Cybersecurity Due Diligence - Lessons from 2020

COVID-19 was, naturally, the overarching cybersecurity story of 2020. The pandemic forced a massive shift as organizations around the world pivoted to remote workforces, a move which introduced numerous information security challenges. And, of course, the year ended with SolarWinds - arguably the most serious cyber hack / intrusion in history. What are the key lessons of 2020 for investors and asset managers as they consider cybersecurity due diligence?

1. Remote Work  

As COVID case numbers rose around the globe in February and March, asset managers (and administrators and other service providers) began to close their offices and hastily transition to remote working arrangements, enacting business continuity plans that, for many, had never been designed to accommodate an extended mass exodus from the office. This meant providing employees with necessary equipment for prolonged work-from-home, ensuring they had secure means of accessing any on-site or otherwise restricted tech resources, and modifying procedures around operations and sensitive transactions. 

Castle Hall published a blog in mid-March, highlighting some of the essential controls and procedures to consider when transitioning to WFH arrangements. 

2. Zoom 

One change from new remote work arrangements was, of course, the rapid adoption of videoconferencing to replace business travel and in-person meetings. The videoconferencing provider Zoom saw a meteoric rise in users, and subsequently received backlash for concerns around privacy and security as the platform become a de facto standard. To their credit, Zoom took feedback from consumers and regulators and has made great strides in security controls and in redesigning their product to address those concerns.  

‘Zoom-bombing’, a phenomenon where uninvited parties would join Zoom meetings with the intent of disrupting or disturbing attendees, became widespread enough to warrant a warning from the FBI in March 2020. Evidently ‘security by obscurity’ was not enough to prevent being "bombed". In most cases, meetings which were subject to unwanted interruptions were created without access controls, and their connection details had been published online, allowing bad actors to join those meetings. 

As Zoom grew more popular, the brand was also co-opted by those running phishing campaigns – fake Zoom invite e-mails became more common as a new wave of online scams rolled out. 

3. COVID-19 Fraud 

A range of phishing and social engineering campaigns appeared in the first half of 2020, with e-mails, calls, and text messages targeting businesses and individuals with phony promises of COVID-19 statistics, insider news and access to home testing kits or even vaccines. Everything from miracle cures to threats of debt collection were fair game as fraudsters took full advantage to frighten people into providing credentials, sending money, or installing malware. 

Phishing aside, there were many other novel cyberattacks and frauds carried out throughout the year. The Canada Revenue Agency (CRA) detected a co-ordinated attempt to compromise individuals’ online accounts to falsely claim the $2000/month Canada Emergency Relief Benefit, redirecting the payments to bank accounts controlled by bad actors. The attack was attributed not to any specific weakness in the CRA’s systems, but to a technique known as ‘credential stuffing’. 

4. Credential Stuffing 

The CRA attack was part of a larger pattern in 2020 – credential stuffing attacks became so prevalent that the OCIE issued a warning in mid-September. ‘Credential stuffing’ relies on users who re-use the same login / password combination across multiple websites and applications, on the grounds that it is "too complicated" or "they can't remember" different passwords.

Credential stuffing can be compared to finding a key in an apartment lobby and trying each mailbox in turn to see which one it opens. However – instead of a found key, it’s millions of username/password combinations (obtained on the dark web from previously published data breaches), and instead of a grid of mailboxes, the targets are a virtually unlimited number of online sites & services. 

If passwords are not rotated regularly, and if two-factor authentication is not enforced on critical systems, this approach can be highly effective. A single known good e-mail address/password combination could potentially open any number of doors and result in the compromise of sensitive systems.

The credential stuffing technique was responsible for several notable breaches: 

• Zoom had to vehemently defend themselves against accusations that they were responsible for the breach of 500,000 accounts - ultimately traced to previously leaked password databases. 
• Two years after their headline data breach, Marriott International suffered another blow, when the credentials of two employees, harvested from passwords dumps, were used to expose a further 5.2M customer records. 
• The FBI has advised that they are aware of at least 50,000 account compromises reported by US financial institutions as a result of credential stuffing attacks since 2017. 

The relative success of credential stuffing as a vector in 2020 served to highlight the importance of basic credential hygiene – ensuring the use of strong, unique passwords for different services (as opposed to the legacy ‘but this is my password’ approach), and regular rotation – especially for accounts affected by a data breach. 

5. Notable Cyber Breaches 

In Castle Hall's weekly cybersecurity diligence newsletter, we highlight notable data breaches and explore their causes in a segment we call ‘Know Your Breach’. Here were some of the more notable cybersecurity incidents we examined over the course of 2020: 

• Microsoft revealed in January that a misconfiguration had resulted in five servers becoming publicly accessible, exposing 250 million call centre records. 
• Michael Rosen, Chief Investment Officer for Angeles Investment, fell victim to an e-mail compromise which saw his account used to distribute phishing emails disguised as RFPs to his contacts. 
• Rogue employees used South African Postbank’s master encryption key to steal $3.2M in 25,000 fraudulent transactions and gain access to confidential data and PIN codes for more than 12 million customers. 
• Virtu Financial, the high-speed trading firm, lost almost $7M USD after an executive’s e-mail account was used to send fraudulent transfer requests. 

We explored a range of data breaches and cyber-attacks over the course of the year, and the consequences of a breach can be staggering. Between immediate material losses, reputational damage, and, in the case of lost personally identifiable information, legislative penalties (there were around 300 fines levied in 2020 for GDPR violations, totalling over €142M), for some organizations – the accumulated costs can be fatal. 

6. A Cyber Attack Kills a Hedge Fund 

A sobering example came later in the year – we commented in November on the case of Levitas Capital, an Australian hedge fund manager, which was ultimately forced to shutter their operations after a cyber attack.  After an executive received a phishing e-mail with a phony Zoom link, his accounts were compromised, and his e-mail account was used to issue fake invoices and payment instructions.  

While some of the transfers were ultimately blocked, almost $800K was unable to be recovered, and, their confidence shaken, the fund’s largest investor redeemed - forcing Levitas to shut down. 

7. SolarWinds 

The cherry on the 2020 sundae was perhaps the most chilling breach of all – it was revealed at the end of the year that SolarWinds, a vendor of network management software used by Fortune 500 firms and US Government agencies alike, had been compromised. The firm had pushed malware within software updates for their Orion platform that allowed Russian agents backdoor access to the networks of their high-profile clients.  

The scope of this attack continues to grow as more details emerge. Compromised client networks, already subject to data exfiltration and further probing by the threat actors, will need to perform thorough forensic analysis to fully understand the scope of the attack and chart their next steps. Patching the SolarWinds software alone is, at this point, rather like closing the barn door once the cows have already fled – it remediates the cause, but doesn’t address the consequences of the compromise. Some clients will ‘only’ have lost control of their data, while others will discover that the attackers established beachheads and introduced additional access points into their networks and systems. 

This incident has re-opened the discussion around supply-chain vulnerabilities in a significant way. There’s always an element of risk when integrating with suppliers and vendors to share access to sensitive data and systems. When the third-party that causes a breach is your software provider, that has a profound effect on confidence, and raises questions – best practise is to test and apply software patches as soon as possible to reduce attack surface, but how can you be sure that those software patches won’t themselves introduce new vulnerabilities? 

Events have also prompted a range of conversations on the topic of organizational reticence to treat cybersecurity warnings seriously. Reports have indicated that concerns existed for years about SolarWinds’ internal security practices, from use of the password ‘solarwinds123’ on an update server, to the 2017 resignation of a security advisor who felt the firm’s leadership did not have the willingness to give security issues the appropriate attention and resources. Furthermore, some commentators have raised the question of whether profit-boosting cuts to security budgets and the cost-saving relocation of software engineering teams to Eastern European countries (where Russian intelligence operatives are deeply rooted) may have ultimately contributed to the compromise of the Orion platform. 

To be fair - SolarWinds aren’t the only ones who’ve ignored warnings or given inadequate attention to pressing cybersecurity matters. One of the most shocking headlines associated with the SolarWinds compromise was the breadth of its effect on the US government – affected entities include the Pentagon, the National Nuclear Security Administration, Department of State, and the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security (DHS), to name a few. The Government Accountability Office reports having made over 3,000 recommendations in the last decade to tighten network security. They claim that nearly 20% of them still haven’t been implemented, including 75 of their highest priority recommendations. A system known as the Patch Authentication and Dissemination Capability, specifically conceived to address concerns that “the patch update process could become a vector for large-scale attacks”, was implemented by the DHS in 2003, but was shelved the next year. 

It can be tempting to assume a mentality of “it won’t happen to us” or to look in the budget for cost savings during a stretch of sunny days. Security posture must be based on honest risk assessments and must be part of an organization's overall risk management strategy – ignorance and incredulity do not absolve an asset manager of their responsibility to their clients, their employees, and their investors. 

On that cheery note - what cybersecurity lessons can we carry from the past year into 2021 and beyond? 

• Remote work: Even after most of the population has been vaccinated and we attempt to ‘return to normal’ – the toothpaste is well out of the tube regarding remote working. Businesses who had been reluctant to allow WFH arrangements in the past have seen that they work (and seen how to save money on expensive prime real estate), and more to the point - their employees have, too. Cybersecurity planning and posture looking forward will have to account for a workforce where a material percentage of investment industry employees will work remotely, at least some of the time. We also expect to see a significant increase in dispersion of employees, as staff elect to work for some or all of the time away from a manager's headquarter city, whether driven by taxes, cost of housing, or lifestyle preferences.  
• Back to basics: If fundamental password hygiene and best practice authentication controls (2FA, password aging, etc.) were followed, credential stuffing attacks would be unable to succeed. Furthermore, security tools and settings are only useful when they’re correctly configured – publishing online meeting details and failing to enforce access control, for example, leaves the door open to unwanted guests. The importance of enforcing common-sense controls and educating employees on best practices cannot be understated.  
• Gone phishing: Social engineering attacks continue to be so frequently executed because they continue to be so undeniably effective. We cannot overemphasize the importance of regular training sessions for staff, frequent phishing tests, and programs to encourage critical thinking and the reporting of suspicious correspondence to internal IT and information security teams. Castle Hall continues to be surprised at the number of asset managers who have only conducted a single phishing test, or run tests once per year at most: these standards fall massively short of an effective training and education program (and yes, investment professionals cannot rely on being "too smart" to fall for phishing attacks).
• Supply chain: In tightly integrated third-party relationships, mi casa es su casa – and my breach is your breach. The ongoing SolarWinds story has highlighted how a firm’s internal posture and procedures can be subverted by a subcontractor or vendor failing to enforce their own controls and has tragically underscored just how wide the impact of a single breach can be. Vendors who sell services, or sub contractors who interface with managers, must be prepared to make information available about their own information security controls.
• It doesn’t matter (until it does): We continue to see the common theme of organizations downplaying or outright ignoring security concerns. When those chickens come home to roost, it’s the decision-makers who are ultimately responsible for having failed to prepare. This is especially relevant in the asset management industry, where managers have control over billions of dollars of investors' capital.

We remain convinced that now, more than ever, it’s crucial that firms get their own cyber house in order - and that they expect suppliers, vendors, and partners to be open and accountable about their own security postures. Due diligence practitioners must engage in serious assessment and conversations around cyber risk and how those risks are being managed. Are technical controls layered, robust, and adequate? Are staff given appropriate training, is that training evaluated, and is a firm-wide culture of security awareness nurtured from the top down?  

Only time will tell what 2021 has in store!