Practical analysis for investment professionals
19 March 2013

Recommended Reading: Cybersecurity — Crime, Warfare, or Scaremongering?

Posted In: Risk Management

Cyberattacks, with nefarious conspiracies and faceless enemies, have long been the fodder of Hollywood scriptwriters — think back to WarGames (1983) and Tron (1982), both classics. But a flood of recent headlines about cyberwarfare, and a report by Mandiant, a computer security firm, linking attacks to a Chinese military unit, show there is often a fine line between fact and fiction.

Last week, a deputy social media editor at Thomson Reuters was charged in a federal indictment for allegedly conspiring with members of the hacker group Anonymous to hack into the Los Angeles Times.

Meanwhile, cyberthreats featured prominently in President Obama’s congratulatory call to the new Chinese president, Xi Jinping, and James R. Clapper, Jr. (pictured above), director of National Intelligence, and Keith Alexander, head of the National Security Agency and US Cyber Command (both part of the Defense Department), were on Capitol Hill talking about cyberattacks. Alexander noted that cyberattacks on private companies, particularly banks, are on the rise, and in fact, that same week JPMorgan Chase was hit by a distributed-denial-of-service (DDoS) attack. Since September, a new wave of DDoS attacks has crippled the websites of major financial institutions, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T, and HSBC.

General Alexander told Congress he is establishing 13 teams of programmers and computer experts who can carry out offensive cyberattacks on foreign nations if the United States is hit with a major attack on its own networks, the first time the Obama administration has publicly admitted to developing such weapons for use in wartime. His testimony came on the same day that Clapper said the prospect of a cyberattack is the number one threat facing the United States. (For an example of how a cyberattack can temporarily cripple a nation, look at what happened to Estonia in 2007, when cyberattacks targeted the websites of banks, media outlets, government ministries, and even the parliament.)

At CFA Institute’s recent Global Investment Risk Symposium, John E. Mroz, president and chief executive of EastWest Institute, presented on “Cybersecurity: Crime Prevention or Warfare?” and warned delegates about the scale of the problem.

Here is some recommended reading, followed by answers (from EastWest Institute) to two important questions: How do I know if my computer is infected by a botnet? And, what practical steps can companies take to improve self-awareness?

What to Make of the Cybersecurity Debate

What’s Going on Behind the Scenes of a Cyberattack?

How to stay up to date?

How do I know if my computer is infected by a Botnet?

The answer, courtesy of the Information Technologies Department at EastWest Institute:

In short, you don’t. Botnets are designed to be invisible, and can’t be found on your computer until security experts are well aware of them and have updated their antivirus software to find them. This means that you could be hosting a botnet for weeks, months, or even years without knowing.

The best solution is prevention. Be aware of your surroundings. Don’t use a Wi-Fi access point that you don’t know for sure isn’t provided by the guy sitting in the corner. Don’t click on links or open attachments that you aren’t expecting. Don’t insert thumb drives you found into your computer. In short, be paranoid. Keeping your antivirus software updated is necessary, but it’s only a tiny, tiny part of security.

From the very, very technical side of things, a computer security expert can monitor data traffic sent out by your computer, but botnet creators do their best to make their traffic look like normal traffic. The only way to really find out if you have an infection is to monitor your network for changes in traffic sent. When those changes occur, you then have to analyze that to make sure it wasn’t due to a system or software update. If you still can’t explain that traffic, then you’ll need to monitor it, trace it to where it goes, and involve the real experts (the FBI has a dedicated group for this). Considering the sheer amount of traffic that happens in the background, often there’s just no way for anyone without the resources of the FBI, NSA, or a Fortune 500 company to find out if they’re infected. At least until that particular infection becomes public knowledge and the experts build tools or update antivirus software to find it and notify you. (Source: How Do I Know If My Computer is Being Used for a Botnet-Based DDoS Attack?)
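One way to put the traffic-baselining idea above into practice, as an added example that is not part of the original post or of EastWest Institute’s material: the script keeps a per-host history of outbound bytes, excludes destinations explained by known update servers (an assumed list), and flags a host whose outbound volume on the current day exceeds its own baseline, reporting the destinations it had never contacted before. The flow records and host names are constructed.

```python
"""Flag hosts whose outbound traffic departs from their own baseline.

Input is a simplified flow record (source host, destination, bytes out, day).
Traffic to known update servers is set aside first, so that a patch cycle is
not mistaken for beaconing; what remains is compared against prior days.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (source host, destination, bytes out, day)
SAMPLE_FLOWS = [
    ("ws-01", "mail.example.test", 12_000, 1),
    ("ws-01", "mail.example.test", 11_500, 2),
    ("ws-01", "mail.example.test", 12_300, 3),
    ("ws-01", "mail.example.test", 11_900, 4),
    ("ws-01", "update.vendor.test", 90_000, 4),  # patch download: expected, explained
    ("ws-02", "mail.example.test", 9_000, 1),
    ("ws-02", "mail.example.test", 9_400, 2),
    ("ws-02", "mail.example.test", 9_100, 3),
    ("ws-02", "mail.example.test", 9_300, 4),
    ("ws-02", "203.0.113.7", 45_000, 4),  # never-seen destination, large volume
]

# Assumed list of destinations whose traffic is explained by software updates
KNOWN_UPDATE_HOSTS = {"update.vendor.test"}


def daily_totals(flows, ignore=KNOWN_UPDATE_HOSTS):
    """Sum outbound bytes per host per day, skipping explained destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, dest, nbytes, day in flows:
        if dest not in ignore:
            totals[host][day] += nbytes
    return totals


def find_anomalies(flows, day, sigma=3.0, min_history=3):
    """Hosts whose bytes on `day` exceed mean + sigma*stdev of earlier days,
    with the destinations they contacted on `day` for the first time."""
    totals = daily_totals(flows)
    seen_before = defaultdict(set)
    for host, dest, _, d in flows:
        if d < day:
            seen_before[host].add(dest)
    findings = {}
    for host, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < day]
        if len(history) < min_history:
            continue  # not enough baseline to judge this host yet
        threshold = mean(history) + sigma * pstdev(history)
        today = per_day.get(day, 0)
        if today > threshold:
            new_dests = {dest for h, dest, _, d in flows
                         if h == host and d == day
                         and dest not in seen_before[host]
                         and dest not in KNOWN_UPDATE_HOSTS}
            findings[host] = {"bytes": today, "threshold": round(threshold),
                              "new_destinations": sorted(new_dests)}
    return findings


if __name__ == "__main__":
    print(find_anomalies(SAMPLE_FLOWS, day=4))
```

A flagged host is a lead to investigate, not a verdict: the next step, as the answer above says, is to trace where the new destination’s traffic goes and rule out legitimate causes.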

What practical steps can companies take to improve self-awareness?

The answer is courtesy of Ingo Dean, Information Technologies Department, EastWest Institute:

Any organization should take a holistic approach to computer security. Don’t think of your computers as islands, but rather as pieces of an entire ecosystem encompassing computers, networks, services, and most importantly, people.

The weakest link in computer security is always the human being. Human beings designed and built the hardware, designed and built the operating system, designed and built the applications, designed and built the network protocols, and human beings use the computers. Human beings are fallible — nothing is perfect, everything has some flaw that can be exploited.

An organization’s Computer Security program should provide awareness training in understandable bite-size chunks. In the past I’ve sent out “IT QuickTip” messages, held brown-bag Q&A sessions, contracted outside training, contracted web-based training, updated blogs, intranets, and wikis. The key is that most people are simply far too busy doing the job they’re paid to do to want to spend any time on computer security, so you have to just keep plugging away at what seems to be a hopeless task. The users think security is IT’s job, but IT’s real job is to convince the organization management and users that security is everyone’s job. A little carrot, a little stick, a little humor, all used in moderation.

Computer security awareness includes strong passwords, not reusing passwords, knowing where you can securely enter your password, never sharing your password with others, verifying that links go where they say they go, knowing what’s safe to open, knowing when to ask your local expert, having an expert. That’s just a tiny subset.

Security awareness training should not stop at the computer. For instance, during my last training session I explained how most hotel-room card key systems can be defeated in less than 30 seconds with a tool you can build yourself for less than $25. (See: “Dry Erase Marker Opens All Hotel Room Doors.”)

Perhaps the most important thing is to hire or contract and then support an IT staff that truly understands and cares enough to not only protect your computers and network with the tools of their trade, but also takes the impossible effort to try to educate the population.

In the end, the solution to the fallibility of human-built systems is also another human.

Please note that the content of this site should not be construed as investment advice, nor do the opinions expressed necessarily reflect the views of CFA Institute.

About the Author(s)
Lauren Foster

Lauren Foster was a content director on the professional learning team at CFA Institute and host of the Take 15 Podcast. She is the former managing editor of Enterprising Investor and co-lead of CFA Institute’s Women in Investment Management initiative. Lauren spent nearly a decade on staff at the Financial Times as a reporter and editor based in the New York bureau, followed by freelance writing for Barron’s and the FT. Lauren holds a BA in political science from the University of Cape Town, and an MS in journalism from Columbia University.

2 thoughts on “Recommended Reading: Cybersecurity — Crime, Warfare, or Scaremongering?”

  1. Lauren, as a CTO in a knowledge-based organization, this is a topic close to my heart. For an organization to thwart 90% of the attacks that are made on its knowledge resources is the easier part of this task. What worries me is the 10% of attacks which require more and more resources to prevent.

    As organizations grow in scale, their infrastructure however does not keep pace. Often the CFO and the CTO are at loggerheads … why spend that additional million on network equipment/security consultants when that could show up as pure profit?

    I doubt whether analysts even stop to consider information security within an organization as a parameter to evaluate the company’s health … even though infosec is an obvious health metric. Can something be done about this?
