Suspected Russian hackers, international intrigue and one of the biggest banks in the world: the latest security scandal to hit financial services has all of the necessary James Bond style elements.
The news that JP Morgan had no less than 90 servers taken over and data on 76 million households and businesses (approximately two thirds of all households in the USA) stolen in a recent hacking incident has generated incredulity worldwide.
Then we learn that nine other unnamed financial institutions apparently have been attacked by the same group. How could some of the most well-funded banks be so susceptible to online attack?
It also raises a number of questions in our futures and options environment, where we have been (as far as we know) largely immune from these types of issues, yet members and vendors are connected to at times 50+ global markets and sometimes are poorly protected from internet
Only one of my online financial services requires two-factor authentication, an insanely small number. This is where you require something you know and something you have (such as a dongle) in order to authenticate yourself to the service.
Are you really who you say you are? This technology, which was an expensive implementation five years ago, is commonplace now, and there are numerous solutions which replace the username & password combination, which is so ridiculously poor in its security paradigm.
Putting aside the traders' access to a trading system, which should be uppermost in people's minds, the connectivity of the trading systems to the matching engines at the exchange in turn is usually by simple username and password.
Rarely do exchanges nowadays lock down access to a certain network path by the physical connection, an issue in the expanding world of DMA.
I always thought that the vendors would be the weakest link in the chain as far as security in the connectivity game is concerned, but it seems
One of the biggest banks in the world has been compromised; what does that say for some of the less well-funded players, both small brokers and buy side, especially in smaller, more esoteric markets which still have the same unfettered access to the matching engines as the
How many mnemonics does your firm have? How many are logged in right now? They should all be, or they should be disabled. Usually you can't log in twice, which is one of your main defences. And they should be logged in for every minute the exchange is open, or else you open yourself up to possible attack. How recently have the passwords been changed on them (the exchanges seldom mandate this) and how widely known or distributed are these passwords and keys?
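As an added example that is not part of the original article, the script below turns the questions above into a check a firm can run over its own mnemonic inventory: every enabled mnemonic should be logged in while the market is open, never logged in twice, rotated recently and known to few people. The data, field names and thresholds are constructed assumptions, not anything from an exchange or vendor.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Mnemonic:
    """One exchange login (mnemonic) as tracked in the firm's own inventory."""
    name: str
    enabled: bool
    active_sessions: int        # sessions currently logged in at the exchange
    password_changed: datetime  # last credential rotation
    holders: int                # people or systems who know the credential


def audit_mnemonics(inventory, now, market_open, max_age_days=90, max_holders=3):
    """Return (mnemonic, finding) pairs for each hygiene rule the article raises."""
    findings = []
    for m in inventory:
        if not m.enabled:
            continue  # disabled is the safe state; nothing further to check
        if market_open and m.active_sessions == 0:
            findings.append((m.name, "enabled but not logged in while market is open"))
        if m.active_sessions > 1:
            findings.append((m.name, "logged in more than once"))
        if now - m.password_changed > timedelta(days=max_age_days):
            findings.append((m.name, f"password older than {max_age_days} days"))
        if m.holders > max_holders:
            findings.append((m.name, f"credential known to {m.holders} people"))
    return findings


# Constructed sample inventory (assumed values, not real data).
NOW = datetime(2014, 10, 15, 10, 0)
SAMPLE = [
    Mnemonic("ABC1", True, 1, datetime(2014, 9, 1), 2),    # healthy
    Mnemonic("ABC2", True, 0, datetime(2013, 1, 10), 7),   # idle, stale, widely known
    Mnemonic("ABC3", True, 2, datetime(2014, 10, 1), 1),   # double login
    Mnemonic("OLD9", False, 0, datetime(2011, 5, 5), 9),   # disabled: ignored
]

if __name__ == "__main__":
    for name, issue in audit_mnemonics(SAMPLE, NOW, market_open=True):
        print(f"{name}: {issue}")
```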
How do your vendors secure your credentials? Do you send them by clear-text email? Do they in turn copy and paste them into their incident & change management systems? How many of these mnemonics are lying around unused in the industry? How many internal staff have access? Do they all need it? Are pre-production or staging systems protected in the same way that production systems
How many trading firms (especially the small ones) and vendors are regularly security audited? A few have adopted SSAE16 audit standards and so are held to a higher account. However, many aren't, and our industry is only as strong as its weakest link.
Security auditing services, also known as white hat hackers, are mainstream now and remarkably affordable. Minerva from NCC, for example, will do a daily scan of your perimeter network to check for ports left open, the IT security equivalent of leaving your back door
How many firms have implemented true big data technology such as that of Splunk which, when properly implemented, can provide valuable insight into issues in real time and assist no end with the diagnosis after the fact?
Smaller firms or vendors cannot afford the services of high quality and highly knowledgeable security staff, but they should.
By way of reference, in an annual letter to shareholders in April 2014, JPM announced that by the end of the year it was planning to spend a quarter of a billion dollars a year on cyber security with a team of 1,000
Your reputation and your customer data are the most valuable assets you have, and security problems are real.
Hamish Purdey is non-executive director at Gresham Computing plc and was most recently Chief Executive at FFastFill plc, a SaaS provider of trading, clearing & settlement services for exchange traded derivatives. He can be contacted at firstname.lastname@example.org
Hamish will be speaking at the upcoming FOW Derivatives World London Debates on December 9. For more information and to register, click