A Cyber Security Update by vSEC, LLC

Feb 7, 2020

CFTC Request About ‘Cloud Hopper’ Attacks and Recommended Security Responses

The CFTC asked all futures markets participants to report by January 20th if they had (or had not) been impacted by the Cloud Hopper security breaches described by the Wall Street Journal on December 30, 2019. These attacks hit about a dozen cloud service providers, including IBM and HPE / DXC. Attributed by the FBI and the DOJ to professional hacking groups associated with the Chinese government, these attacks targeted the theft of confidential data from companies in many industries.

Were You Attacked?

The apparent goal of these attacks was data theft, so you probably wouldn’t be able to tell directly if your information was stolen. Some vendors are reluctant to volunteer that an attack may have happened, which is why the CFTC asked firms to contact their providers directly to ask about these or similar attacks.

What Should You Do?

If you use a cloud service provider to host files or to run software or infrastructure for your business, ask your account manager about these or similar attacks.

If you have not responded yet to the CFTC, they still want to hear from you. They also want to know if your provider says you have not been impacted by these or other cloud service attacks.

These attacks highlight some common security protections that all firms should be aware of:

As general protections, make sure you understand which security features your service providers offer and who is responsible for each of them. Many vendors offer strong security controls, but it is up to the customer to turn them on and manage them. Require each user to log in with their own account and password (no shared logins), and restrict access to systems, files and folders to only those who need them for their work.

Where possible, turn on 2 Factor Authentication. In addition to a password, this requires users to enter a code sent to their email or phone (or generated by an authenticator app), which makes it much harder for someone to impersonate a user even if they know that user's username and password.

For Google Docs, to turn on 2 Factor Authentication (2FA), click on your Google Account icon, then click on the Security panel on the left. In the section Signing in to Google, select 2-Step Verification.

For Dropbox, to turn on 2 Factor Authentication, click on your avatar, then choose Settings, select the Security tab along the top, and turn on Two-Step Verification. You can choose if you want to receive your security code to your phone by text message or via a mobile app.
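The "mobile app" option above is a time-based one-time password (TOTP, RFC 6238): the app and the service share a secret, and both derive the same six-digit code from the secret and the current 30-second window, so a stolen password alone is not enough. The following is an added example, not code from this article or from Google or Dropbox, showing how a service verifies such a code in Go using only the standard library. The secret shown is the RFC 6238 test vector, not a real one; the function names `TOTPCode` and `VerifyTOTP` and the one-step skew tolerance are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// Step is the TOTP time step; authenticator apps use 30 seconds.
const Step = 30

// TOTPCode computes the RFC 6238 code (HOTP over HMAC-SHA1) for a raw shared
// secret at the given Unix time, zero-padded to the requested number of digits.
func TOTPCode(secret []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/Step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, bin%uint32(math.Pow10(digits)))
}

// VerifyTOTP accepts a submitted 6-digit code if it matches the current step
// or the step on either side (tolerates a little clock drift between the
// phone and the server). The comparison is constant-time so response timing
// does not reveal how many digits matched.
func VerifyTOTP(secret []byte, unixTime int64, submitted string) bool {
	ok := false
	for _, skew := range []int64{-Step, 0, Step} {
		expected := TOTPCode(secret, unixTime+skew, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// RFC 6238 test secret (ASCII "12345678901234567890"). A real deployment
	// generates a random per-user secret and shows it to the user once as a QR code.
	secret := []byte("12345678901234567890")
	fmt.Println("code for t=59:", TOTPCode(secret, 59, 8)) // 94287082 per RFC 6238
	fmt.Println("code now:", TOTPCode(secret, time.Now().Unix(), 6))
	fmt.Println("verify 287082 at t=59:", VerifyTOTP(secret, 59, "287082"))
}
```

Two things the snippet deliberately leaves to the surrounding service: the per-user secret must be stored with the same care as a password hash store, and a code that has already been accepted in a given 30-second window should be rejected if submitted again, otherwise an attacker who sees a code in transit can reuse it within the window.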

As a further protection, you should in general encrypt all files containing confidential data, including financial details and personally identifiable information. Both Windows Pro and the Mac operating system include built-in encryption capability. The popular cloud file hosting services Google Drive and Dropbox encrypt stored files by default, but the provider holds the keys, so a breach on the provider's side can still expose your data. For highly confidential information you will want to encrypt files yourself, with keys only you hold, before uploading them to file hosting services.
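To show what "encrypt files yourself before uploading" looks like in practice, here is an added example in Go (standard library only); it is not code from this article or from any hosting provider. It seals a file with AES-256-GCM under a key the firm keeps outside the cloud account, binds the file name into the authentication tag, and checks on download that the blob was not altered at the provider. The sample CSV record is constructed for the example, and the function names `NewKey`, `Seal` and `Open` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. The key must be stored outside
// the cloud account it protects (e.g. in the firm's password manager); whoever
// holds the key can read every file sealed with it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a file's contents with AES-256-GCM before upload. The output
// is nonce || ciphertext || tag. The file name is bound as additional
// authenticated data, so contents swapped between two sealed files are
// rejected on decrypt rather than silently accepted.
func Seal(key, plaintext []byte, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// Open decrypts a blob produced by Seal. Any change to the nonce, ciphertext,
// tag or file name makes gcm.Open fail, so a downloaded file that was altered
// at the provider is detected instead of yielding garbage.
func Open(key, sealed []byte, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed file too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(filename))
}

func main() {
	// Constructed sample data; not real client records.
	record := []byte("client_id,account,balance\n1001,ACCT-0001,250000.00\n")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, record, "clients.csv")
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes; upload this blob, not the CSV\n", len(record), len(sealed))
	back, err := Open(key, sealed, "clients.csv")
	if err != nil || !bytes.Equal(back, record) {
		panic("round trip failed")
	}
	// Flip one ciphertext bit: decryption must fail rather than return altered data.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := Open(key, sealed, "clients.csv"); err == nil {
		panic("tampering went undetected")
	}
	fmt.Println("round trip ok; tampered copy rejected")
}
```

The design choice worth noting is the random 12-byte nonce per file: with AES-GCM a nonce must never repeat under the same key, and generating it from the OS random source rather than a counter keeps that true across machines and restarts. Losing the key means losing the files, so key backup is part of the procedure, not an afterthought.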

Security awareness training is a critical protection against cyber attacks, and, per NFA Interpretive Notice 9070, training must be provided upon hiring and then annually for all employees. Even the sophisticated Cloud Hopper attacks apparently started with phishing: getting employees to click on malicious links in emails or on websites.

Also per NFA Interpretive Notice 9070, firms must review their written security program annually so that it includes protections against known security threats. Given the WSJ coverage and the CFTC notifications, cloud service attacks certainly count as current known threats and should be included in your annual risk assessment as well as in your vendor security review.

Common security protections such as these will help firms comply with regulatory cyber security guidelines as well as help keep their business and clients safe. The Cloud Hopper attacks made the headlines, but other attacks happen every day, and managing cyber risk is an ongoing business and regulatory requirement.

vSEC, LLC is a cyber and information security firm that specializes in the futures industry. vSEC helps firms develop and manage their written security program (ISSP), as well as performing annual risk reviews, vendor security evaluations, incident response plans and tests, and other security services.
