CFTC Request About ‘Cloud Hopper’ Attacks and Recommended Security Responses
The CFTC asked all futures market participants to report by January 20th whether they had (or had not) been impacted by the Cloud Hopper security breaches described by the Wall Street Journal on December 30, 2019. These attacks compromised about a dozen cloud and managed service providers, including IBM and HPE / DXC, and used that access to reach the providers' customers. Attributed by the FBI and the DOJ to professional hacking groups associated with the Chinese government, the attacks were aimed at stealing confidential data from companies in many industries.
Were You Attacked?
The apparent goal of these attacks was data theft, not disruption, so nothing on your side would necessarily have stopped working or looked different if your information was copied. Some vendors are reluctant to volunteer that an attack may have happened, which is why the CFTC asked firms to contact their providers directly and ask about these or similar attacks.
What Should You do?
If you use a cloud service provider to host files or to run software or infrastructure for your business, ask your account manager about these or similar attacks.
If you have not responded yet to the CFTC, they still want to hear from you. They also want to know if your provider says you have not been impacted by these or other cloud service attacks.
These attacks highlight some common security protections that all firms should be aware of:
As general protections, make sure you understand which security features your service providers offer and who is responsible for each of them. Many vendors offer strong security controls, but it is up to the customer to turn them on and manage them. Require that every user log in with an individual account and password (no shared logins, so that activity can be traced to a person), and restrict access to systems, files and folders to only those who need them for their job.
Where possible, turn on 2 Factor Authentication (2FA). In addition to a password, this requires users to enter a code sent to their phone or email or generated by an authenticator app, which makes it much harder for someone to impersonate a user even if they know the username and password. Codes from an authenticator app or a hardware security key are stronger than codes sent by text message or email, which can be intercepted or redirected, but any form of 2FA is a large improvement over a password alone.
For Google Docs (this is a Google Account setting, so it covers Gmail and Google Drive as well), to turn on 2FA, click on your Google Account icon, then click on the Security panel on the left. In the section Signing in to Google, select 2-Step Verification.
For Dropbox, to turn on 2 Factor Authentication, click on your avatar, then choose Settings, select the Security tab along the top, and turn on Two-Step Verification. You can choose if you want to receive your security code to your phone by text message or via a mobile app.
As further protection, in general you should encrypt all files containing confidential data, including financial details and personally identifiable information. Both Windows Pro (BitLocker) and Mac (FileVault) operating systems include disk encryption, which protects the files on a lost or stolen computer. As popular cloud file hosting services, both Google Drive and Dropbox encrypt files by default in transit and at rest, but the provider holds the encryption keys, so that encryption does not protect you if the provider itself is compromised, as happened in Cloud Hopper, or if an attacker logs in with a stolen account. For highly confidential information you will want to encrypt files yourself, with a key that only your firm holds, before uploading them to file hosting services.
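The following is an added example of "encrypt it yourself before uploading" and is not part of the original notice or any vendor's tooling. It assumes a Linux or Mac shell with OpenSSL 1.1.1 or later (needed for the `-pbkdf2` option); the file names, the key file `upload.key` and the sample client statement are constructed for the example. The key file stays on the firm's systems and is never uploaded alongside the encrypted file.

```bash
#!/usr/bin/env bash
# Client-side encryption before upload: the cloud provider only ever receives
# the .enc file, and the key needed to read it never leaves the firm.
# Added example; assumes OpenSSL 1.1.1+ (for -pbkdf2). Not the provider's code.
set -euo pipefail

# Encrypt <plaintext> into <ciphertext> with AES-256-CBC. The key is derived
# from a passphrase read from <keyfile> using PBKDF2 with 200,000 iterations,
# so a leaked ciphertext cannot be brute-forced cheaply even with a weak phrase.
# Usage: encrypt_for_upload <plaintext> <keyfile> <ciphertext>
encrypt_for_upload() {
    local plaintext="$1" keyfile="$2" ciphertext="$3"
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -in "$plaintext" -out "$ciphertext" -pass "file:$keyfile"
}

# Reverse of encrypt_for_upload, run after downloading the .enc file.
# Usage: decrypt_download <ciphertext> <keyfile> <plaintext>
decrypt_download() {
    local ciphertext="$1" keyfile="$2" plaintext="$3"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$ciphertext" -out "$plaintext" -pass "file:$keyfile"
}

# The check a practitioner should run before trusting the workflow:
#   1. the uploaded file must not contain the confidential text in the clear,
#   2. the correct key must restore the file byte for byte,
#   3. a different key must not produce the original contents.
# Prints "ok" and returns 0 when all three hold.
roundtrip_check() {
    local work
    work="$(mktemp -d)"

    # Constructed sample statement standing in for a real confidential file.
    printf 'Client: ACME Futures\nAccount: 0000-1111\nSSN: 123-45-6789\n' \
        > "$work/statement.txt"

    # Generate a 256-bit random passphrase and keep it readable only by its owner.
    openssl rand -hex 32 > "$work/upload.key"
    chmod 600 "$work/upload.key"

    encrypt_for_upload "$work/statement.txt" "$work/upload.key" "$work/statement.txt.enc"

    # 1. nothing recognisable from the plaintext may appear in the ciphertext
    if grep -q 'ACME' "$work/statement.txt.enc"; then
        echo "plaintext leaked into ciphertext" >&2
        return 1
    fi

    # 2. decrypting with the right key gives back the original
    decrypt_download "$work/statement.txt.enc" "$work/upload.key" "$work/restored.txt"
    if ! cmp -s "$work/statement.txt" "$work/restored.txt"; then
        echo "roundtrip mismatch" >&2
        return 1
    fi

    # 3. a wrong key either fails outright or yields garbage, never the original
    openssl rand -hex 32 > "$work/wrong.key"
    if decrypt_download "$work/statement.txt.enc" "$work/wrong.key" "$work/bad.txt" 2>/dev/null \
        && cmp -s "$work/statement.txt" "$work/bad.txt"; then
        echo "wrong key recovered the plaintext" >&2
        return 1
    fi

    rm -rf "$work"
    echo ok
}
```

Run `roundtrip_check` once on a test file before adopting the workflow, then use `encrypt_for_upload` on the real file and upload only the `.enc` output. Two caveats: `openssl enc` gives confidentiality but not tamper detection (CBC mode has no integrity check), so a modified download will decrypt to garbage rather than be rejected, and losing `upload.key` means losing the data, so the key file needs its own backup under the firm's control.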
Security awareness training is a critical protection against cyber attacks, and, per NFA Interpretive Notice 9070, training must be provided upon hiring and then annually for all employees. Even the sophisticated Cloud Hopper attacks apparently started with phishing, by getting employees to click on malicious email or website links.
Also per NFA Interpretive Notice 9070, firms must annually review their written security program to include protections against known security threats. With the WSJ coverage and the CFTC notification, attacks on cloud and managed service providers certainly count as current known threats and should be included in your annual risk assessment as well as your vendor security review.
Common security protections such as these will help firms comply with regulatory cyber security guidelines as well as help keep their business and clients safe. The Cloud Hopper attacks made the headlines, but other attacks happen every day, and managing cyber risk is an ongoing business and regulatory requirement.
vSEC, LLC is a cyber and information security firm that specializes in the futures industry. vSEC helps firms develop and manage their written security program (ISSP), as well as performing annual risk reviews, vendor security evaluations, incident response plans and tests, and other security services.