A simulated cyberattack on the U.S. financial sector in July, in which attackers exploited weaknesses to force a shutdown of the equity markets, has prompted industry leaders to call for a thorough review of incident response procedures.
An organization that represents hundreds of securities firms and banks is calling for both better coordination between business and IT during security incident response and a greater investment in advanced security defenses to address emerging threats that could rattle the U.S. stock markets.
The Securities Industry and Financial Markets Association (SIFMA) issued its recommendations this week, following the July exercise in which simulated attackers exploited weaknesses to force a shutdown of the equity markets. The six-hour cybersecurity drill, called Quantum Dawn 2, compressed multiple trading days into a single session and examined what would happen if financial sector critical infrastructure were lost to an attack. SIFMA hosted the exercise, which Deloitte oversaw.
The Quantum Dawn 2 scenario combined a distributed denial-of-service attack on government websites and services, a phishing attack against an industry group, and custom malware unleashed against post-trade processing systems. Simulated attackers used stolen administrator accounts to trigger an automatic sell-off in stocks. The scenario also confronted incident responders with counterfeit and malicious telecommunications equipment, and simulated fraudulent press releases about stocks to sustain the price drop.
The drill exposed the need for a thorough review of the incident response command structure and processes. The exercise also found a need for a risk assessment on how security incidents could impact the broader financial system and ways to promote communication and information sharing during an attack to foster trust and confidence in the markets.
Solution providers told CRN that an annual review of incident response procedures is generally seen as a best practice in the security industry, and one that financial firms often champion. Businesses typically will want to repeat risk assessments annually, or whenever there is a significant change to systems, policies, compliance concerns or outside threats, said Peter Hesse, president of Chantilly, Va.-based Gemini Security Solutions.
"Risk assessments shouldn't simply be performing a vulnerability scan of a network, but should address the entire lifecycle of business critical information," Hesse told CRN. "A proper risk assessment should address physical security, training personnel on security policies and incident response, network security, and system security."
Too many incident response plans focus on technology and overlook what happens when a key member of the team is unavailable, when the legal team gets involved, or when the business first learns of an incident through the press, said Ken Silva, senior vice president for cyber strategy at ManTech International Corp. Incident response procedures and processes should be every bit as important as the business continuity plan, Silva said.
"Oftentimes what happens is that you don't know what you have wrong until you have to use it for real," Silva told CRN. "Exercises are very helpful, particularly because they help shine light on things that you didn't anticipate."
Banks and other financial firms are generally further ahead than any other industry when it comes to cybersecurity preparedness, with strong incident response teams, said Silva, formerly an adviser for cyber technologies at Booz Allen Hamilton and CTO at VeriSign. Silva said the financial industry has a strong Information Sharing and Analysis Center (ISAC) that works together to solve industry-wide attacks with members typically cooperating because many of the security threats financial firms face are common and have an impact on the entire sector.
SIFMA called its Quantum Dawn drill a success. Deloitte's analysis cited strong communication across business lines within firms and ongoing public-private partnership between the financial industry and government agencies. It also found strong execution on response procedures conducted by financial firms and the Financial Services Information Sharing and Analysis Center (FS-ISAC).
SIFMA said exchanges, clearing firms and trusted government partners should play a stronger role in incident response and crisis management following an attack and called for the investment in "next-generation capabilities to support systemic risk analytics, information sharing and crisis management."
"Quantum Dawn 2 demonstrated the industry's resiliency when faced with serious cyberattacks that aimed to steal money, crash systems and disrupt equity market trading. Most importantly, the exercise helped participants identify areas where we can improve," said Judd Gregg, SIFMA's CEO, in a statement.
PUBLISHED OCT. 22, 2013