The hacking of securities firm Ion earlier this month reverberated through the financial services industry. It was described as an attack that “affected parts of the vital financial plumbing that underlies the vast derivatives trading industry”. GRIP explored the issue with cybersecurity expert Shah Sheikh.
What impact did the ransomware attack on ION Trading have on the fintech sector more broadly?
Cybersecurity attacks are very common nowadays. Pretty much all sectors are affected, whether it’s public, private, banking, financial services, and the insurance (BFSI) industry in general, education, healthcare, and so on. They will increase as customers and organizations transform digitally.
Fintechs are dealing with financial-related services. So while they may not be a bank, in some cases they might have a banking license, but in other cases they work with a bank on the back end. So they will always be the potential target of a cyber attack from organized cyber criminals looking at ways in which they can compromise their infrastructure in the cloud using different techniques.
Businesses operating in a regulated environment need to improve their security fast. Many startups don’t necessarily have the funding or the means to implement the right security controls, yet they are providing financially-related services to consumers. Security is one thing, but data governance and data privacy is another important thing they need to make sure they have the right controls on as well.
There are two sides to this, a top-down approach making sure that security is implemented and risks are managed from the board down, and a bottom-up approach relating to employees. There has to be an institutionalized framework. So cyber security policy, procedures, processes have to be put in place. Those policies and procedures need to be aligned towards enterprise risk. So any security-related incident should be tied towards enterprise-level risk management. There needs to be a boardroom discussion. CSOs and ISOs should be given the right resources, tools, and financial support to implement the right security technologies within the organization, such as Endpoint Detection and Response (EDR).
There need to be firewalls and immutable backups in place. Security hygiene needs to be improved. That typically comes from implementing tools and solutions from the security perspective. On the data security side, protection of data, data loss prevention, data classification, data encryption tools, multi-factor authentication, privilege access, to manage identities of users and consumers.
With the bottom-up approach, employees need to be trained on security, so how to spot phishing emails, what to do when one is identified, reporting it to the security team. Humans are very much the weakest link in security and need to also be trained with the right programs.
Shah Sheikh is a cybersecurity expert based in Dubai with over 20 years' experience in blockchain, crowdfunding and network security.
What is your view on ChatGPT as a security threat?
As an AI tool it’s being used by Advanced Persistent Threat (APT) groups to create malicious code, malware, viruses, trojans, and phishing emails at a very quick speed. Now things are automated, even hackers that don’t have many years of experience can easily create malware through AI.
AI is being weaponized and hackers are using it to target organizations and government entities. ChatGPT can easily proliferate the volume and sophistication of attacks. On the other hand, AI can be leveraged by security professionals like ourselves to automate threat detection, automate vulnerability management, and automate neutralizing threats. So it depends who is using this technology and their intentions. Using AI is a race against time.
From the international perspective, are these threats as prevalent outside financial centers and which regions are most under threat?
Nowadays politics plays a big part in cyber warfare. Information is everything. The more information you have, the more intelligence you have about counterparties. Cyber warfare and cyber activities at the nation state level are definitely already there and on the rise.
In addition to regular armies, countries have cyber armies. We can see that with the ongoing war in Ukraine. The Russians have leveraged their cyber capabilities to infiltrate into critical infrastructure, gaining access to sensitive government information.
Information is key not just at the government level. Organizations may hire unethically in order to obtain certain competitive information. For example, hiring hackers as a service. That’s a very lucrative market now on the dark web.
What’s happening in the crypto sphere?
In the last few months, and especially towards the end of last year, with FTX collapsing and the situation that evolved from that, hundreds of millions were siphoned out of exchanges.
Crypto is technology driven, so a piece of code defines how much money you have in your wallet. Vulnerabilities in software are always going to exist. In decentralized finance (DeFi) in general, everything is controlled through what we call smart contracts written with code, and they’re vulnerable.
It’s easy to drain a wallet to zero by exploiting a smart contract. With cryptocurrency, lack of regulation is a major issue. Many tier one and tier two crypto companies and exchanges do not follow enterprise level cybersecurity controls. When you have exchanges that are dealing with millions and billions of assets under management and they don’t have enterprise level security controls, they are an easy target for hackers and cyber criminals.
There are hacking groups from North Korea that focus only on hacking crypto exchanges. They have a dedicated hacking army just to hack into crypto exchanges. So a crypto exchange is always going to be a target. But also if they don’t have the right enterprise level cybersecurity controls, like a bank or investment bank would typically have, they’re an easy target.
There are plenty of things that need to happen in the crypto industry to improve the level of security. In 2020 we saw around $12bn worth of crypto hacks happening in DeFi, and that number’s only going to increase due to more companies getting involved in the Web3 space and more companies launching their products and platforms without the right level of security controls and practices in place.
Do you think that will come when there’s defined regulation on crypto?
Absolutely. I work in the UAE, which is quite open-minded when it comes to crypto. The Virtual Asset Regulatory Authority (VARA) in Dubai, established last year, released a rule book two weeks ago for crypto and virtual asset service providers – that’s crypto custody platforms, OTC platforms, exchanges etc. If they want to get licensed and regulated by VARA, they have to follow the rule book and what is in the rule book, which pertains to AMLs, KYC and more.
There’s another rule book for technology and it specifically addresses the importance of appointing a CSO and putting a cybersecurity policy in place. They must have risk management and technical controls. Regulation is the key in the crypto space to having better governance, better controls, and making sure the infrastructure is secure for people to invest in, but also protecting the people that have invested, to not end up in a situation like FTX where people end up losing money.
Is there any chance that tougher regulation could hinder entrepreneurialism and technological development?
You will always have conflicting opinions on this. There’s a very fine line between innovating from a solution product and financial inclusion perspective versus running the same industry.
The lack of controls is dictating how the crypto industry is seen by the wider market. For adoption to happen on a mass scale there has to be some form of regulation. When people end up losing a lot of money simply because a crypto exchange has been hacked and there’s no protection mechanism, who will trust the system?
Governments and regulators need to have more of an open mind and be fast-moving. The problem at the moment is a lot of these regulators and central banks are very slow to issue even basic guidance.
Often companies want to launch and get products out in the market quickly, but yet there’s no guidance, support or clear guidelines on what to do. Regulation is good because it sets a benchmark for how the industry needs to operate.