Late last week, the world at large was made aware of two major flaws in computer chips that could leave a vast number of computers and smartphones open to attack. These flaws affect virtually every computer, tablet and smartphone on the planet. The underlying design weakness, in the way processors speculatively execute instructions ahead of time, has apparently existed for more than two decades, but we are just learning about it now. It is unclear whether anyone has taken advantage of these flaws in the intervening years. The reports we’ve seen say that nobody has exploited them yet, but as far as we know there has been no established method for detecting such an attack, so how can anyone be sure?
Why should advisors be worried about flaws that affect nearly every processor made since 1995? There are a couple of reasons. First, advisors’ computers, and the systems they interact with, store potentially valuable personally identifiable information (PII) as well as other financial data. That is where the money is, which makes them a prime target. Second, many advisors and their providers use multi-tenant cloud computing platforms, where code from unrelated customers runs on the same physical processor. That is exactly the situation in which these flaws are most dangerous, because a malicious tenant could potentially read memory belonging to the host or to other tenants.
WHAT ARE THESE NEW THREATS?
The two vulnerabilities, Meltdown and Spectre, were identified independently by Google’s Project Zero and several academic and industry research teams. Meltdown primarily affects Intel processors (a small number of ARM designs are also affected). Intel chips power the vast majority of Windows PCs, all Apple Macs manufactured in the past decade, and roughly 95% of the processors used in cloud services and corporate data centers. Spectre affects processors from all major manufacturers, including those in PCs, tablets and smartphones.
Meltdown and Spectre are not conventional malware that runs inside the operating system. They are side-channel attacks: an ordinary, unprivileged program abuses the processor’s speculative execution to infer the contents of memory it is not permitted to read. Meltdown lets a user program read the “kernel,” the core of the operating system that mediates between applications and the hardware (processor, memory, keyboard, touchscreen and the like), and on most systems the kernel’s memory map in turn exposes all of physical memory. Spectre tricks a victim program into leaking its own memory, for example JavaScript in one browser tab reading passwords or session data held elsewhere in the browser, and in some variants memory belonging to other processes or virtual machines. The data at risk includes passwords, credit card numbers, encryption keys and emails. Because the attack consists of nothing more than ordinary memory reads and timing measurements, it leaves nothing in system logs and, unless the specific exploit code is already known to an antivirus product, nothing for that product to flag. So while the vulnerabilities certainly exist, there is still no reliable way to know whether anyone has actually exploited them.
Major users of Intel chips appear to have deployed the patches that Intel and the operating-system vendors recommend. So far the large cloud providers have not reported major performance declines, although the kernel page-table isolation used against Meltdown adds overhead to workloads that make many system calls, so firms should benchmark critical systems after patching rather than assume nothing has changed. Meltdown can be countered by patching the operating system. Spectre is more difficult to mitigate: it requires processor microcode updates (delivered through BIOS/firmware or the operating system) combined with changes to compilers, operating systems and individual applications, and those changes have to be made case by case, so Spectre exploits are likely to be with us for some time. Applications such as web browsers also need their own updates, for example reducing the precision of the timers an attack relies on.
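A practical check a practitioner will want after patching is whether the operating system itself reports the mitigations as active, rather than trusting that an update was installed. The following shell script is an added example; it is not part of the original article or of any vendor’s tooling. It assumes a Linux kernel of version 4.15 or later, which exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities (meltdown, spectre_v1, spectre_v2), each holding a single line that begins “Not affected”, “Mitigation:” or “Vulnerable”. The directory path and file names are real; the sample file contents below are constructed so the script can be exercised on any machine, including one whose kernel predates the interface.

```shell
#!/bin/sh
# Added example: summarise the kernel's own report of Meltdown/Spectre
# mitigation status from sysfs (Linux 4.15+ exposes one file per issue).
#
# Usage: check_cpu_mitigations [DIR]   (DIR defaults to the real sysfs path)
# Prints one line per issue and returns 0 if every issue is mitigated or
# not applicable, 1 if any issue is still reported as "Vulnerable" (or the
# status text is unrecognised), 2 if the kernel does not report at all.
# The exit code makes it usable as a gate in a fleet-wide check.

check_cpu_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel too old to report mitigation status (pre-4.15)" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*) verdict="ok (not affected)" ;;
            "Mitigation:"*)  verdict="ok (mitigated)" ;;
            "Vulnerable"*)   verdict="VULNERABLE"; rc=1 ;;
            *)               verdict="unknown";    rc=1 ;;
        esac
        printf '%-14s %-20s %s\n' "$name" "$verdict" "$status"
    done
    return $rc
}

# Constructed sample data (illustrative contents, real file names) so the
# function can be exercised on any host. spectre_v2 is deliberately left in
# the state seen on a patched kernel whose CPU microcode is still old.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable: Retpoline without IBPB" > "$d/spectre_v2"
    echo "$d"
}

# Demonstration on the constructed sample; a live run is simply:
#   check_cpu_mitigations
sample=$(make_sample_dir)
if check_cpu_mitigations "$sample"; then
    echo "all reported issues are mitigated"
else
    echo "action needed: see lines marked VULNERABLE"
fi
rm -rf "$sample"
```

On the sample data the script flags spectre_v2 and exits non-zero, which is the outcome a firm would see on a machine that received the operating-system update but not the processor microcode update. The Windows equivalent is Microsoft’s SpeculationControl PowerShell module, whose Get-SpeculationControlSettings cmdlet reports the same three categories.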
According to Tony Leal, President of PIEtech, Inc., the developers of MoneyGuidePro, this is the first widespread threat to “cloud computing.” Leal emphasizes that in the case of a vulnerability such as Meltdown and Spectre, individual corporate servers are just as vulnerable to attack as multi-tenant cloud servers, but the rewards of hacking a cloud server may be greater since the hacker would have access to the information of many user firms instead of just one. He also pointed out that PIEtech does not store PII, so the firm is much less of a target than those firms that do store PII.
WHAT CAN ADVISORS DO?
Brian Edelman, President of Financial Computer, Inc., suggests that cleverDome, an industry initiative that launched at the 2017 T3 Enterprise Conference, could be the answer. “If a technology vendor was under the Dome, Meltdown and Spectre would not have been a threat to those firms. If an advisory firm was under the Dome, the firm’s data would remain secure.”
From a vendor perspective, cleverDome performs a due diligence process, ensures endpoint protection, and only allows secure, known devices to access the network. In essence, vendors that pass information through cleverDome are shielded from outside traffic and only communicate with others on the network. cleverDome acts as a private network, but it does so over the public Internet. Note that access control of this kind reduces the chance that an attacker can reach a firm’s systems in the first place; it does not remove the underlying processor flaw, so operating-system and microcode patches remain necessary on every device.
Advisory firms that use cleverDome must adopt cybersecurity standards that include an incident response plan, a business continuity plan, and an information security policy. cleverDome also provides such advisors with a third-party due diligence process to vet vendors under the Dome. In addition, advisors are required to have endpoint protection. Only advisors that meet the standards are granted the ability to transmit and receive data securely over the cleverDome network.
INDUSTRY-WIDE DISCUSSION NEEDED
Leal hopes that this incident will prompt an industry-wide discussion about how data is shared among industry participants, where it is going, and why. Every vendor and advisor should be asking: “Where is my data, and can it hurt my clients and me?” He suggests that the industry needs to re-examine the way that APIs are developed and used throughout financial services. “Why not have two levels of APIs?” he asks. Level One would not include PII, and Level Two would. When Level One data is sufficient to get a task done, you only use a Level One API, thereby limiting the potential damage. Since Level One data would be less dangerous to expose, the due diligence process for it could be less extensive and less expensive to implement. Firms that required Level Two APIs would be put through a much more extensive due diligence process.
While Leal’s suggestion is a credible one worthy of thoughtful consideration, it cannot be implemented immediately. For now, the following precautions should be undertaken:
Meltdown and Spectre should serve as yet another wake-up call to the industry and the recent events hammer home the point that cybersecurity will remain perhaps the single most important technology issue for financial services in 2018. Advisors, and those who serve them, must remain vigilant. The stakes are high and the threats are not going away anytime soon.