Cyber security for the mortgage broker industry
By Chris Moschovitis
It started with a friend’s request for help:
“Advice please: One of my email accounts has been hacked five times in the last week. I keep changing the password using the complicated passwords that are computer generated and now it seems like I'm getting hacked even more. What can I do to make this stop?”
I often wondered how a doctor feels when delivering a bad diagnosis to a friend or family member. Yours, of course, is not a life-and-death case, nor am I a doctor; however, when your professional life depends on information technology, getting a bad diagnosis can be injurious to your financial well-being. My friend is a successful mortgage broker, whose business requires a great many email transmissions.
I replied on-line that her computer was most likely compromised by a type of malware (nasty little critters of software) that can record what one types, what’s on one’s computer screen, even what is transmitted. As a result, remedial options were limited: Assuming that the broker had a good, uninfected backup, she would have to “burn” her computer by wiping it completely and re-installing the operating system and applications from original media. While she did all this, she would need to monitor all of her accounts (email accounts, social media accounts, financial institutions, on-line services, etc.) for any unauthorized activity. Then, she would need to find a “clean” computer, ideally outside her compromised network environment, to change all her passwords again, and immediately institute two-factor authentication across the board.
The comments from both my friend and her colleagues and associates started streaming in:
“So does that mean my phone and iPad are compromised? And does that mean I can't just wipe the hard drive clean and reinstall a backup from Time Machine because that likely means I'll reinstall the malware, right? What's the best way to "burn" my computer?”
“This is horrifying. Just the idea...” typed another. “Isn't there a way to remove that type of malware from the computer?”
Yes, there is, but it will not be worth your fees. Trying to remove this type of malware is hours of uninterrupted and expensive fun. Moreover, never underestimate hackers. Your “going in” assumption should be that they are brilliant, persistent, and cunning. They need to succeed only once. You need to defend thousands of times, across multiple entry points.
Bottom line: surgical removal of malware should be considered very carefully, should be done by experienced cybersecurity people, and can never be 100% guaranteed. One typically faces this type of solution when the backup is inadequate.
What is an adequate backup? As with most solutions, there is no such thing as a “one size fits all” answer. It depends on the data, the sensitivity of the information, its life expectancy (yes, data has a life), usage, etc. Is it encrypted to begin with? Should it be? And so on.
You hear people talking about “disk-to-disk-to-cloud” solutions, “time machine” and half-a-dozen different vendors and products. They all have pluses and minuses. You should have a conversation with both your IT and your cybersecurity professionals (they are not, and should not be, the same person), and arrive at a strategy and a solution that lets you sleep at night. Always remember: You’re the only one who can accept risk! No product or consultant can do this for you.
The comments kept streaming in…
“I've got a malware program that sweeps my computer numerous times a day for malware…”
“I just installed a second one, for good measure!”
The majority of antivirus and antimalware programs available are what is called “signature based.” What this means is that they work about as well as your flu shot.
Flu shot effectiveness varies year-by-year, strain-by-strain. Why? Because a flu vaccine is made by taking last year’s virus(es) and, after making them inert, creating a vaccine whose job is to tell your body to attack any virus that looks like the vaccine. If you’re lucky, this year’s vaccine “looks like” last year’s and the inoculation works! If not, then you spend a few weeks sneezing and wheezing in misery.
Same story with the antivirus programs for computers. There are, of course, more sophisticated answers, programs that look for behaviors, for example, or those that use artificial intelligence algorithms to guess if a piece of software is good or bad. Are they right for your environment? Perhaps. It all depends on your risk appetite, type of data, and budget.
What’s the bottom line here? Be vigilant. Have reliable backups. Use strong passwords. Encrypt your stuff and your internet sessions (use HTTPS whenever possible). Use two-factor authentication. Keep your computers, phones, tablets, etc., up-to-date.
And use common sense! The Nigerian prince retired right after he sent me my $2,000,000, so if you get an email like that, it’s fake!
Chris Moschovitis is co-author of the critically acclaimed “History of the Internet: 1843 to the Present” as well as a contributor to the “Encyclopedia of Computers and Computer History” and the “Encyclopedia of New Media.” He is cyber security and governance certified (CSX, CISM, and CGEIT), and an active member of ISACA, ISSA, and IEEE. Chris, in addition to his duties as CEO of tmg-emedia, personally leads the cyber security and consulting teams and delivers cyber security awareness training and consulting. He is an active speaker and writer, and delivers workshops on a variety of topics, including Cyber Security, Information Technology Strategy, Governance, and Execution. Chris is working on his latest book “How I Stopped Worrying and Learned to Love the Hackers.”