The Achilles Heel Of The Trading World
By Brian Ross, CEO, FIX Flyer.
There are key measures you can take to protect against cyber-attack and ensure that you are not the weakest link.
The legend of Achilles has it that he was dipped into the River Styx by his mother Thetis in order to make him invulnerable. His heel wasn’t covered by the water and he was later killed by an arrow wound to his heel. Although the legend is ancient, the meaning is germane today. Our networks, firewalls and institutions continue to harden, but the world’s most famous hacker knows the truth of cybersecurity.
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain,” says Kevin Mitnick, a once notorious hacker and now a computer security consultant.
Attackers are smart. They don’t target walls. They hammer against the weakest points of entry. Your trading network is a point of entry and it needs a complete chain of security.
Cybercrime is arguably the top systemic threat facing the global financial markets and associated trading infrastructure. Predictions abound of major bank failures as a result of cyber-attack. Finance has long relied on a small number of security measures, mostly focused on heavy security at the edges of the network. But you must find your Achilles heel if you want to avoid being a big headline in 2017.
Links in your chain
Understanding how to secure your trading network means understanding how each link in the chain connects. If your local network is secure, an attacker will attempt entry through your clients. The path of least resistance sees the most aggressive attack. There are eight core components of a strong chain of security:
• Attack Vector
• Trading Networks
• Air Gap
• Incident Response
Your “attack vector” is the exposed “area of attack” for your FIX network. Minimize your attack vectors as much as possible without impacting your ability to do business. Expose only necessary ports to necessary networks, employ strict firewalls, and implicitly distrust any networks you don’t control. If it’s not your network, it might as well be public.
This is probably the strongest area in trading networks today. Financial institutions rely heavily on security at the network edge. It is important to restrict your exposure to trusted extranets. In the words of Ronald Reagan: “Trust, but verify.”
Be it VPNs, extranets, leased lines, FIX networks, or cross-connects, your trading network has to reach your clients. The most important thing is to understand the security ramifications of each connection. Does your connectivity provider perform penetration tests? Is the traffic encrypted? Is the connection secured? Encryption is best placed directly on the host and source ends but rarely is this implemented in trading extranets.
Audit and document your connectivity vendors just as you would your own network. They are an active part of your overall security posture.
The FIX protocol is notoriously weak in authentication. Most FIX connections rely primarily and sometimes solely on cleartext FIX tags 49 and 56: SenderCompID and TargetCompID.
Since changing the protocol, or even the software, is often not an option, a solid approach is to use multiple authentication factors. CompIDs, FIX passwords, and source IP/port aren’t perfect, but in combination they are far more effective than cleartext CompIDs alone. VPN credentials, SSL certificates, or other more secure means are an improvement.
Where authentication is difficult with FIX, good verification can mitigate the danger to a significant degree. Even if a client authenticates with valid credentials, are you sure they’re who they say they are? Proving who is on the other side of a connection is an important and often neglected aspect of trading network security.
The question you must ask yourself is: “how easy would it be for a rogue application to mimic this credential?” A FIX tag is easily discovered (or even guessed) and trivially duplicated. A valid SSL certificate is much more difficult to spoof, with the added benefit of preventing “man-in-the-middle” attacks. Extranets verify that the network you’re talking to is owned by who they say it’s owned by, but they don’t verify what’s inside that network. FIX secured with TLS/SSL can verify the application itself.
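The multi-factor Logon check described above, as an added example that is not from the article: the Sender/Target CompID pair, the FIX password (tag 554) and the source IP of the TCP connection must all agree before a session is accepted. The session table, CompIDs, password and addresses are constructed for illustration.

```python
# Added example (not from the article): accepting a FIX Logon (35=A) only when
# several factors agree, as the text recommends: the SenderCompID/TargetCompID
# pair (tags 49/56), the session password (tag 554) and the source IP of the
# TCP connection. The session table and the messages are constructed.
import hmac
import ipaddress

SOH = "\x01"

# Constructed session table keyed by the (Sender, Target) CompID pair.
# Passwords are compared with hmac.compare_digest so the check is constant-time.
SESSIONS = {
    ("CLIENT1", "BROKER"): {
        "password": "s3cr3t-constructed",
        "allowed_sources": [ipaddress.ip_network("203.0.113.0/24")],  # TEST-NET-3
    },
}

def parse_fix(raw: str) -> dict:
    """Split a SOH-delimited FIX message into a tag -> value dict."""
    return dict(f.split("=", 1) for f in raw.split(SOH) if "=" in f)

def logon_allowed(raw: str, source_ip: str) -> tuple:
    """Return (accepted, reason). Every factor must pass; otherwise fail closed."""
    msg = parse_fix(raw)
    if msg.get("35") != "A":
        return False, "not a Logon"
    session = SESSIONS.get((msg.get("49"), msg.get("56")))
    if session is None:
        return False, "unknown CompID pair"
    if not hmac.compare_digest(msg.get("554", "").encode(), session["password"].encode()):
        return False, "bad password"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in session["allowed_sources"]):
        return False, "source IP not on allowlist"
    return True, "ok"

# Constructed Logon as a client would send it (SOH between fields).
GOOD_LOGON = SOH.join(["8=FIX.4.4", "35=A", "49=CLIENT1", "56=BROKER", "34=1",
                       "98=0", "108=30", "554=s3cr3t-constructed"]) + SOH

if __name__ == "__main__":
    print(logon_allowed(GOOD_LOGON, "203.0.113.7"))   # (True, 'ok')
    print(logon_allowed(GOOD_LOGON, "198.51.100.9"))  # (False, 'source IP not on allowlist')
```

A valid password from an unexpected network, or the right CompIDs with a guessed password, is rejected the same way, which is the point of combining factors.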
Much of the traffic in trading networks is via FIX, which by default is “in the clear.” Anyone with access to any hop of the network can see the data. Perimeter encryption (VPNs) or security (leased lines, extranets) only protects the data over that connection, not along the full path.
Wherever possible, leverage protocol encryption. TLS/SSL is supported directly by modern FIX engines. Even when it isn’t a native option, tools such as stunnel can provide TLS encryption for existing applications. This becomes especially important with sensitive data like pending trades or personally identifiable information (PII).
Every part of the network you control must be monitored to maintain trust and integrity. This includes your servers and applications. The moment trust is lost in any component of a trading network, the entire environment is potentially compromised. One of your first challenges is to know you are under attack.
Intrusion detection systems must be deployed, maintained, and monitored. A stable trading network has baseline levels of expected activity: deviations from this baseline are cause for investigation. Is a previously unused port suddenly listening for connections? Is there unexpected network traffic outside of market hours?
The only thing worse than a compromised trading network is not knowing you are compromised. Proactive monitoring can catch breach attempts as they occur, before they succeed.
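The two baseline questions above (a previously unused port that starts listening, and traffic outside market hours), as an added example that is not from the article: a small check run over a constructed connection log. The log format, the baseline port set and the trading session hours are assumptions for illustration.

```python
# Added example (not from the article): baseline-deviation checks over a
# constructed connection log, covering the two questions the text poses:
# a previously unused port suddenly listening, and traffic outside market
# hours. Log format, baseline ports and session hours are assumptions.
from datetime import datetime, time

# Baseline: ports this host is expected to listen on, and the trading
# session (timestamps are assumed to be in the exchange's local time).
BASELINE_PORTS = {22, 9878}
MARKET_OPEN, MARKET_CLOSE = time(9, 30), time(16, 0)

# Constructed sample lines: "<iso-timestamp> listen <port>" or
# "<iso-timestamp> conn <src-ip> <dst-port>". 2017-03-04 is a Saturday.
SAMPLE_LOG = """\
2017-03-06T09:31:05 conn 203.0.113.7 9878
2017-03-06T10:02:11 listen 9878
2017-03-06T03:12:44 listen 4444
2017-03-06T03:15:01 conn 203.0.113.7 4444
2017-03-04T11:00:00 conn 198.51.100.9 9878
"""

def in_session(ts: datetime) -> bool:
    """True during a weekday trading session; weekends are out of session."""
    return ts.weekday() < 5 and MARKET_OPEN <= ts.time() <= MARKET_CLOSE

def find_deviations(log: str) -> list:
    """Return one alert string per log line that deviates from the baseline."""
    alerts = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                                   # ignore malformed lines
        ts, kind = datetime.fromisoformat(parts[0]), parts[1]
        if kind == "listen":
            port = int(parts[2])
            if port not in BASELINE_PORTS:
                alerts.append(f"{parts[0]} new listener on port {port}")
        elif kind == "conn" and len(parts) >= 4:
            src, port = parts[2], int(parts[3])
            if port not in BASELINE_PORTS:
                alerts.append(f"{parts[0]} connection from {src} to unexpected port {port}")
            elif not in_session(ts):
                alerts.append(f"{parts[0]} connection from {src} outside market hours")
    return alerts

if __name__ == "__main__":
    for alert in find_deviations(SAMPLE_LOG):
        print(alert)
```

Each alert is a prompt for investigation, not a verdict; the value of the check is that the baseline makes the unexpected visible.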
Most connectivity options for trading networks provide just that: connectivity. These are direct connections linking two networks. This is a significant danger for trading institutions. Any vulnerability in your system could be exploited by malicious network traffic through direct connections. Wherever possible, “air gap” your most critical infrastructure and avoid direct connectivity from uncontrolled sources.
Security is best achieved with an application air gap, often in the form of a FIX engine. Inbound network packets never touch your trading systems without passing through this application air gap. Counterparty FIX messages are read by a secured FIX engine, and separate FIX messages are sent from that engine to your trading infrastructure.
The application serving as the air gap provides a powerful layer of security. Its client-facing interface can be hardened against likely intrusion vectors (for example, buffer overflows or system-level network vulnerabilities), while clean validated trade information is communicated onward to the trading infrastructure.
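The application air gap described above, as an added example that is not from the article or any vendor's engine: a gateway function parses an inbound NewOrderSingle, validates every field it is willing to accept, and then builds an entirely new message for the internal side, so no counterparty bytes are forwarded verbatim. The tag whitelist, the internal CompIDs and the sample order are constructed for illustration.

```python
# Added example (not from the article): the "application air gap" as a small
# gateway function. Inbound counterparty bytes are parsed and validated, and a
# brand-new message with only allowed fields is built for the internal side.
# Tag whitelist, internal CompIDs and the sample order are constructed.
import re
from typing import Optional

SOH = "\x01"
INTERNAL_SENDER, INTERNAL_TARGET = "GATEWAY", "OMS"
# Fields an inbound NewOrderSingle (35=D) may carry, each with a validator;
# any other tag is dropped rather than passed through.
ALLOWED = {
    "11": lambda v: re.fullmatch(r"[A-Za-z0-9_-]{1,32}", v),  # ClOrdID
    "55": lambda v: re.fullmatch(r"[A-Z0-9.]{1,12}", v),      # Symbol
    "54": lambda v: v in ("1", "2"),                          # Side: buy/sell
    "38": lambda v: v.isdigit() and 0 < int(v) <= 1_000_000,  # OrderQty
    "40": lambda v: v in ("1", "2"),                          # OrdType: mkt/limit
    "44": lambda v: re.fullmatch(r"\d{1,7}(\.\d{1,4})?", v),  # Price
}
REQUIRED = {"11", "55", "54", "38", "40"}

def parse_fix(raw: bytes) -> dict:
    """Decode strictly as ASCII and split into a tag -> value dict."""
    return dict(f.split("=", 1) for f in raw.decode("ascii").split(SOH) if "=" in f)

def build_fix(body: list) -> bytes:
    """Assemble a FIX 4.4 message, computing BodyLength (9) and CheckSum (10)."""
    body_str = SOH.join(f"{t}={v}" for t, v in body) + SOH
    msg = f"8=FIX.4.4{SOH}9={len(body_str)}{SOH}{body_str}".encode("ascii")
    return msg + f"10={sum(msg) % 256:03d}{SOH}".encode("ascii")

def relay_order(raw: bytes, seq: int) -> Optional[bytes]:
    """Validate an inbound 35=D and return a freshly built internal copy, or None."""
    try:
        msg = parse_fix(raw)
    except UnicodeDecodeError:
        return None                      # non-ASCII bytes never cross the gap
    if msg.get("35") != "D" or not REQUIRED <= set(msg):
        return None                      # wrong type or required field missing
    if msg.get("40") == "2" and "44" not in msg:
        return None                      # limit order without a price
    clean = []
    for tag, check in ALLOWED.items():
        if tag in msg:
            if not check(msg[tag]):
                return None              # fail closed on any malformed field
            clean.append((tag, msg[tag]))
    header = [("35", "D"), ("49", INTERNAL_SENDER), ("56", INTERNAL_TARGET), ("34", str(seq))]
    return build_fix(header + clean)

# Constructed counterparty order; "|" stands in for SOH, and tag 58 is not whitelisted.
INBOUND = ("8=FIX.4.4|35=D|49=CLIENT1|56=BROKER|34=12|11=ord-1|55=ACME|54=1|38=100|"
           "40=2|44=10.25|58=free text dropped|10=000|").replace("|", SOH).encode()
```

The internal message carries the gateway's own CompIDs and sequence number, so the counterparty's framing, checksum and extra tags end at the gap.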