ICE Brings an Incubator Approach to Cybersecurity


Cyber threats continuously evolve, and firms that take a reactionary approach and rely on a standard cyber-security checklist will likely be attractive targets for hackers, according to Jerry Perullo, the chief information security officer at the Intercontinental Exchange.

A hacked organization’s initial response is often to throw money at the problem, hire consultants, and implement a draconian security model that affects productivity, he noted during an interview on the ICE House podcast.

“The problem of bad controls is that they get torn down,” said Perullo. “You get a lot of exceptions and over-securing is a lack of securing at the end of the day.”

Security teams should be more like startup incubators, where staff challenge pre-set ideas and try to develop better ways to secure access to the enterprise and its data.

When reviewing user accounts and passwords, Perullo’s team sought to find a more secure method than the standard model of an eight-character password that includes a sprinkling of capitals and special characters and has been in use for more than 20 years.

The team wanted to lengthen account passwords to 15 characters and drop the complexity requirement of including special characters. They tossed all of the necessary calculations onto the whiteboard and the math held, according to Perullo.

“Then the National Institute of Standards and Technology released an updated standard that said that length was king,” he said. “You can get rid of that stuff as long as you look and block out commonly used passwords.”
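The whiteboard comparison and the length-plus-blocklist rule described above can be sketched as follows. This is an added example, not ICE's calculation or code; the alphabet sizes (95 printable ASCII characters for the old format, 26 lowercase letters for the new one) and the small blocklist are assumptions constructed for illustration.

```python
import math

# Constructed sample blocklist (assumption): a real deployment would load a
# large list of breached and commonly used passwords.
COMMON_PASSWORDS = {
    "passwordpassword",
    "123456789012345",
    "qwertyuiopasdfgh",
    "iloveyouiloveyou",
}

def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Brute-force search space in bits, assuming uniformly random characters."""
    return length * math.log2(alphabet_size)

def check_password(candidate: str, min_length: int = 15,
                   blocklist: frozenset = frozenset(COMMON_PASSWORDS)) -> list:
    """Length-first policy: no composition rules, but reject blocklisted values.

    Returns a list of rejection reasons; an empty list means accepted.
    """
    reasons = []
    if len(candidate) < min_length:
        reasons.append("too short")
    # Case-fold so trivial capitalisation does not slip past the blocklist.
    if candidate.casefold() in blocklist:
        reasons.append("commonly used")
    return reasons

def compare_formats() -> dict:
    """Old format: 8 chars over 95 printable ASCII symbols (assumed).
    New format: 15 chars over 26 lowercase letters (assumed, conservative)."""
    old_bits = keyspace_bits(8, 95)
    new_bits = keyspace_bits(15, 26)
    return {
        "old_bits": round(old_bits, 1),
        "new_bits": round(new_bits, 1),
        "ratio": round(2 ** (new_bits - old_bits)),
    }

if __name__ == "__main__":
    print(compare_formats())
    for pw in ("Tr0ub4d!", "PasswordPassword", "quiet lamp under river"):
        print(repr(pw), check_password(pw) or "accepted")
```

The bit counts hold only for randomly chosen characters; passwords picked by people cluster around a small set of favourites, which is why the length rule is paired with the blocklist check.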

The team tested the new password format against its internally developed Kraken engine, which attempts to crack the passwords of all ICE user accounts daily, and found the new format was secure. Kraken’s success rate also dropped steadily over the 90 days it took ICE to deploy its new security policy.

“Having that machine that's constantly red teaming us has exposed a lot of other things around cleaning up accounts, visibility, and looking across acquisitions and geographies,” said Perullo.

Implementing a red team strategy, in which an internal team acts as an adversary, along with security information shared amongst the industry, also helps ICE develop a threat matrix based on the likelihood of an attack and its potential impact on the business.

“There is nothing more important than being close to the business and understanding the business and partnering with the business to understand what the impact would be,” he added.

Perullo also noted that productivity improves when a red team delivers its findings to the IT team as a video of a hacker attempting an exploit rather than as a list of security-related tasks without context.

“People will get up and go out of the room to fix it,” he said. “There is no more back-and-forth.”