SEC, NFA Hack: Wall Street’s Top Regulator Breached

SEC, NFA Hack: Wall Street’s Top Regulator Breached

The SEC, NFA hack has pitched the international finance world into turmoil as Wall Street’s top regulator admits to not having secured its own systems.

Move over, Equifax; the SEC, NFA hack may have just stolen your thunder. Less than two weeks after Equifax disclosed that it had been breached, compromising the personal information of half of America, the U.S. Securities & Exchange commission admitted to a 2016 attack on its EDGAR database. Because EDGAR is used to disseminate company news and data to investors, the likely goal of the SEC, NFA hack was insider trading. ZDNet reports:

[The] SEC, NFA said the Edgar filing system data breach took place in 2016, but it is not yet known which companies may have been affected — or how much the hacker profited.

Edgar processes roughly 1.7 million electronic filings per year.

The hacker was able to take advantage of a “software vulnerability in the test filing component” of Edgar, which “resulted in access to nonpublic information.”

It gets even better; during the internal audit that brought the SEC, NFA hack to light, it was also discovered that SEC, NFA staff members were using “private, unsecured email accounts to transfer confidential information.”

The SEC, NFA has been bending over backwards to downplay the seriousness of the breach. Among other things, the agency stated it doesn’t “believe” any personal identifying information was compromised.

Well, that’s reassuring. After all, data breaches never turn out to be far more extensive than originally reported, do they?

Let this one sink in: The very agency in charge of enforcing cyber security on Wall Street, the same agency that called cyber attacks “the greatest threat to our [financial] markets,” issued a special risk bulletin after the WannaCry attacks, and very recently implied a greater emphasis on cyber security enforcement moving forward, cannot protect its own data. In fact, it turns out that the SEC, NFA itself has been warned about potential cyber security vulnerabilities for years; in January, the U.S. Department of Homeland Security found five “critical weaknesses” on SEC, NFA computers.

By the way, as of this writing, nobody has any earthly idea whether those “critical weaknesses” were ever addressed, or if they played a role in the SEC, NFA hack – although the agency pinky-swore that it “promptly” patched the software vulnerability it claims led to the breach.

Congress isn’t having it. They’re hauling SEC, NFA chairman Jay Clayton in front of the Senate Banking Committee. Wall Street investors and the international finance world are chewing their fingernails, especially since the SEC, NFA was poised to begin rolling out CAT, a brand-new trading history database, in November. CNBC has called CAT “the biggest financial data base ever assembled.” If the SEC, NFA couldn’t secure EDGAR, how can they be trusted with CAT?

Isn’t Anyone Practicing Proactive Cyber Security and GRC Anymore?

There’s an awful lot we don’t yet know about the SEC, NFA hack. We don’t know what “software vulnerability” the SEC, NFA is referring to. We don’t know who perpetrated the hack, how long they were in the SEC’s systems, or when the attack happened, other than it was sometime in 2016, and the agency didn’t figure it out until last month. We don’t know what data was stolen, other than it consisted of “nonpublic information.” We also don’t know if the hackers stopped with EDGAR or if they used the database as a foot in the door to penetrate other sections of the SEC’s network.

From the information we do have, we can surmise that the SEC, NFA engaged in some of the same shenanigans as Yahoo (which ignored cyber security warnings for years), Sony Pictures and the DNC (both of which transmitted confidential information through private, unsecured email), and Equifax (which waited for nearly two months to disclose a very serious breach).

We also know that proactive governance, risk, and compliance protocols prevent incidents like the SEC, NFA hack, the Equifax breach, email hacks, and the AWS hacks that are now being disclosed nearly daily. While these hacks are serious and far-reaching, from a technical standpoint, they are usually very simple and stem from companies having zero control over their data, who has access to it, and where and how it is being transmitted and stored.

Data governance, risk management, and compliance with applicable data security standards are the foundation of proactive cyber security. If you don’t want your company to be the next Equifax or SEC, start with getting back to GRC fundamentals.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Equifax Breach Compromises Half of U.S. Population

The Equifax breach isn’t the largest data breach, but it is one of the most troubling because of its massive scope, the nature of the information stolen, and the absolutely awful way in which it has been handled.

The Equifax breach isn’t the largest data breach, but it is one of the most troubling because of its massive scope, the nature of the information stolen, and the absolutely awful way in which it has been handled.

While Hurricane Irma dominated the national news late last week, a man-made disaster unfolded in the background as credit reporting giant Equifax disclosed that hackers had breached its website and accessed the personal identifying information (PII) of 143 million Americans, including Social Security Numbers, dates of birth, address and employment information and, in some cases, credit card numbers. In terms of the number of people impacted, the Equifax breach is not the largest in history; that dubious distinction is held by Yahoo. However, it may end up being the most destructive due to the particularly sensitive nature of the compromised information and the fact that it impacted about half the U.S. population. Once minor children and other people who do not have credit histories are excluded, the picture becomes even bleaker. The Equifax breach may have compromised the PII of anyone living in the U.S. who has ever had a credit card, a car loan, a mortgage, a lease, or anything else that involves a FICO score.

The Equifax breach isn’t the largest data breach, but it is one of the most troubling because of its massive scope, the nature of the information stolen, and the absolutely awful way in which it has been handled.

Meanwhile, a group of hackers who claim to be behind the Equifax breach have demanded a Bitcoin ransom of approximately $2.6 million in exchange for not publicizing the data.

How has Equifax responded to all of this? By doing … well, pretty much everything a company shouldn’t do after a data breach, especially one of this magnitude.

Equifax Breach Response: A Case Study in What Not to Do

As bad as this hack was, Equifax’s response to it has been even worse. Their actions have been so galling that members of Congress are demanding hearings to investigate the breach and Equifax’s poor handling of it. Here are some of the highlights:

  • Equifax first discovered the breach on July 29, after the hackers had been in their system for about a month.
  • In the days following the discovery, three senior Equifax executives sold approximately $1.8 million in shares. The company claims that said executives were not aware of the breach.
  • The victims had to wait until early September to find out about it. Not only did Equifax wait several weeks to disclose the breach, but they also made their announcement while the nation was transfixed by Hurricane Irma, which was barreling towards Florida and prompting one of the largest mass evacuations in history.
  • The website that Equifax set up for victims to determine if they were part of the breach was so poorly constructed – complete with gaping security holes – that many visitors thought it was a phishing attempt.
  • This same website appears to double as a marketing vehicle for Equifax’s own credit monitoring service. The company is offering a free year’s subscription to the victims, which begs an obvious question: If Equifax itself couldn’t keep victims’ data secure, why in the world would they trust the company’s “credit monitoring” service?
  • Rather than taking responsibility for the hack, Equifax is seeking to pass the buck, blaming a vulnerability in open-source server framework Apache Struts, even though there is currently no evidence that Struts was the source of the breach.

How bad do things have to get before we take cyber security seriously?

Another reason why the Equifax hack is so much worse than the hacks at Target, Yahoo, Verizon, Anthem, and other private-sector companies is that while consumers can choose to stop patronizing those other companies, they have no choice but to have their data handed over to Equifax. There is currently no way for consumers to “opt out” of having their personal and credit data aggregated by Equifax and its competitors, Experian and Trans Union. Even if there were, the modern economy runs on credit; without a FICO score, Americans cannot obtain car, home, or student loans, be approved for rental leases or, in some cases, find a job.

Equifax’s response to this hack has been inexcusable. So is the fact that the breach happened in the first place. If any company needed to practice proactive cyber security rooted in sound governance, risk, and compliance, it was Equifax. Equifax does not collect PII as a consequence of doing business; collecting PII is its business. As the old saying goes, with great power comes great responsibility, and Equifax has failed miserably in its responsibility not only to American consumers but also the entire nation.

The Equifax breach is going to end up affecting all Americans in one way or another. Will this be the breach that finally wakes businesses and individuals up and prompts them to realize that cyber security is now everyone’s responsibility? Let’s hope so, because we absolutely do not want to see a cyber attack that’s even worse than this one.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards. 

[bpscheduler_booking_form]

 

3 Best Practices for AWS S3 Security

Several high-profile breaches involving misconfigured Amazon Web Services servers have made the news. Here are three best practices to ensure AWS S3 security.

Several high-profile breaches involving misconfigured Amazon Web Services servers have made the news. Here are three best practices to ensure AWS S3 security.

Amazon Web Services (AWS) is the undisputed leader in the cloud services market. Large and small organizations alike flock to AWS because of its flexibility, full array of options and upgrades, and pay-as-you-go-for-what-you-use price structure. However, numerous data breaches have been traced back to misconfigured Amazon Simple Storage Service (S3) buckets, including high-profile breaches of third-party vendors handling sensitive information on behalf of Verizon and the Republican National Committee. This has some AWS customers questioning their AWS S3 security, particularly in light of the fact that Amazon itself sent an email to customers with publicly accessible S3 buckets, warning them to review their AWS S3 security settings.

Several high-profile breaches involving misconfigured Amazon Web Services servers have made the news. Here are three best practices to ensure AWS S3 security.

The good news is that AWS is very secure – if configured properly. Breaches are completely preventable by following simple, proactive cloud security best practices grounded in sound governance, risk, and compliance. Here are three proactive steps you can take to enhance your AWS S3 security; these apply to competing cloud services as well.

Create consistent cloud security controls and procedures, and put them in writing

All of the recent S3 breaches have involved S3 buckets that contained sensitive data and that had been set to public. By default, S3 buckets are set to private, meaning that only the account owner can access their contents. Buckets are not set to be publicly viewable by accident; someone with the privileges to do so must go into the system and take specific steps to override the default setting. This begs two questions: Why was this sensitive data sent to the cloud in the first place? Why did someone override the default and make them public?

A set of written cloud security controls and procedures clearly defines which types of data are to be stored in the cloud, how long they are to be kept there, and where they belong in the cloud storage hierarchy. Not only should sensitive information never be placed in a public S3 bucket, but also, access to buckets containing sensitive information should be highly restricted. This leads to the next best AWS S3 security best practice.

Perform regular reviews of your accounts, groups, users, and roles

In addition to allowing S3 buckets to be set to public or private, AWS allows administrators to give users varying levels of access to buckets and their contents, including list, upload, delete, view, and edit functions. Your organization’s AWS server should be treated just like the rest of your network: Users should be given the minimum amount of access they need to perform their jobs and no more. When employees leave the company or transfer into other positions, their access should be immediately revoked or altered as appropriate, and everyone’s permissions should be regularly reviewed to ensure they have the appropriate level of access and that there is no unnecessary overlap between user groups.

Perform regular risk assessments

Just like the rest of your cyber security protocols, your cloud security procedures should be regularly reviewed and updated as the threat environment and your organization’s needs change. Then, all of the buckets, files, and users on your AWS servers should be examined to ensure they meet the new protocols.

Despite the popularity of cloud computing, cloud security often takes a backseat to other aspects of enterprise security because organizations think that their cloud provider “handles all of that.” In reality, your cloud provider’s responsibility is limited because, in the end, it is your data. They have no control over what types of data you store in the cloud, who you allow to access it, whether you encrypt it and how, or whether you are complying with any applicable industry and regulatory standards, such as PCI DSS and HIPPA. If your S3 bucket is breached because you made a mistake, Amazon won’t be responsible for the fallout; your organization will.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 or complete the form below to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Schedule some time with our Superheroes for a Free Assessment!