1.888.900.DRIZ (3749)
The Driz Group

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

9/23/2017


Wall Street’s Top Regulator Discloses Own Data Breach


The US Securities and Exchange Commission (SEC), Wall Street's top regulator, is the latest organization to publicly acknowledge that it was the victim of a cyber attack.

SEC Chairman Jay Clayton, who took office in May of this year, disclosed that in August 2017 the Commission learned that a hacking incident first detected in 2016 “may have provided the basis for illicit gain through trading”.

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” said Chairman Clayton. “We must be vigilant. We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

This disclosure came just two weeks after the massive data breach at the credit reporting agency Equifax, which by Equifax's initial count affected 143 million Americans (more than half of the country's adult population), along with about 100,000 Canadians and 400,000 UK residents.

The incident puts the Commission in an uneasy position, given that it is the government body responsible for enforcing securities laws, issuing rules and regulations, and ensuring that securities markets are fair and honest and protect investors. The Commission, in particular, has the power to fine private entities for failing to safeguard customer information.

In June 2016, Morgan Stanley Smith Barney LLC paid a $1 million SEC fine over stolen customer data. The case originated with a then-employee who accessed and transferred data on nearly 730,000 accounts to his personal server, which was later hacked by third parties.

The Commission found that Morgan Stanley had violated Regulation S-P, which requires registered investment companies, broker-dealers and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." Morgan Stanley settled the charges without admitting or denying the SEC's findings.

In September 2015, a St. Louis-based investment adviser paid a $75,000 SEC fine for failing to establish the necessary cyber security policies and procedures, a failure that led to a data breach compromising the personally identifiable information (PII) of nearly 100,000 individuals, including thousands of the firm's clients. In its order, the SEC said the firm “failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.”

Patch, Patch, Patch

According to Chairman Clayton, hackers exploited a software vulnerability in the Commission's corporate filing system, EDGAR (Electronic Data Gathering, Analysis and Retrieval). The vulnerability was patched after discovery, he said.

The EDGAR system performs automated collection, validation, indexing, acceptance and forwarding of submissions from companies and others required to file information with the Commission. In particular, it receives, stores and transmits nonpublic information, including data relating to the operations of credit rating agencies, issuers, investment advisers, broker-dealers, clearing agencies, investment companies, municipal advisors, self-regulatory organizations (SROs) and alternative trading systems (ATSs).

What is a Patch

A patch is a piece of code added to a software program to fix a defect (a software bug), including a security vulnerability. Vendors create and release patches after defects or vulnerabilities are discovered. If a patch is not applied in a timely manner, or if the vendor no longer supplies patches for the product, criminals can exploit a vulnerability that is already publicly known, often with exploit code published alongside it.

Common Vulnerabilities and Exposures (CVE), an industry-standard catalogue maintained by MITRE, assigns a unique identifier (for example CVE-2017-5638) to each publicly disclosed vulnerability so that advisories, scanners and patches all refer to the same flaw. The United States Computer Emergency Readiness Team (US-CERT) publishes alerts and weekly bulletins listing newly disclosed vulnerabilities and the patches available for them.
 
“Federal agencies consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available,” Gregory Wilshusen, Director for Information Security Issues, said in a written statement before the Subcommittee on Research and Technology, Committee on Science, Space, and Technology, House of Representatives in February 2017. “We also consistently identify instances where agencies use software that is no longer supported by their vendors. These shortcomings often place agency systems and information at significant risk of compromise, since many successful cyberattacks exploit known vulnerabilities associated with software products. Using vendor-supported and patched software will help to reduce this risk.”
 
Two of the major cyber attacks of 2017, WannaCry and the Equifax data breach, exploited known vulnerabilities in systems that had not been patched.

The WannaCry ransomware, which infected hundreds of thousands of computers worldwide in May of this year, exploited a vulnerability in the Microsoft Windows implementation of Server Message Block 1.0 (SMBv1). The vulnerability allows remote code execution if an attacker sends specially crafted messages to an SMBv1 server.

Microsoft had released the patch for this vulnerability, security bulletin MS17-010, on March 14, 2017, two months before WannaCry appeared in the wild; systems that had applied it were not affected. Microsoft also recommends disabling SMBv1 outright where it is not needed, which removes the exposed service rather than just the one flaw.

The cause of the Equifax data breach was a vulnerability in Apache Struts, the web framework behind Equifax's US online dispute portal. According to Equifax, the breach ran from May 13, 2017 to July 30, 2017.

The Apache Software Foundation, the not-for-profit that develops Apache Struts and publishes its security fixes, released patches for four known vulnerabilities between March 2017 and July 2017.

Even after vulnerabilities are made public and patches are released, many organizations still fall victim simply because they do not apply the patches that are available. According to the Apache Software Foundation, the majority of the breaches that come to its attention are “caused by failure to update software components that are known to be vulnerable for months or even years.”

CVE-2017-5638, a critical Apache Struts vulnerability that lets an unauthenticated attacker run arbitrary commands on the web server (and the flaw Equifax has identified as the one used against it), is a case in point: within days of the patch being released in March 2017, security researchers observed a spike in attacks exploiting it against servers run by banks and government agencies.
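Detection logic for the kind of attack traffic described above, as an added example that is not code from the original post. CVE-2017-5638 is publicly documented as being triggered by an OGNL expression placed where the Struts Jakarta multipart parser expects a media type: in the Content-Type header (Struts advisory S2-045) or in a multipart part's Content-Disposition filename (S2-046, same CVE). The check below therefore does two independent things: it validates Content-Type against the RFC 7231 media-type grammar, so that any expression-shaped value fails regardless of exact payload, and it looks for OGNL tokens in both headers. The header mapping, function names and sample requests are all constructed for the example; it assumes a reverse proxy, WAF rule or request-log audit that has the raw headers available.

```python
"""Flag HTTP requests carrying an OGNL expression in the headers read by the
Struts Jakarta multipart parser (CVE-2017-5638: S2-045 via Content-Type,
S2-046 via a multipart part's Content-Disposition). Added example, not code
from the original post; header mapping, names and sample requests are constructed."""
import re
from typing import Dict, List, Optional

# RFC 7230 "token" characters: what a legitimate media type and its parameters are built from.
TCHAR = r"[A-Za-z0-9!#$%&'*+.^_`|~-]"
# RFC 7231 media-type: type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
MEDIA_TYPE = re.compile(
    rf"^{TCHAR}+/{TCHAR}+(?:\s*;\s*{TCHAR}+=(?:{TCHAR}+|\"[^\"]*\"))*\s*$"
)
# Tokens that occur in OGNL expressions but never in a valid media type or
# Content-Disposition value: %{ } / ${ } expression delimiters, Struts'
# #_memberAccess and #context objects, @class@method static calls and
# (#name = ...) variable assignments.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|#context|@[\w.]+@|\(#\w+\s*=")


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def inspect_request(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a request looks like an S2-045/S2-046 attempt
    (empty list means clean). `headers` holds the request headers plus, for
    multipart bodies, the headers of each part, flattened into one mapping."""
    reasons = []
    ctype = header(headers, "Content-Type")
    if ctype is not None:
        if not MEDIA_TYPE.match(ctype):
            reasons.append("content-type: not a valid media type")
        if OGNL_MARKERS.search(ctype):
            reasons.append("content-type: OGNL marker")
    cdisp = header(headers, "Content-Disposition")
    if cdisp is not None and OGNL_MARKERS.search(cdisp):
        reasons.append("content-disposition: OGNL marker")
    return reasons


def scan(requests):
    """(request id, reasons) for every request that is not clean."""
    flagged = []
    for req in requests:
        reasons = inspect_request(req["headers"])
        if reasons:
            flagged.append((req["id"], reasons))
    return flagged


# Constructed sample traffic. Request 3 has the shape of a public S2-045 probe
# (an OGNL expression where a media type belongs) with a harmless placeholder
# assignment instead of a payload; request 4 is a well-formed multipart upload
# whose part filename carries an expression, the S2-046 shape.
SAMPLE_REQUESTS = [
    {"id": 1, "headers": {"Content-Type": "multipart/form-data; boundary=----b7a2c9",
                          "Content-Disposition": 'form-data; name="file"; filename="q2.pdf"'}},
    {"id": 2, "headers": {"Content-Type": "application/json; charset=utf-8"}},
    {"id": 3, "headers": {"Content-Type": "%{(#_='multipart/form-data').(#probe='s2-045')}"}},
    {"id": 4, "headers": {"Content-Type": "multipart/form-data; boundary=----b7a2c9",
                          "Content-Disposition": 'form-data; name="file"; filename="%{#probe}"'}},
]

if __name__ == "__main__":
    for req_id, reasons in scan(SAMPLE_REQUESTS):
        print(f"request {req_id}: {', '.join(reasons)}")
```

The grammar check is the more durable of the two: a signature for `%{` can be evaded by reshaping the expression, but no reshaping makes an OGNL expression a valid `type/subtype` string. The marker check covers the S2-046 variant, where the Content-Type is perfectly well formed and the expression hides in a part header. Neither replaces the fix itself, which is upgrading to a Struts release that no longer evaluates these headers.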
 
Patching known vulnerabilities in a timely manner matters because criminals move quickly: newly published vulnerabilities are routinely weaponized and used in attacks within days of disclosure, and the window is shortest for flaws that come with public proof-of-concept code. The question a security team has to be able to answer at any moment is therefore not "are we patched?" but "for each fix a vendor has shipped, which of our systems still lack it, and for how long has that been true?"
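The check that the "What is a Patch" section and the paragraph above both call for, written out as an added example that is not code from the original post: given an inventory of installed software and a list of vendor advisories, report every asset that still lacks an available fix and how many days the fix has been available. The advisory facts are public (Struts advisory S2-045 for CVE-2017-5638 shipped fixes in 2.3.32 and 2.5.10.1 on 2017-03-06; Microsoft bulletin MS17-010 was published 2017-03-14, with KB4012212 and KB4012215 as its Windows 7 SP1 packages). The host names, installed versions, the as-of date and all function and class names are constructed. It generalizes beyond the two incidents on the page in one respect: version-based products are handled per release branch, so a 2.5.x install is compared against the 2.5 fix rather than the 2.3 one, and a branch with no listed fix is reported as exposed rather than silently passed.

```python
"""Patch-lag report over a constructed software inventory.

Added example, not code from the original post. Advisory dates, fixed versions
and KB numbers are public facts; host names, installed versions, the as-of
date and all identifiers below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    published: date                          # date the vendor made the fix available
    fixed_versions: Tuple[str, ...] = ()     # first fixed version on each release branch
    kb_ids: Tuple[str, ...] = ()             # update packages that carry the fix (Windows)


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: Optional[str] = None
    installed_updates: FrozenSet[str] = frozenset()


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare lexicographically, so
    (2, 5, 10) < (2, 5, 10, 1) as required."""
    return tuple(int(p) for p in v.split("."))


def version_patched(installed: str, fixed_versions: Tuple[str, ...]) -> bool:
    """True only if the installed build sits on a branch that received a fix
    and is at or beyond the fixed version on that branch. A branch with no
    fixed version listed is treated as exposed, the safe default."""
    inst = parse_version(installed)
    for fv in fixed_versions:
        fixed = parse_version(fv)
        if inst[:2] == fixed[:2]:            # same major.minor branch
            return inst >= fixed
    return False


def is_patched(asset: Asset, adv: Advisory) -> bool:
    if adv.kb_ids:                            # Windows: any one of the packages carries the fix
        return any(kb in asset.installed_updates for kb in adv.kb_ids)
    return asset.version is not None and version_patched(asset.version, adv.fixed_versions)


def patch_lag_report(assets, advisories, as_of: date) -> List[Tuple[str, str, int]]:
    """(host, advisory id, days the fix has been available but not applied),
    longest exposure first."""
    findings = []
    for adv in advisories:
        for asset in assets:
            if asset.product != adv.product or is_patched(asset, adv):
                continue
            findings.append((asset.host, adv.advisory_id, (as_of - adv.published).days))
    return sorted(findings, key=lambda f: -f[2])


ADVISORIES = [
    Advisory("CVE-2017-5638", "Apache Struts", date(2017, 3, 6),
             fixed_versions=("2.3.32", "2.5.10.1")),
    Advisory("MS17-010", "Windows 7 SP1", date(2017, 3, 14),
             kb_ids=("KB4012212", "KB4012215")),
]

# Constructed inventory: two Struts web servers and two Windows 7 file servers.
ASSETS = [
    Asset("web-01", "Apache Struts", version="2.3.31"),
    Asset("web-02", "Apache Struts", version="2.5.10.1"),
    Asset("fs-01", "Windows 7 SP1", installed_updates=frozenset({"KB4012215"})),
    Asset("fs-02", "Windows 7 SP1", installed_updates=frozenset()),
]


def run_example(as_of: date = date(2017, 5, 12)) -> List[Tuple[str, str, int]]:
    """As-of date chosen to be the day WannaCry appeared."""
    return patch_lag_report(ASSETS, ADVISORIES, as_of)


if __name__ == "__main__":
    for host, adv, lag in run_example():
        print(f"{host:8} {adv:15} fix available for {lag} days, not applied")
```

Run against a real inventory, the two numbers worth tracking from this report are the count of exposed assets and the age of the oldest unapplied fix; an SLA of "critical fixes applied within N days" is only verifiable if something like this is produced continuously rather than after an incident.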

Monitoring and managing vulnerabilities and threats is only effective when done continuously. Identifying security vulnerabilities is an onerous task that usually falls to your company's IT department. We can save you time and money by proactively scanning your infrastructure and networks, helping you prevent a data breach. Connect with us today to learn more and protect your business.
    Author

    Steve E. Driz, I.S.P., ITCP
© 2025 Driz Group Inc. All rights reserved.
Photo from GotCredit