Thought leadership. Threat analysis. Cybersecurity news and alerts.
Wall Street’s Top Regulator Discloses Own Data Breach
The US Securities and Exchange Commission (SEC) – Wall Street’s top regulator – is the latest entity that publicly acknowledged that it was a victim of a cyber attack.
SEC Chairman Jay Clayton, who took office in May of this year, admitted that in August 2017, the Commission learned that a hacking incident detected way back in 2016 “may have provided the basis for illicit gain through trading”.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” said Chairman Clayton. “We must be vigilant. We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
This recent cyber attack disclosure came just two weeks after the massive data breach at credit monitoring company Equifax, affecting 143 million Americans – almost all of the adults in the US, and affecting 100,000 Canadians and 400,000 UK residents.
This recent SEC hacking incident puts the Commission in an uneasy position given that it’s the government body that’s responsible for enforcing securities laws, issuing rules and regulations and ensuring that securities markets are fair, honest and provide protection for investors. The Commission, in particular, has the power to fine private entities for failing to safeguard customer information.
In June 2016, Morgan Stanley Smith Barney LLC paid a $1 million SEC fine over stolen customer data. The Morgan Stanley case originated from the act of then-employee who accessed and transferred the data of nearly 730,000 accounts to his personal server, which was then eventually hacked by third parties.
The Commission found Morgan Stanley violated Regulation S-P, a regulation that requires registered investment companies, broker-dealers and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." Morgan Stanley agreed to settle the charges without denying or admitting the SEC findings.
In September 2015, a St. Louis-based investment adviser firm paid a $75,000 SEC fine for failing to establish the needed cyber security policies and procedures, resulting in a data breach that compromised the personally identifiable information (PII) of nearly 100,000 individuals, including thousands of the clients of the firm. SEC, in its decision, said the firm “failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.”
Patch, Patch, Patch
According to SEC Chairman Clayton, hackers exploited the software vulnerability of the Commission’s corporate filing system known as “EDGAR”, short for electronic data gathering, analysis and retrieval. The software vulnerability was patched after discovery, the SEC Chairman said.
The Commission’s EDGAR system, performs automated collection, validation, indexing, acceptance and forwarding of data submitted by companies and others required to file certain information with the Commission. The system, in particular, receives, stores and transmits nonpublic information, including data which relates to the operations of credit rating agencies, issuers, investment advisers, broker-dealers, clearing agencies, investment companies, municipal advisors, self-regulatory organizations ("SROs") and alternative trading systems ("ATSs").
What is a Patch
A patch is a piece of code that’s added into a software program to fix a defect also known as software bug, including a security vulnerability. Patches are created and released by software creators after defects or security vulnerabilities are discovered. If a patch isn’t applied in a timely manner or if a software creator no longer offers a patch, cyber criminals can exploit a known vulnerability.
The Common Vulnerabilities and Exposures (CVE), an international industry standard, lists and assigns names to all known cyber security vulnerabilities. The United States Computer Emergency Readiness Team (US-CERT) provides an up-to-date list of known vulnerabilities and patches.
“Federal agencies consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available,” Gregory Wilshusen, Director for Information Security Issues, said in a written statement before the Subcommittee on Research and Technology, Committee on Science, Space, and Technology, House of Representatives in February 2017. “We also consistently identify instances where agencies use software that is no longer supported by their vendors. These shortcomings often place agency systems and information at significant risk of compromise, since many successful cyberattacks exploit known vulnerabilities associated with software products. Using vendor-supported and patched software will help to reduce this risk.”
The 2 major cyber attacks in 2017 – WannaCry and Equifax data breach – exploited known vulnerabilities in computers that were unpatched.
WannaCry ransomware, which affected thousands of computers worldwide in May of this year, exploited the vulnerability in Microsoft Windows. This particular vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Microsoft, for its part, released a patch or security update for this known vulnerability in March 2017 – two months before WannaCry was released into the wild.
For the Equifax data breach, the identified cause was the vulnerability in the Apache Struts in the US online dispute portal web application of Equifax. According to Equifax, the data breach happened from May 13, 2017 to July 30, 2017.
The Apache Software Foundation, a not-for-profit corporation that manages and provides patches for Apache Struts, released 4 patches for 4 known vulnerabilities from March 2017 to July 2017.
Even as cyber vulnerabilities are made public and patches are released, many organizations still fall victim to cyber attacks for failing to simply apply the available patches. According to the Apache Software Foundation, majority of the breaches that came to its attention are “caused by failure to update software components that are known to be vulnerable for months or even years.”
Days after the patch for CVE-2017-5638 – a critical vulnerability in Apache Struts that allows attackers to take almost complete control of web servers used by banks and government agencies – was made available to the public, security researchers still noticed a spike of attacks exploiting this vulnerability.
Patching known vulnerabilities in a timely manner is important as cyber criminals are quick to make use of newly published cyber security vulnerabilities, using them to launch cyber attacks within days.
Monitoring and managing vulnerabilities and threats is only effective when done regularly. Identifying security vulnerabilities is an onerous task generally assigned to your company's IT department. We can save you time and money by proactively scanning your infrastructure and networks, helping you prevent a data breach. Connect with us today to learn more and protect your business.
Steve E. Driz, I.S.P., ITCP