The SEC is Afraid. Are You? Painful Cyber-Realities and 5 Offensive Measures for the CCO

For several years, we have steered clear of fear- and doubt-based incentives for practicing good IT security. As the Head of the Division of Investment Management noted in a speech yesterday, the unfortunate reality is that there is plenty about which to be concerned. David Grim made comments at the “Investment Company Institute’s 2016 Mutual Funds and Investment Management Conference” which included a discussion of the C-word, “Cybersecurity.” Along with reaffirming the SEC’s commitment to pursue an agenda focused on cybersecurity, Grim reminded us that the SEC, itself, is pushing hard to defend its own turf.

Read on for a discussion of the SEC’s cyber-fears, or go to the bottom for 5 Offensive Countermeasures…

Chair White has acknowledged the critical importance of cybersecurity on a number of occasions, and has taken steps to ensure that the Commission’s cybersecurity protocols are as robust as possible. For example, to help the Commission continue its efforts to strengthen its cyber security posture, Chair White has requested funds from Congress to maintain and enhance the Commission’s cyber capabilities. Furthermore, consistent with the federal government’s Information System Continuous Monitoring methodology, the Commission remains focused on enhancing awareness of its information security status, including its vulnerabilities and the threats it faces. Such awareness is an essential component of any effective cybersecurity regime, as it supports risk-response decisions, and offers insights into the effectiveness of the Commission’s security controls. The Commission is also implementing certain cybersecurity protocols that are consistent with those recommended by the National Institute of Standards and Technology, which develops frameworks for cybersecurity risk mitigation. Finally, the Commission plans to focus on bolstering its ability to respond rapidly and effectively to any unauthorized intrusions that may occur. In sum, I believe the Commission remains focused on cybersecurity, and that it is working diligently to continue to be a responsible steward of the information it collects.[1]

IT Security and the concept of Cybersecurity have, in many ways, breathed new life into the SEC. Here is a whole new front for examination, potential deficiencies and enforcement, and, yes, a raft of documentation which can be tied to the existing rules framework. Beyond the exhilarating new regulatory frontier, the SEC faces substantial risk of its own, which is what David Grim is referring to.

Will the SEC be breached before you are?

This is distinctly possible, as the SEC is swimming in the same pool as all of us, with perhaps a bigger target on its back. In fact, most IT security pros would probably wager that the Commission has already been breached. There is little reason to believe that the Commission has robust controls or information security practices in place. After all, we know the Commission is short on funds and, just like most investment advisers and broker-dealers, is still working out how to allocate more dollars to the IT Security budget. Then there are some of the past indiscretions and foibles at the SEC, such as the 2011 pornography scandal:

AP, March 8, 2011 — DENVER — The U.S. Securities and Exchange Commission has counseled or disciplined 24 employees who accessed pornographic sites on government computers between 2005 and 2010 as the financial system teetered and almost collapsed.

In a letter dated March 3, the SEC responded to a Freedom of Information Act request by Denver attorney Kevin D. Evans listing the offices of the employees. They were in Atlanta, Denver, Boston, Chicago, Los Angeles, Washington, D.C., and Fort Worth, Texas.

The hypocrisy of the SEC playing watchdog in cyberspace will likely be further exposed as there will almost certainly be more public data breaches involving the Commission for several reasons:

  1. The Commission is aggregating critical information about investment advisers and broker-dealers who are tangled in the examination and enforcement process.
  2. In the course of the normal exam process, the SEC is raking in loads of sensitive client information. Don’t forget about the “big data” aggregation of multiple years of Trade Blotter, strategy, and personal email of RIA employees. As if it weren’t bad enough that you have to protect this information, we are also handing it over to an Agency which may not even pass the Vendor Management litmus tests it is promoting.
  3. Just like you, the SEC is attempting to secure a traveling workforce with laptops and mobile devices subject to the same public connection and physical theft concerns that your partners and research analysts face.

Beyond musing about the SEC’s own cyber dilemma, it is important to note that Mr. Grim is essentially referencing the NIST Cybersecurity Framework as a potential remedy (the reference to the National Institute of Standards and Technology in the remarks quoted above). It’s nice to know that the SEC, which has actively promoted the NIST CSF in the two sweep exams and all of its guidance, is going to sit down at the dinner table with RIAs and eat its own cooking.

What’s there to be afraid of?

Just as the SEC and other agencies have been forced into cyberspace, make no mistake about it: there is an absolute vendor gold rush into IT security. SEC officials have been stating publicly that future exams will include IT-competent personnel to validate your controls and information security practices. This suggests to me that you should have IT-competent personnel validating IT security at your firm. Beware of compliance consultants posing as IT experts, and IT experts posing as regulatory experts.

For our part and having been technology security professionals prior to the “cyber-rush,” we have attempted to move past fear-based marketing of IT Security and offer practical solutions and ideas to clients. I think I can safely say that you should be wary of any vendor pumping fear and doubt to sell products and services.

This being said, I lost a night’s sleep this week monitoring internet traffic on two servers. The persistent trawling of internet facing hosts (systems) is absolutely appalling. If you have an internet-facing host, whether it’s a website, a client portal, or just the firewall for your business, you are constantly being probed, pinged, scanned, and tested for vulnerabilities. This is not a revelation or particularly new, but every day the forces of automated darkness are growing.

Quite simply and no matter how lovely your business, you are connected to a cesspool of criminal activity. You are wandering through a bad neighborhood hoping you are not going to get mugged.

If you have never seen your firewall logs or monitored traffic, common ports and services are tested all day and night by bots, port scanners, and port sweepers. When particular vulnerabilities are discovered, like the recent SSL-based “DROWN Attack,” there is a clear spike in criminal activity targeting related paths, such as the common http and https ports. One of the better illustrations of global criminal activity can be found at the “SANS Internet Storm Center” in the form of the Threat Feed Map.[2] Without going too far off the cliff here, if you would like to see how many port scanners are probing your open http ports from mainland China every day, take a look. If you don’t think it is happening, you are just wrong.

Offensive Measures: Fight Back!

Chief Compliance Officers and Chief Information Security Officers need an attitude adjustment. Rather than bemoaning the regulatory initiative, it’s time to put your hands up and get into the fight. If you don’t, and management doesn’t join you, the odds are you are going to lose.

  1. Scan Your Systems. The bad guys are already doing it. While this falls on the more technical side of the issue, you need to know what ports and services are open on your systems. We have written quite a bit about Vulnerability Management and Scanning lately, but you must add this to your agenda. I recently spoke with an external IT Consultant who said they leave certain ports open for “convenience” in connecting to the client. I couldn’t help but think, “how convenient for the overnight hacking community.”
  2. Harden Your Servers and Systems. Don’t leave any ports open unnecessarily. Kill legacy services that may be listening on particular ports. Whitelist users who may be connecting to systems. Deny Root or Administrative logins to systems. Make sure your IT Consultant is monitoring login activity and configuration files for changes. Validate password policies of your administrators and IT consultants. Force two-factor authentication (2FA) for admins or IT consultants accessing your systems remotely. Enforce 2FA wherever feasible and with respect to cloud-based services used by your firm.
  3. Move Quickly. In the future, we will be writing more about effective monitoring and “time to discovery” of breach. We have heard the old saw a million times, “it’s not a matter of if you will be breached, but when.” Our suggestion is that we start talking about rapid identification of anomalous activity. This can be accomplished through active threat monitoring, scanning, and system testing. There is a clear chain between vulnerability discoveries and a massive rush to exploit those who do not move quickly to address them. You need to think about lighting a fire under your IT security people and consultants. Understand clearly the decisive Response steps that will be taken upon discovery of breach. Isolating a system rapidly, for example, may prevent an intruder who has breached your systems from pivoting throughout your network. Of course, this depends on the capability to identify such activity.
  4. Training. Traditional measures like training are talked about quite a bit, but we would also emphasize that training is the key to raising awareness and improving the culture at your firm. We find that Management often needs to understand the very real threats out there and the reputational risk. IT personnel often need training on the specific activities they should be devoting to security. Your IT consultants often need to be informed about the regulatory initiative and what you are up against. Not to mention that it could be a single employee who recognizes and reports anomalous activity, identifying and halting the progression of a breach.
  5. The IT Consultant. As you and your firm are being forced to address IT security issues, you have to push these new security requirements toward your closest vendor, who is often your primary IT Consultant. Has your Consultant hardened their own systems? Has your Consultant scanned their systems? Does your Consultant have a security mindset: do they understand the regulatory initiative and are they proactive about IT security?
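As an added illustration of items 1 and 3 above (knowing what is being probed on your internet-facing hosts and spotting anomalous activity quickly), and not code from the original post: a small Python script that parses constructed firewall log lines in iptables LOG style and flags any source address that touches many distinct ports within a short window, the signature of the port sweeps described earlier. The log format, addresses, window and threshold are all assumptions; real logs and tuning will differ.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in iptables LOG style (not real traffic): 203.0.113.7 walks seven
# ports inside ten seconds, 198.51.100.5 makes two ordinary HTTPS connections.
SAMPLE_LOG = """\
Mar 10 02:14:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Mar 10 02:14:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 10 02:14:02 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 10 02:14:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 10 02:14:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Mar 10 02:14:08 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 10 02:14:09 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 10 02:14:11 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar 10 02:14:30 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")

def parse(log_text, year=2016):
    """Return (timestamp, src, dport) for each line that looks like a firewall hit."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines without SRC/DPT (e.g. unrelated kernel messages) are skipped
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return events

def find_sweeps(events, window_sec=60, min_ports=5):
    """Map each source that touched >= min_ports distinct ports within any
    window_sec span to the largest distinct-port count seen in such a span."""
    by_src = defaultdict(list)
    for ts, src, dport in sorted(events):
        by_src[src].append((ts, dport))
    findings = {}
    for src, hits in by_src.items():
        lo = 0
        for hi in range(len(hits)):  # sliding window over this source's hits
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_sec:
                lo += 1
            ports = {p for _, p in hits[lo:hi + 1]}
            if len(ports) >= min_ports:
                findings[src] = max(findings.get(src, 0), len(ports))
    return findings

if __name__ == "__main__":
    for src, n in find_sweeps(parse(SAMPLE_LOG)).items():
        print(f"possible port sweep from {src}: {n} distinct ports within 60s")
```

Feeding this the output of the firewall's log rather than the sample turns it into the kind of "rapid identification of anomalous activity" item 3 asks for; the per-source finding is what an isolation or blocking decision would be based on.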

Conclusion: Privacy is an Issue

Until you understand that IT Security is a personal issue, it is difficult to be a real advocate. People who have experienced identity theft, of the damaging variety, get this notion. Most people can relate to the unsettling phishing scam sitting in their Inbox, the fraud alert from their credit card vendor, and that feeling of “why is my computer so slow today?” We need to tap into the notion and emotion that threats are real and personal. If you and your personnel understood exactly who is at the gate, you would be more concerned. The internet-facing hosts at your business are being touched every day and night by systems in China, India, Korea, Eastern Europe, and, perhaps most disquieting, our own government organizations and internet spies.

There is good reason for the SEC to be afraid, and, unfortunately, the same is true for the rest of us. Without a well thought-out Vulnerability Management Plan you are simply rolling the dice and playing the odds.

References:

[1] David Grim’s full remarks: https://www.sec.gov/news/speech/david-grim-remarks-to-ici-2016-mutual-funds-and-invest-mgmt-conf.html

[2] SANS Threat Feed Map: https://isc.sans.edu/threatmap.html