5 Notions for Adding Value while Meeting SEC Regulatory Expectations
Vulnerability Management is not the easiest concept to grasp, but, if you are attempting to define it, you are probably ahead of most of your peers in demonstrating IT security and corresponding program maturity. As Lyman Terni pointed out in a recent post, identifying and remediating vulnerabilities in networks and systems is a critical part of your firm’s overall IT Security Program (see: Vulnerability Scanning, the SEC, and You).
In addition to recent mentions of Vulnerability Scanning in the 2015 Cybersecurity Exam Initiative (the sweep, part 2), the NIST Cybersecurity Framework also references vulnerability scanning via the “Detect” function under the “Continuous Monitoring” category as follows:
DE.CM-8: Vulnerability scans are performed.
No one wants to respond to this subcategory in the negative or to say “we do not perform any scanning.” So, under the assumption that the CCO and/or CISO is guiding the firm toward the implementation of vulnerability scanning, the major questions are, “how do we get the most out of this process?” or “what is the value-add side of vulnerability scanning beyond hitting the compliance checkbox?”
We are providing 5 notions which can assist in adding value to your vulnerability scanning process. Make no mistake about it, checking the compliance box is important and it may well help you to demonstrate a level of maturity and continuous monitoring consistent with the role and responsibilities of the CCO to be testing the efficacy of policies and procedures.
- Educate yourself about Vulnerability Scanning. Today’s network and system scanning process is fairly automated, but you need to have a clear idea of your goals and this requires you to be informed. Scanning, in general, is about discovering Common Vulnerabilities and Exploits (CVEs), or potential exploits within systems and networks. Vulnerabilities may exist due to configuration failures or, in many cases, because systems and software services/applications have not been properly patched or updated to be current. For example, simple discovery scans may identify an operating system or application which is no longer supported by the vendor. Security updates and patching may no longer be addressed by the vendor making such services ripe for hacking activity. Hackers are scanning to obtain information about your Company, your IPs, your systems, and the open ports and services running on those systems. By conducting vulnerability scanning, you are attempting to pre-empt hackers and bad actors by identifying network and system vulnerabilities before they do.
- Vulnerability Scanning should be informed. While it is possible to just scan networks and systems indiscriminately, vulnerability scanning should be tied to the process of Risk Assessment. Understanding what scanning is advisable and where the greatest risk lies in the organization can help you create a plan and prioritization for scanning. For example, has the perimeter of your company ever been tested? Have external facing hosts/systems and IPs ever been scanned? Vulnerability scanning can help you make a rapid assessment of what a hacker or bad actor can see of your external footprint, systems and available service from the internet. Similarly, considering some combination of both external and internal vulnerability scanning is also advisable, as not all risks emanate from beyond the perimeter. It is quite possible that you may have the perimeter fairly well-protected via firewalls, intrusion detection and intrusion prevention, but your internal systems are riddled with common vulnerabilities. This can become an issue should your perimeter defenses fail – “The Shields are Down!” – or your company is breached internally. You also may wish to assess who the highest-risk users at your firm are: those who are involved in financial processes like wiring of funds; or employees handling personal identifiable information or intellectual property. Perhaps their systems should be put at the head of the vulnerability scanning line. While there are pluses and minuses to conducting sample scanning of systems, there are times when this process can reveal helpful information about global vulnerabilities, or CVEs which may exist across systems. Consider vulnerability scanning in light of your periodic risk assessment process.
- Selecting your Vulnerability Scanning Vendor. Similar to choosing a firm to assist with security assessment in general, you want to make sure that your vendor is both technically competent and has an understanding or regulatory requirements and expectations. There are a lot of firms conducting automated scanning for PCI DSS scanning who may have no concept of the SEC or FINRA agenda. Does your vendor work with financial services firms? Although, in our experience, the answer is always “yes” to this question along with a somewhat-robotic “we understand the SEC’s agenda.” Is your vendor going beyond the process of automated scanning, perhaps using multiple tools, and working with you to consider assisting the CCO with validating the efficacy of your IT security program? In addition to advising you on a common sense and considered approach to vulnerability scanning, will your vendor work with you to provide meaningful reporting, which is relevant to your firm as an RIA or broker-dealer? Most reporting is provided with reference to the Common Vulnerability Scoring System (CVSS), which is the standard for assessing the severity of computer system security vulnerabilities. If your vendor is not working with such accepted standards what is their approach, methodology, and toolset? Keep in mind that vulnerability scanning is supposed to be an ongoing process, as suggested in the NIST CSF subcategory, so your early testing is about creating a benchmark. Make sure you are comfortable with your vendor, who will hopefully have an open and collaborative approach to guide you in a reasonable vulnerability scanning plan.
- Lock the windows and doors prior to vulnerability scanning. What we mean by this is that most scanning will produce some tangible results. If not, your scanning may be serving as validation of your strong practices. Your IT personnel and the Information Security Committee should already be addressing firm security controls and information practices. You want to make your scanning and penetration testing vendors, if applicable, work for their results. Conducting an information security assessment, making sure that a base level of patching, anti-virus definition updating, and system controls are in place, would just be common sense. Don’t wait for scanning results to be addressing network and system security vulnerabilities.
- Beyond initial scanning. Once your benchmark results are in place, make sure you have considered your long-term vulnerability scanning goals. We have already mentioned that ongoing monitoring is a clear regulatory expectation, and the CCO will understand this from the standpoint of obtaining validation of system controls, patching, and updating. Do you need to conduct Penetration Testing? First, understand that pentesting involves the attempt to exploit a discovered vulnerability to access networks and systems and could perhaps damage/disable resources. Many firms are not comfortable with the notion of penetration testing on systems that are critical to their day-to-day operations, and we understand this. Putting in place a program which regularly identifies and mitigates vulnerabilities should, in theory, protect your systems, and this may be acceptable from a regulatory standpoint. Penetration testing, similar to vulnerability scanning, will be most meaningful after you have identified and closed CVE’s. Oftentimes, vulnerability scanning and penetration testing are marketed hand-in-hand. We recommend taking the same considered and informed approach to pentesting which goes with the initial steps of vulnerability scanning.
Hackers have the advantage of being able to take their time, to probe for weaknesses over a prolonged period of many weeks, months, or even years. This being understood, you should also be aware of the limitations of a vulnerability scan. A scan will attempt, in a very brief period of time, to identify and provide mitigation steps for known vulnerabilities. It is not a perfect process, but designed to create a benchmark, enhance security over time by addressing known CVEs, and maintain a reasonable level of network and system security. The process, in itself, demonstrates a certain level of IT maturity which should improve security at your firm and help satisfy the growing list of regulatory expectations for financial services firms.
Please contact us for further information on system scanning and security.
Vulnerability Scanning, the SEC and You
NIST Framework for Improving Critical Infrastructure Cybersecurity (the CSF)
NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment