Friday, September 22, 2017
The story, initially reported by Wall Street Journal reporter Dave Michaels, rapidly spread across news channels, igniting fierce commentary among security analysts, who questioned why the SEC failed to patch a known vulnerability in its Edgar filing system. This latest criminal intrusion doesn't impinge on the payments chain in the same manner that the recent, massive Equifax breach has potential to do, but the questions it raises illuminate the need to implement significantly improved data security practices and technology across the board, some experts noted.
"While we await greater detail about what layer and component of the application stack was exploited, it furthers the point that strengthening application security is critical. In this case, a vulnerable piece of software was used to exfiltrate sensitive and ephemerally private information," said Kunal Anand, Chief Technology Officer and co-founder at Prevoty. "On the heels of the now historical Equifax breach, two burning questions are top of mind: 1) was the vulnerable software component previously known and did Edgar fail to patch it? and 2) why wasn't this information encrypted, or was it encrypted and did attackers compromise sensitive keys?"
Brad Keller, Senior Director 3rd Party Strategy at Prevalent Inc., called the Edgar breach a classic case of criminals targeting a system used by numerous companies. "It's a simple business proposition – why expand resources to hack into one company's data base when, through the relatively same level of effort, you can gain access to dozens (or in the case of Edgar tens of thousands) of corporate financial records," he stated. "While the SEC is not a vendor in the classic sense, the analogy to why criminals target vendors for the higher 'return on hack', is very clear."
Jeff Hill, Prevalent Director of Product Management, said the SEC hack took a page from an exploit reported in August 2015, involving an international hacking group that intercepted a corporate wire service and made millions off insider trades.
"The Edgar episode is also tantalizing efficient for bad actors: penetrate once, compromise many," Hill noted. "Rather than hacking multiple public companies to illicitly gather valuable insider information, the Edgar perpetrators could parlay a single breach into a potential monetizable data bonanza."
Gabriel Gumbs, Vice President of Product Strategy at Stealthbits Technologies, said the hackers gained access to Business Wire, PR Newswire and Marketwired, and used the wire services to trade ahead of more than 800 financial releases, which resulted in more than $30 million in fraudulent stock market transactions. "Other financially motivated hackers were clearly paying attention, as the SEC hack targeted the same type of information," he added. "Protecting information that will be made public but has to remain private for some period of time is very difficult to govern."
Gumbs urged publicly traded companies to implement private data governance programs with dynamic access rights to protect classified information prior to public disclosure. "This is not an area most organizations have shown competence in, and for any publicly traded company it is an area that they must be proficient in, but until then, expect this will not be the last such insider trading hack," he added.
Clayton implemented a five-point security assessment in May 2017, intended to identify and patch vulnerabilities in the SEC's data collection, risk management, supervision of regulated entities, coordination with other regulators and pursuit and enforcement of cyber threat actors that seek to harm investors and markets. Forensic analysts have yet to determine whether the internal assessment or criminal behavior alerted the SEC to the year-old data breach.
Hill suggested the SEC hack, like the 2015 breach, was exposed by anomalous insider trading behavior rather than traditional security methods, which he called, "a particularly disconcerting reality for the SEC's security professionals, if in fact that's the case."
In an SEC statement about the intrusion, Clayton said, "I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important. Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself. Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery."
Editor's Note:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
