Do you BYOD to a Hacking Conference? What are the risks and remedial costs? Lessons learned at the SEC this month.
The SEC is the United States Securities and Exchange Commission. It regulates the stock market. It’s important that we never see the SEC suffer the kind of breach that occurred in 2010 at Nasdaq OMX, the second largest stock exchange in the US.
So, if you worked for the SEC’s cyber threat division, would you bring computers containing highly sensitive information from stock exchanges to Black Hat? Would you forget to encrypt these computers, against the SEC’s own guidelines for best practices? Well, believe it or not, that’s what recently happened at the SEC.
According to the SEC, no data breach occurred. However, these security lapses by employees in the Trading and Markets Division are laid out in an upcoming report by the SEC’s interim Inspector General, Jon Rymer.
The SEC’s Trading and Markets Division, which has several hundred staffers, is primarily responsible for overseeing the U.S. equity markets, ensuring compliance with rules and writing regulations for exchanges and brokerages. Any breach or data loss in this group could have a massively negative impact on US stock markets.
CDM has been informed that the SEC spent over $200k to hire a third-party firm to conduct a thorough audit and make sure none of the data was compromised after this event. So bring your own device (BYOD) is a growing problem, and taking it to a security or hacking show is probably a big “no-no,” right? One other lesson learned, beyond the cost of a remedial audit, is the lack of encryption on portable devices that roam in and out of corporate walls. Encryption. Encryption. Encryption.
Most importantly, it would have been nice if the SEC had some kind of BYOD-oriented Network Access Control (NAC) solution to alert IT security staff when these devices came and left and to help determine their state of vulnerability.
However, seeing that some of these devices went to Black Hat, one can only wonder whether the IT security staff were the ones who violated policy. Now that would be an even more serious dose of cold water on the SEC’s voluntary security policies. No wonder SEC Chairman Mary Schapiro recently said the SEC is working to convert the voluntary ARP (Automation Review Policies, i.e., their business model, compliance and IT security best practices) guidelines into enforceable rules. However, she claims the reason sparking this decision is not the internal risk but the software error at Knight Capital Group, which nearly bankrupted the brokerage and led to a $440 million trading loss.
Stay tuned as we expect to hear this is not the end of this story. (Sources: CDM, FBI and SEC)