What Companies Can Learn from the SEC Breach

Another day and unfortunately, another high-profile cybersecurity hack is in the news. This time, it happened at the Securities and Exchange Commission (SEC).

On September 20, SEC officials said the agency, which regulates the United States markets and protects investors, had a security breach in 2016 that affected the electronic storing system which houses public-company filings. The hackers who accessed the SEC records may have conducted stock market trades on the stolen information, officials said.  

From WannaCry to Petya and Equifax and now the SEC, it seems like breaches are becoming commonplace and that cybersecurity is top of mind for everyone. With the trend referenced on social media channels as the #cyberattacksurge, we must ask what financial companies can do to better protect themselves against, and prepare for, a potential cyberattack.

How Did This Breach Occur?

The data storage system that the SEC named “Edgar” (Electronic Data Gathering, Analysis and Retrieval System) is an online tool that investors use to view companies’ earnings and disclosures. Companies can also purchase the feeds produced by Edgar and resell them to online traders.

The SEC revealed that the hackers found a vulnerability in the Edgar system through a data transmitting form. Few details were provided, except that the hack was detected in 2016 but evidence of illicit trading using the stolen information wasn’t discovered until August 2017.  An FBI investigation is underway and the SEC is cooperating with authorities.

Steve Groom, Director of Cyber Defense Services at Proficio, said the problem the SEC is facing is that the agency’s web application was compromised by either an SQL Injection or Cross Site Scripting. The real issue is more centered around web application scanning, code review and penetration testing.

Today’s web applications have moved from an agile development cycle to daily sprints, where they are making changes hour by hour or even day by day, Groom stated.

How to Build an Effective Cybersecurity Action Plan

Bryan Borra, SOC and SIEM Director at Proficio, said having an action plan in place to manage applications and services that are exposed to the internet is a critical piece to helping prevent an attack that is sourced against public-facing web applications.

“This breach occurred due to a vulnerability in a web application,” Borra said. “Web applications exposed to the internet are most vulnerable to attacks because a group of individuals from the outside can access them.”

Deploying an externally facing firewall change policy and relevant SIEM correlation use cases can help safeguard your network from attacks like those that broke into the SEC systems, Borra said.

Deploying an Externally Facing Firewall Change Policy

Not all firewall changes are equal in risk and some of the riskiest changes are what you allow inbound to your network, Borra cautioned. Some enterprises have deployed special procedures that treat firewall changes that open a port or system to the outside differently than other firewall changes.

For example, if a web server is stood up and the system owner requests the system be accessible to the internet, a request will be forwarded to the information security team to approve the change. The information security team will then assess the change and approve or disapprove based on criteria documented in the policy, Borra said.

Common evaluation criteria in this policy could be:

  1. The information security team performs a vulnerability scan against the system and has the system owner remediate all vulnerabilities that are rated “critical” or “serious” or above a certain priority level before the system can be placed on the internet.
  2. Assess “least privilege” and attempt to limit the ports and subnets within the change to only what is needed.
  3. Place the system in a specific zone such as a DMZ based on its function.
  4. Make sure that no applications, services, or plugins hosted on the system are among those that the information security team has banned due to their security risk profile (ex: WordPress, Joomla, ColdFusion, etc.).

Deploying Relevant SIEM Correlation Use Cases

Vulnerability scan data is often ingested into the SIEM and can provide value in this situation. For example, if the change approval process feeds security operations the systems that have been approved to be open to the outside, you can load this information into your SIEM and maintain a list of “systems open to the outside,” Borra said.

With this list, you can correlate each system against incoming vulnerability scan data. If incoming scan data shows that a listed system has a new critical, serious, or high priority vulnerability, you can forward the case to security operations to assess blocking external access to the system until the vulnerability is remediated.

Small to medium sized enterprises may have difficulty implementing the correlation use case described above because they often don’t have a structured list of systems or applications exposed externally through the firewall. They may also not have deployed any type of externally facing firewall change policy and may have no simple, straightforward answer as to whether anything currently being accessed from the outside has a critical vulnerability.

If you ingest vulnerability data into your SIEM and have threat intelligence feeds around blacklisted IP addresses, you can build a use case that is somewhat effective at discovering interesting services that have vulnerabilities that are accessible externally.

First, set up a correlation rule to model systems that have services with critical, serious, or high priority vulnerabilities (ex: webserver01 has critical web vulnerability).

Next, build correlation rules that correlate those systems and services with firewall events in which blacklisted IP addresses are allowed through (ex: blacklisted IP was permitted through the firewall accessing webserver01 over http).

What you get are firewall rules that are allowing blacklisted IP addresses to access a service with a critical vulnerability.

This is a useful initial correlation use case when assessing what is critical and open to the internet.
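The two correlation rules described above, together with the list-based check from earlier in this section, as an added Python example (not from the article or any SIEM product). The scan records, blacklist, key=value firewall log format and all names are constructed for illustration, and it assumes the firewall logs the same destination address the scanner reports.

```python
import ipaddress
import re

SEVERE = {"critical", "serious", "high"}
# Constructed sample data (not from the article or any real environment).
SCAN_FINDINGS = [
    {"host": "webserver01", "ip": "10.0.1.10", "port": 80, "severity": "critical"},
    {"host": "webserver01", "ip": "10.0.1.10", "port": 22, "severity": "low"},
    {"host": "mail01", "ip": "10.0.1.20", "port": 25, "severity": "high"},
]
BLACKLIST = ["203.0.113.0/24", "198.51.100.7/32"]  # threat-intel feed entries
EXPOSED = {"webserver01"}  # "systems open to the outside" from change approval
FIREWALL_LOG = """\
2017-09-21T10:00:01Z action=permit src=203.0.113.45 dst=10.0.1.10 dport=80
2017-09-21T10:00:02Z action=deny src=203.0.113.45 dst=10.0.1.20 dport=25
2017-09-21T10:00:03Z action=permit src=192.0.2.10 dst=10.0.1.10 dport=80
2017-09-21T10:00:04Z action=permit src=198.51.100.7 dst=10.0.1.10 dport=22
2017-09-21T10:00:05Z action=permit src=198.51.100.7 dst=10.0.1.20 dport=25
"""
LINE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def vulnerable_services(findings):
    """Rule 1: model (ip, port) services with a critical/serious/high finding."""
    return {(f["ip"], f["port"]): f for f in findings if f["severity"] in SEVERE}

def exposed_with_severe_vulns(findings, exposed_hosts):
    """List-based use case: approved external systems with a severe finding."""
    return sorted({f["host"] for f in findings
                   if f["host"] in exposed_hosts and f["severity"] in SEVERE})

def blacklisted_access(findings, firewall_log, blacklist):
    """Rule 2: permitted flows from blacklisted sources to a vulnerable service."""
    services = vulnerable_services(findings)
    nets = [ipaddress.ip_network(n) for n in blacklist]
    alerts = []
    for line in firewall_log.splitlines():
        m = LINE.search(line)
        if not m or m.group(1) != "permit":
            continue  # skip unparseable lines and denied traffic
        src, key = ipaddress.ip_address(m.group(2)), (m.group(3), int(m.group(4)))
        if key in services and any(src in n for n in nets):
            f = services[key]
            alerts.append((str(src), f["host"], key[1], f["severity"]))
    return alerts

if __name__ == "__main__":
    print(exposed_with_severe_vulns(SCAN_FINDINGS, EXPOSED))
    for alert in blacklisted_access(SCAN_FINDINGS, FIREWALL_LOG, BLACKLIST):
        print(alert)
```

In the sample data, mail01 is absent from the approved list yet still produces an alert, which is the gap the second use case is meant to surface when no structured inventory of exposed systems exists.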

What Companies Need to Know

The SEC hack is just another warning to companies, particularly those in the finance sector, that they must ensure that their environments are properly secured and compliant and that they have strategic plans in place for how to respond if a breach does occur.

They are going to be a constant target for hackers because of the confidential and sensitive information they possess, which hackers can unfortunately use for financial gain if they get their hands on it.

“This breach highlights the need for high-profile agencies and organizations like the SEC to put in place a more practical process or system to monitor critical assets not only at the perimeter but on the systems themselves to monitor for (IOCs) Indicators of Compromise,” said Dana Hawkins, Director of Security Services at Proficio. “Monitoring is only a part of the solution, you must also put in place trained SOC/NOC personnel capable of quickly identifying problems and an Incident Response Team that has the authority to act when a compromise is found.”

Government bodies like the SEC are particularly vulnerable to fast-moving cyber threats, according to Hawkins, who previously worked as an IT security contractor for the federal government.

“It’s time for government agencies around the country to come out of the dark ages and understand the changing cyber threat landscape,” Hawkins said. “Response to threats needs to be more agile and effective or breaches like this will be a common occurrence.”