Insights

CYBERSECURITY RISK ALERT: GOOGLE CHROME VULNERABILITY

March 8, 2019

Recently, Google identified a zero-day vulnerability affecting Chrome internet browsers. The vulnerability is a memory management error which could allow a remote attacker to read the contents of files stored on a user’s computer. Google addressed the vulnerability in Chrome version 72.0.3626.121.

Check if your Chrome browser is up-to-date:

  • Click this icon in the upper right corner of your browser;
  • Go to ‘Help’;
  • Go to ‘About Google Chrome’;
  • Ensure that your browser displays version 72.0.3626.121

If your browser is not up-to-date, update it immediately.

For additional information, please visit: https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
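For teams checking many machines rather than one browser window, the same check can be run over collected version reports. The following is an added example, not part of the original alert; the host names and the sample inventory are constructed, and the report strings are assumed to look like the output of `google-chrome --version`. It compares versions numerically, because comparing them as plain text would rank 72.0.3626.99 above 72.0.3626.121.

```python
import re

# Fixed Chrome release named in the alert above.
FIXED = (72, 0, 3626, 121)

# Matches a four-part dotted version anywhere in a string such as
# "Google Chrome 72.0.3626.119" (assumed report format).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def audit(inventory, fixed=FIXED):
    """Split {host: version report} into patched, outdated and unknown hosts."""
    result = {"patched": [], "outdated": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        version = parse_version(reported)
        if version is None:
            # No usable version string: needs a manual check.
            result["unknown"].append(host)
        elif version >= fixed:
            # Tuple comparison is numeric, field by field.
            result["patched"].append(host)
        else:
            result["outdated"].append(host)
    return result


# Constructed sample inventory (hypothetical host names and reports).
SAMPLE = {
    "ws-01": "Google Chrome 72.0.3626.121",
    "ws-02": "Google Chrome 72.0.3626.99",  # older than .121 numerically
    "ws-03": "Google Chrome 73.0.3683.75",
    "ws-04": "Google Chrome 71.0.3578.98",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts listed as unknown returned no parseable version and should be checked by hand through the 'About Google Chrome' page.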

CYBERSECURITY RISK ALERT: Cisco Webex Alert

February 28, 2019

Cisco has identified a vulnerability in its Webex Meetings Desktop App and Webex Productivity Tools. By invoking the update service command with a crafted argument, an authenticated, local attacker could run arbitrary commands with SYSTEM level user privileges. The vulnerability may also be exploited remotely in Active Directory deployments by leveraging operating system remote management tools.

Cisco has released the following software updates to remediate the vulnerability:

  • Cisco Webex Meetings Desktop App Release 33.6.6 and 33.9.1; and
  • Cisco Webex Productivity Tools Release 33.0.7

For additional information, please visit: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj?emailclick=CNSemail

CYBERSECURITY NEWS ALERT: CFTC’s First Ever Examination Priorities

February 26, 2019

On February 12, 2019, the Commodity Futures Trading Commission (“CFTC”) released its first ever examination priorities for registrants of the Division of Market Oversight (“DMO”), Division of Swap Dealer & Intermediary Oversight (“DSIO”), and Division of Clearing & Risk (“DCR”). A notable inclusion in the examination priorities is service provider oversight. In the release, the CFTC also mentions its practice of conducting System Safeguard Exams to assess the risk assessment and cybersecurity testing programs of covered entities. The focus on self-governance, oversight, and sound cybersecurity practices aligns the CFTC’s examination approach with that of the Securities and Exchange Commission.

For additional information, please visit: https://www.cftc.gov/PressRoom/PressReleases/7869-19

CYBERSECURITY RISK ALERT: Microsoft Internet Explorer Vulnerability

February 13, 2019

Microsoft has recently identified a vulnerability (CVE-2019-0676) within Internet Explorer (“IE”). When IE improperly handles objects in memory, it is possible for an attacker to test for the presence of files on disk. Attackers can exploit this vulnerability by sending the user a link leading to a malicious website, and coercing them to follow the link. This vulnerability affects versions 10 or 11 of IE.

Microsoft has addressed this vulnerability with various patches as of Tuesday 2/12/2019.

For additional information, please visit: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0676#ID0EN

Cybersecurity News Alert: SEC Infiltration EDGAR System Hack

January 16, 2019

On Tuesday, January 15th, the U.S. Securities and Exchange Commission (the “SEC”) announced that it charged nine defendants in an alleged hack of the SEC’s EDGAR system. The hackers allegedly infiltrated the EDGAR system and extracted nonpublic information to use for illegal trading, ultimately profiting $4,135,015 in the process. The hackers mostly stem from Ukraine and Russia, but two defendants were identified in California. The defendants have been charged with violating federal securities anti-fraud laws as well as SEC anti-fraud rules, and the SEC is seeking penalties, return of profits with prejudgment interest, and an injunction barring the defendants from committing future violations.

For additional information, please visit: https://www.sec.gov/news/press-release/2019-1

Cybersecurity Vulnerability Alert – Microsoft Windows

January 9, 2019

Microsoft has recently identified a vulnerability in its Windows products. The vulnerability could allow a local attacker to elevate privileges on the targeted Windows-based system. A successful attack would require user-level access and would allow the attacker to execute arbitrary code with escalated privileges and compromise the system entirely.

Microsoft has released software updates to address the vulnerability, available here: https://bit.ly/2j3EEiA

For additional information, please visit: https://bit.ly/2AD2Ns6

Cybersecurity Risk Alert – NFA

January 7, 2019

The National Futures Association (“NFA”) recently amended the NFA Compliance Rules 2-9, 2-36, and 2-49: Information Systems Security Programs. The amendments address three areas originally covered in the 2016 Interpretive Notice and go into effect on April 1, 2019. The amendments are as follows:

  • Cybersecurity Training
    • Previously, the NFA required employee cybersecurity training upon hire and periodically during employment. With the amendments, training will be required upon hire, at least annually, and more frequently if necessary (e.g. if the employee is the subject of a data breach or has displayed poor cybersecurity practices).
    • Amendments also require Member Firms to describe the topics covered during training in their information security policies.
  • Information Systems Security Program (“ISSP”) Approval
    • The NFA has determined that ISSP approval by an “executive level official” of a Member Firm is not uniformly understood. The language has been amended to require ISSP approval by the Member Firm’s “senior level officer with primary responsibility for information security or other senior official who is a listed principal and has the authority to supervise the Member’s execution of its ISSP.”
  • Notice Requirement
    • Currently, Member Firms are not required to notify the NFA of cybersecurity incidents. The amendments will now require Member Firms to notify the NFA of a cybersecurity incident if the incident results in either of the following:
      • A loss of customer or counterparty funds or loss of a Member Firm’s capital; or
      • Notification of an incident is reported to customers or counterparties pursuant to state or federal law.

For additional information, please visit: https://www.nfa.futures.org/news/newsNotice.asp?ArticleID=5085

Cybersecurity Vulnerability Alert – Cisco

December 27, 2018

NOTE: This vulnerability affects Cisco ASA Software that is running on any Cisco product that has web management access enabled.

On December 19th, Cisco identified a vulnerability in the authorization subsystem of ASA Software on Cisco products. This vulnerability would allow an authenticated, but unprivileged, remote attacker to perform privileged actions by using the web management interface, if enabled. The result of an attack could be unauthorized retrieval of files from the affected device. Cisco has released software to address the vulnerability. An effective workaround is enabling command authorization in Cisco ASA.

For additional information, please visit: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181219-asa-privesc

Cybersecurity News Alert – Microsoft

December 21, 2018

On Wednesday December 19th, Microsoft released a critical security update for Internet Explorer after receiving a report about a new vulnerability being used in targeted attacks. The browser’s vulnerability could allow an attacker to gain the same user rights as the current user. If that user has administrative rights, the attacker could then take control of an affected system and install programs, change or delete data, or create new accounts. Microsoft’s security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

According to Microsoft, users who have Windows Update enabled and have applied the latest security updates are protected automatically. We encourage you to check with your IT Provider or IT Department to ensure patches are applied.

For additional information, please visit: https://bit.ly/2BtfNjE

Cybersecurity News Alert – U.S. Securities and Exchange Commission (the “SEC”)

December 20, 2018

On Thursday, December 20th, the U.S. Securities and Exchange Commission (the “SEC”) released the examination priorities for 2019. The SEC has shifted its examination priorities from years past in an effort to adapt to emerging risks, but cybersecurity remains a top priority for the SEC. The SEC will be focusing on the following key areas with respect to cybersecurity:

  • Proper configuration of network storage devices
  • Information security governance
  • Policies and procedures related to retail trading information security
  • Cybersecurity practices at firms with multiple branch offices
  • Governance and risk assessment
  • Access rights and controls
  • Data loss prevention
  • Vendor management
  • Cybersecurity training
  • Incident response planning

For additional information, please visit:

https://www.sec.gov/news/press-release/2018-299

-or-

https://www.sec.gov/files/OCIE%202019%20Priorities.pdf