
Cybersecurity Vulnerability Alert – Microsoft Windows

January 9, 2019

Microsoft has recently identified a vulnerability in its Windows products. The vulnerability could allow a local attacker to elevate privileges on the targeted Windows-based system. A successful attack would require user-level access and would allow the attacker to execute arbitrary code with escalated privileges and compromise the system entirely.

Microsoft has released software updates to address the vulnerability available here: https://bit.ly/2j3EEiA

For additional information, please visit: https://bit.ly/2AD2Ns6

Cybersecurity Risk Alert – NFA

January 7, 2019

The National Futures Association (“NFA”) recently amended the NFA Compliance Rules 2-9, 2-36, and 2-49: Information Systems Security Programs. The amendments address three areas originally covered in the 2016 Interpretive Notice and go into effect on April 1, 2019. The amendments are as follows:

  • Cybersecurity Training
    • Previously, the NFA required employee cybersecurity training upon hire and periodically during employment. With the amendments, training will be required upon hire, at least annually, and more frequently if necessary (e.g. if the employee is the subject of a data breach or has displayed poor cybersecurity practices).
    • Amendments also require Member Firms to describe the topics covered during training in their information security policies.
  • Information Systems Security Program (“ISSP”) Approval
    • The NFA has determined that ISSP approval by an “executive level official” of a Member Firm is not uniformly understood. The language has been amended to require ISSP approval by the Member Firm’s “senior level officer with primary responsibility for information security or other senior official who is a listed principal and has the authority to supervise the Member’s execution of its ISSP.”
  • Notice Requirement
    • Currently, Member Firms are not required to notify the NFA of cybersecurity incidents. The amendments will now require Member Firms to notify the NFA of a cybersecurity incident if the incident results in either of the following:
      • A loss of customer or counterparty funds or loss of a Member Firm’s capital; or
      • Notification of an incident is reported to customers or counterparties pursuant to state or federal law.

For additional information, please visit: https://www.nfa.futures.org/news/newsNotice.asp?ArticleID=5085

Cybersecurity Vulnerability Alert – Cisco

December 27, 2018

NOTE: This vulnerability affects Cisco ASA Software that is running on any Cisco product that has web management access enabled.

On December 19th, Cisco identified a vulnerability in the authorization subsystem of ASA Software on Cisco products. This vulnerability would allow an authenticated, but unprivileged, remote attacker to perform privileged actions by using the web management interface, if enabled. The result of an attack could be unauthorized retrieval of files from the affected device. Cisco has released software to address the vulnerability. An effective workaround is enabling command authorization in Cisco ASA.

For additional information, please visit: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181219-asa-privesc

Cybersecurity News Alert – Microsoft

December 21, 2018

On Wednesday, December 19th, Microsoft released a critical security update for Internet Explorer after receiving a report about a new vulnerability being used in targeted attacks. The browser vulnerability could allow an attacker to gain the same user rights as the current user. If that user has administrative rights, the attacker could then take control of an affected system and install programs, change or delete data, or create new accounts. Microsoft’s security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

According to Microsoft, users who have Windows Update enabled and have applied the latest security updates are protected automatically. We encourage you to check with your IT Provider or IT Department to ensure patches are applied.

For additional information, please visit: https://bit.ly/2BtfNjE

Cybersecurity News Alert – U.S. Securities and Exchange Commission (the “SEC”)

December 20, 2018

On Thursday, December 20th, the U.S. Securities and Exchange Commission (the “SEC”) released its examination priorities for 2019. The SEC has shifted its examination priorities from years past in an effort to adapt to emerging risks, but cybersecurity remains a top priority for the SEC. The SEC will be focusing on the following key areas with respect to cybersecurity:

  • Proper configuration of network storage devices
  • Information security governance
  • Policies and procedures related to retail trading information security
  • Cybersecurity practices at firms with multiple branch offices
  • Governance and risk assessment
  • Access rights and controls
  • Data loss prevention
  • Vendor management
  • Cybersecurity training
  • Incident response planning

For additional information, please visit:

https://www.sec.gov/news/press-release/2018-299

-or-

https://www.sec.gov/files/OCIE%202019%20Priorities.pdf

Cybersecurity News Alert – FINRA (December 2018)

December 20, 2018

On December 20th, the Financial Industry Regulatory Authority (“FINRA”) released a report detailing the effective cybersecurity practices and common risks observed during recent examinations. The report focused on the following key areas:

  1. Branch Controls
  2. Phishing Attacks
  3. Insider Threats
  4. Penetration Testing
  5. Mobile Device Security

Branch Controls: Maintaining rigorous cybersecurity controls is a firm’s best defense against attacks and human error. Establishing policies, controls, and an overall cybersecurity program promotes firm-wide cybersecurity awareness and fosters a “security first” environment. In this section FINRA reviews:

  • Policies and Procedures (Information Security Policy, Incident Response Plan, etc.)
  • Asset Inventory
  • Third-Party Risk Management
  • Technical Controls (Encryption, Strong Passwords, etc.)
  • Patch Maintenance

Phishing Attacks: Phishing is one of the most common threats to firms. This section details specific types of phishing (“spear phishing” and “whaling”) as well as controls that FINRA recommends firms implement in order to combat phishing attacks. In this section FINRA reviews:

  • Email and Browser Protection
  • Network Security
  • Risk Assessments
  • Endpoint Malware Protection

Insider Threats: Insider threats remain a major cybersecurity concern for firms. Bad actors who had, or may still have, authorized access to the firm’s network represent a very present and capable threat to the firm’s network security. Among other methods detailed by FINRA, regularly reviewing access rights is imperative to combating insider threats. In this section FINRA reviews:

  • Identity and Access Management (Access Rights and Controls)
  • Secure System Configuration
  • Data Protection (Encryption, Backup Retention, etc.)
  • Security Awareness Training
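As an added illustration of the access-rights review FINRA calls for above (this is example code, not part of the FINRA report or of this page), the script below joins an HR roster against a list of system accounts and flags the three conditions a periodic review most often catches: accounts whose owner has left the firm, privileged accounts held by someone outside the approved administrator list, and accounts that have been dormant past a policy threshold. The roster, account list, 90-day dormancy threshold and "as of" date are all constructed for the example.

```python
"""Periodic access-rights review: join an HR roster against system accounts
and flag entitlements that no longer match a current business need.

Added example, not the FINRA report's or this page's own code; every record
below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

REVIEW_DATE = date(2018, 12, 20)      # constructed "as of" date for the review
DORMANT_AFTER = timedelta(days=90)    # assumed policy threshold for unused accounts


@dataclass
class Account:
    username: str
    employee_id: Optional[str]        # None for service accounts with no named owner
    privileged: bool                  # holds admin / elevated rights
    last_login: Optional[date]        # None if the account has never logged in


# Constructed HR roster: employee id -> name, for staff still employed at the firm
ACTIVE_EMPLOYEES: Dict[str, str] = {"E100": "alice", "E101": "bob", "E103": "dana"}
# Constructed list of people approved to hold privileged rights
APPROVED_ADMINS: Set[str] = {"alice"}

# Constructed account export from a directory or application
ACCOUNTS: List[Account] = [
    Account("alice", "E100", True, REVIEW_DATE - timedelta(days=1)),
    Account("bob", "E101", False, REVIEW_DATE - timedelta(days=2)),
    Account("carol", "E102", False, REVIEW_DATE - timedelta(days=200)),  # E102 has left
    Account("dana", "E103", True, REVIEW_DATE - timedelta(days=120)),    # unapproved admin
    Account("svc_backup", None, True, None),                              # ownerless service account
]


def review_access(accounts: Iterable[Account],
                  active_employees: Dict[str, str],
                  approved_admins: Set[str],
                  as_of: date = REVIEW_DATE,
                  dormant_after: timedelta = DORMANT_AFTER) -> Dict[str, List[str]]:
    """Return {username: [finding, ...]} for every account that needs attention.

    Accounts with no findings are omitted, so the result doubles as the review
    worklist handed to the account owners' managers.
    """
    findings: Dict[str, List[str]] = {}

    def flag(acct: Account, message: str) -> None:
        findings.setdefault(acct.username, []).append(message)

    for acct in accounts:
        # 1. Ownership: every account should map to a current employee
        if acct.employee_id is None:
            flag(acct, "no named owner; assign an owner or disable")
        elif acct.employee_id not in active_employees:
            flag(acct, "owner no longer employed; disable account")

        # 2. Privilege: elevated rights only for the approved administrator set
        if acct.privileged and acct.username not in approved_admins:
            flag(acct, "privileged rights not on approved admin list")

        # 3. Dormancy: unused accounts are an unattended way in
        if acct.last_login is None or as_of - acct.last_login > dormant_after:
            flag(acct, f"dormant for more than {dormant_after.days} days")

    return findings


if __name__ == "__main__":
    for user, issues in review_access(ACCOUNTS, ACTIVE_EMPLOYEES, APPROVED_ADMINS).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Run on the constructed data, the review clears alice and bob and produces a worklist for carol (departed owner, dormant), dana (unapproved privilege, dormant) and svc_backup (no owner, unapproved privilege, never logged in). In practice the roster and account export come from the HR system and the directory respectively, and the output is what gets signed off during each review cycle.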

Penetration Testing: Penetration testing and vulnerability scanning are an important part of a firm’s cybersecurity program. Testing and scanning the firm’s network allows the firm to identify specific deficiencies and target areas for improvement. In this section FINRA reviews:

  • Vulnerability Scanning
  • Selecting Security Vendors/Due Diligence

Mobile Device Security: Mobile devices are a part of everyday life and, in many cases, essential to a firm’s business and workflow. However, with increased mobility comes increased risk, as mobile devices are particularly susceptible to threats such as spam, spoofed calls and emails, and viruses. Implementing mobile device security controls and establishing a “security first” approach to mobile device use is essential to mobile device security. In this section FINRA reviews:

  • MDM
  • Remote wipe
  • Password requirements
  • Security software on devices

For additional information, please visit: http://www.finra.org/newsroom/2018/finra-publishes-report-selected-cybersecurity-practices-2018

Cybersecurity Risk Alert – Facebook

September 25, 2018

On Tuesday September 25th, Facebook discovered a security breach affecting approximately 50 million users. Attackers exploited a vulnerability in the “View As” feature of Facebook, which allows users to view their profile from the perspective of another user. As a result of the exploit, the attackers stole Facebook access tokens, which could have allowed them to gain control of the user accounts. Access tokens are digital keys that keep users logged in to Facebook and do not require users to re-enter their password every time they use the application.

At this time, it has not been determined whether any information was accessed or if the affected accounts were compromised in any other way. The breach was reported to law enforcement on Tuesday. The attackers have not yet been identified and the investigation into the incident is still in its early stages.

The vulnerability was remediated Thursday (yesterday) evening. Approximately 50 million accounts have had their access tokens reset, and an additional 40 million accounts have had their access tokens reset as a precautionary step. Today, these 90 million users were prompted to log in again to their Facebook accounts and to any other applications that use Facebook Login. Once logged in, an explanation of the breach will be available to users at the top of their News Feed.
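The remediation step described above, invalidating access tokens so that affected users must log in again, can be illustrated with a small server-side token store. The code below is an added example and is not Facebook's code; it assumes a hypothetical `TokenStore` that keeps only a keyed hash of each token together with a per-user generation counter, so that a "reset" for a user (or a whole list of users) is a single counter bump that orphans every token issued before it. User ids and the HMAC key are constructed for the example.

```python
"""Access-token store with per-user bulk invalidation.

Added example, not Facebook's code. Demonstrates why resetting tokens forces a
re-login: a token is only valid while its stored generation matches the user's
current generation, and a reset bumps that generation.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

# Assumption: a real deployment loads this key from a secret store, not from code.
TOKEN_HASH_KEY = secrets.token_bytes(32)


def _now() -> datetime:
    return datetime.now(timezone.utc)


class TokenStore:
    """Issues, validates and resets the tokens that keep users logged in."""

    def __init__(self, ttl: timedelta = timedelta(days=60)):
        self.ttl = ttl
        # token digest -> (user_id, generation, expiry); the raw token is never stored
        self._tokens: Dict[str, Tuple[str, int, datetime]] = {}
        # user_id -> current generation; a reset increments it
        self._generation: Dict[str, int] = {}

    @staticmethod
    def _digest(raw_token: str) -> str:
        # Keyed hash: a copy of the store alone does not yield usable tokens
        return hmac.new(TOKEN_HASH_KEY, raw_token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh random token for user_id and return it to the client."""
        raw = secrets.token_urlsafe(32)
        generation = self._generation.setdefault(user_id, 0)
        self._tokens[self._digest(raw)] = (user_id, generation, _now() + self.ttl)
        return raw

    def validate(self, raw_token: str) -> Optional[str]:
        """Return the user_id the token belongs to, or None if it is not valid."""
        key = self._digest(raw_token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        user_id, generation, expiry = entry
        if _now() >= expiry or generation != self._generation.get(user_id, 0):
            self._tokens.pop(key, None)   # lazily drop expired or reset tokens
            return None
        return user_id

    def reset_user(self, user_id: str) -> int:
        """Invalidate every live token for one user; returns how many there were."""
        current = self._generation.get(user_id, 0)
        live = sum(1 for uid, gen, _ in self._tokens.values()
                   if uid == user_id and gen == current)
        self._generation[user_id] = current + 1
        return live

    def reset_many(self, user_ids: Iterable[str]) -> int:
        """Reset a whole population (e.g. affected plus precautionary accounts)."""
        return sum(self.reset_user(uid) for uid in user_ids)


if __name__ == "__main__":
    store = TokenStore()
    phone, laptop = store.issue("user-affected"), store.issue("user-affected")
    other = store.issue("user-unaffected")
    print("reset tokens:", store.reset_many(["user-affected"]))       # 2
    print("old token valid:", store.validate(phone) is not None)      # False
    print("other user valid:", store.validate(other))                 # user-unaffected
    print("after re-login:", store.validate(store.issue("user-affected")))
```

Two design points matter here. Because a reset changes only a per-user counter, invalidating tens of millions of accounts costs one write per account rather than a scan of every token, and tokens on every device the user had (phone, laptop, third-party apps using the same login) all fail together, which is exactly the forced re-login the notice describes. Storing a keyed hash instead of the token itself means a leaked copy of the store is not itself a set of working credentials.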

The “View As” feature has been temporarily disabled for security purposes.

For additional information and information on how you can take immediate action to secure your Facebook account, please visit: https://newsroom.fb.com/news/2018/09/security-update/