New Technology and Service Options Do Not Trump Law and Regulations

May 16, 2017

A couple of weeks ago I received a letter from Wells Fargo. After some brokerage account details there were a couple of paragraphs of disclosure about $2.5 M in penalties for failing to effectively protect business-related electronic records.  Wells Fargo has been having a rough time lately.  But this situation is so self-inflicted, and so likely to happen elsewhere as Financial Services organizations’ technology personnel attempt to demonstrate that they can “deliver more for less…”, that I thought it might be worth sharing as a cautionary tale.

The disclosures outlined that the bank’s brokerage and independent wealth management businesses paid $1 million and another $1.5 million in fines & penalties because they failed to keep hundreds of millions of electronic documents in a “write once, read many” format — as required by the regulations under which they do business.

Federal securities laws and Financial Industry Regulatory Authority (FINRA) rules require that electronic storage media hosting certain business-related electronic records “preserve the records exclusively in a non-rewriteable and non-erasable format.” Storage of this type has long been referred to as WORM, or “write once, read many,” technology: it prevents the alteration or destruction of the data it holds. The SEC has stated that these requirements are an essential part of the investor protection function because a firm’s books and records are the “primary means of monitoring compliance with applicable securities laws, including anti-fraud provisions and financial responsibility standards.”  In security terms, the WORM requirement is an integrity control over a specific class of financial records.

Over the past decade the volume of sensitive financial data stored electronically has grown enormously, and increasingly aggressive attempts to break into electronic data repositories threaten inadequately protected records, further emphasizing the need to maintain records in WORM format. At the same time, “productivity” measures in some financial services organizations have resulted in large-scale, internally initiated customer fraud, which is exactly the insider threat to inadequately protected records that tamper-proof storage is meant to address.

My letter resulted from a set of FINRA actions announced late last December that imposed fines against 12 firms for a total of $14.4 million “for significant deficiencies relating to the preservation of broker-dealer and customer records in a format that prevents alteration.” In their December 21st press release FINRA said that they “found that at various times, and in most cases for prolonged periods, the firms failed to maintain electronic records in ‘write once, read many,’ or WORM, format.”

FINRA reported that each of these 12 firms had technology, procedural and supervisory deficiencies that affected millions, and in some cases, hundreds of millions, of records core to the firms’ brokerage businesses, spanning multiple systems and categories of records. FINRA also announced that three of the firms failed to retain certain broker-dealer records the firms were required to keep under applicable record retention rules.

Brad Bennett, FINRA’s Executive Vice President and Chief of Enforcement, said, “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records. Ensuring the integrity of these records is critical to the investor protection function because they are a primary means by which regulators examine for misconduct in the securities industry.”

FINRA reported 99 related “books and records” cases in 2016, which resulted in $22.5 million in fines. That seems like real money…

Failure to effectively protect these types of regulated electronic records may result in reputational (impacting brand & sales) and financial (fines & penalties) harm. Keep that in mind as vendors and hypesters attempt to sell us services that persist regulated data. New technology and service options do not supersede or replace the established law and regulations under which our Financial Services companies operate.

REFERENCES:
“FINRA Fines 12 Firms a Total of $14.4 Million for Failing to Protect Records From Alteration.”
December 21, 2016
http://www.finra.org/newsroom/2016/finra-fines-12-firms-total-144-million-failing-protect-records-alteration

“Annual Eversheds Sutherland Analysis of FINRA Cases Shows Record-Breaking 2016.”
February 28, 2017
https://us.eversheds-sutherland.com/NewsCommentary/Press-Releases/197511/Annual-Eversheds-Sutherland-Analysis-of-FINRA-Cases-Shows-Record-Breaking-2016

“Is Compliance in FINRA’s Crosshairs?”
http://www.napa-net.org/news/technical-competence/regulatory-agencies/is-compliance-in-finras-crosshairs/

SEC Rule 17a-4 & 17a-3 of the Securities Exchange Act of 1934:
“SEC Rule 17a-4 & 17a-3 – Records to be made by and preserved by certain exchange members, brokers and dealers.” (vendor summary)
http://www.17a-4.com/regulations-summary/

“SEC Interpretation: Electronic Storage of Broker-Dealer Records.”
https://www.sec.gov/rules/interp/34-47806.htm

“(17a-3) Records to be Made by Certain Exchange Members, Brokers and Dealers.”
http://www.finra.org/industry/interpretationsfor/sea-rule-17a-3

“(17a-4) Records to be Preserved by Certain Exchange Members, Brokers and Dealers.”
http://www.finra.org/industry/interpretationsfor/sea-rule-17a-4


New In-Flight Data Leakage Channel — Gogo.

January 9, 2015

Commercial aircraft WiFi network provider Gogo appears to have been issuing SSL certificates for Google sites accessed via their in-flight service. Technically, the Gogo Inflight Internet service acts as an SSL man-in-the-middle (MITM): it terminates the traveler’s TLS session with a certificate it signed itself and opens its own session to the real site. Because the device does not trust Gogo’s signing certificate, the browser warns, but users routinely click through such warnings. Most of us in Financial Services are familiar with analogous HTTP proxy infrastructure that allows our organizations to inspect and control web traffic, even traffic to secure web sites.

Assuming that many of your traveling workforce also use and communicate highly sensitive information, the kind that must be controlled to meet regulatory obligations and/or customer & investor expectations, the Gogo service appears to present a potentially material risk management issue. There is also the issue of losing any (more) of your workforce credentials. Under a range of common scenarios, Gogo appears to have them. Does Gogo protect that information to the degree required by Financial Services enterprises?  I assume not.

At a minimum, this seems like another topic to be included in our traveler’s security awareness training.
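As an added example (not code from the original post, and not Gogo’s or Google’s), here is how a check for this kind of interception could look in Python. It inspects a certificate in the layout `ssl.SSLSocket.getpeercert()` returns, confirms that a subjectAltName covers the host, and compares the issuer organization against the issuers you expect for that site. The expected issuer set, the hostnames and both sample certificates are constructed for illustration and are not real certificate data.

```python
import socket
import ssl


def _rdn_to_dict(rdn_seq):
    """Flatten the nested ((('key', 'value'),), ...) form that
    ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    flat = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            flat.setdefault(key, value)
    return flat


def _san_matches(pattern, hostname):
    """Name match in the RFC 6125 style: exact, or one leftmost wildcard
    label that covers exactly one hostname label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return False


def check_peer_cert(cert, hostname, expected_issuer_orgs):
    """Return a list of findings about an already-negotiated peer certificate.
    An empty list means the certificate names the host and comes from an
    issuer we expect for it; anything else is evidence that something between
    us and the site is terminating TLS."""
    findings = []
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_san_matches(p, hostname) for p in sans):
        findings.append("no subjectAltName matches %s: %r" % (hostname, sans))
    org = issuer.get("organizationName")
    if org not in expected_issuer_orgs:
        findings.append("unexpected issuer organization %r (CN=%r)"
                        % (org, issuer.get("commonName")))
    return findings


def observe(hostname, expected_issuer_orgs, port=443, timeout=5.0):
    """Connect with the platform trust store and report what is presented.
    A handshake failure means the interceptor's CA is not trusted here; a
    success with the wrong issuer means a CA this device trusts (a corporate
    proxy, or a root the user was talked into installing) signs for the site.
    Live network call; not exercised by the samples below."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return check_peer_cert(tls.getpeercert(), hostname,
                                       expected_issuer_orgs)
    except ssl.SSLError as exc:
        return ["handshake rejected: %s" % exc]


# Constructed samples in getpeercert() layout; neither is a real certificate
# and the issuer names are placeholders, not any provider's actual CA.
GENUINE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust Services"),),
               (("commonName", "Example Internet Authority"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Inflight Wifi Provider"),),
               (("commonName", "inflight-proxy"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}
EXPECTED = {"Example Trust Services"}   # assumed pin for www.example.com

if __name__ == "__main__":
    print("genuine:    ", check_peer_cert(GENUINE, "www.example.com", EXPECTED))
    print("intercepted:", check_peer_cert(INTERCEPTED, "www.example.com", EXPECTED))
```

Two outcomes matter. If the interceptor’s signing certificate is not trusted by the device, the handshake in `observe()` fails outright, which is the warning travelers saw; if it is trusted, the handshake succeeds and only the issuer comparison reveals the interception. Pinning issuer organizations is brittle when a site changes CAs, so treat a mismatch as a prompt to investigate rather than as proof.
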
REFERENCES:

“Gogo Inflight Internet is intentionally issuing fake SSL certificates.” By Dwulf, 01-05-2015
http://www.techworm.net/2015/01/gogo-inflight-internet-intentionally-issuing-fake-ssl-certificates.html

“Gogo Inflight Internet is Intentionally Issuing Fake SSL Certificates.”
http://www.symantec.com/connect/blogs/gogo-inflight-internet-intentionally-issuing-fake-ssl-certificates
By Rick Andrews, 01-07-2015


Another BYOD Security Challenge – User-Managed Remote Access Software

August 16, 2014

In a recent Defcon presentation three researchers demonstrated that scanning the Internet — the entire Internet — is now a practical exercise.  That idea alone should force us all to re-frame our thinking about how we measure the effectiveness of our infrastructure’s defensive posture — but that is not a topic for this post.  As part of their work, the team demonstrated the scale of unauthenticated remote access set up on business and personal endpoints accessible from the Internet.  As families acquire more and more Internet endpoints, it appears that some in each household want to access or manage some of them remotely.  This might be as simple as accessing the “office Mac” from a tablet on the couch, or as reckless as unauthenticated remote access to that home office endpoint while traveling.  The use case doesn’t matter as much as the behavior itself.  If people are setting up unauthenticated remote access (or using default or easily guessed passwords) on the endpoints they also want to bring to work, we all have a problem…

However ill-conceived, BYOD experiments, and even formal BYOD programs, seem to be a fever without a cure.  When a financial services workforce uses non-company endpoints we inherit all the risks associated with their all-too-often unprofessional and uninformed management practices.  Now we have evidence that one facet of that behavior is the installation and use of unauthenticated remote access software.  There are a number of popular approaches.  The Defcon presentation appears to have focused on VNC (virtual network computing), but there are other popular packages used to support convenient remote access – Wikipedia lists dozens.
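To make the VNC finding concrete, here is an added example (my code, not the researchers’ tooling) that parses the start of the RFB handshake and reports whether a server offers the “None” security type, which is what unauthenticated VNC looks like on the wire. The three handshakes at the bottom are constructed byte strings, not captures from real hosts, and `probe()` is the only function that touches the network.

```python
import socket
import struct

# RFB security types from RFC 6143 section 7.1.2 and the IANA registry.
# Type 1 ("None") means the server lets anyone who can reach the port in.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_version(greeting):
    """Parse the 12-byte 'RFB xxx.yyy\\n' server greeting into (major, minor)."""
    if (len(greeting) != 12 or greeting[:4] != b"RFB "
            or greeting[7:8] != b"." or greeting[11:12] != b"\n"):
        raise ValueError("not an RFB greeting: %r" % greeting)
    return int(greeting[4:7]), int(greeting[8:11])


def _reason(buf):
    """Refusal text: big-endian u32 length followed by that many bytes."""
    (n,) = struct.unpack("!I", buf[:4])
    return buf[4:4 + n].decode("latin-1", "replace")


def parse_security_types(version, payload):
    """Return the security types the server offers, given the bytes that
    follow the version exchange. RFB 3.3 servers dictate one type as a u32;
    3.7 and later send a count byte then one byte per offered type. A zero
    count (or u32 zero) is a refusal followed by a reason string."""
    if version <= (3, 3):
        (single,) = struct.unpack("!I", payload[:4])
        if single == 0:
            raise ValueError("server refused: " + _reason(payload[4:]))
        return [single]
    count = payload[0]
    if count == 0:
        raise ValueError("server refused: " + _reason(payload[1:]))
    return list(payload[1:1 + count])


def classify(greeting, payload):
    """Summarise one server: protocol version, offered types, and whether
    unauthenticated access (type 1) is among them."""
    version = parse_version(greeting)
    types = parse_security_types(version, payload)
    return {
        "version": "%d.%d" % version,
        "security_types": [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types],
        "unauthenticated": 1 in types,
    }


def probe(host, port=5900, timeout=3.0):
    """Talk to a live VNC server just far enough to learn its security types.
    Echoing the server's own version string is the simplest way to agree on
    one; nothing past the security-type message is sent or read."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = s.recv(12)
        s.sendall(greeting)
        return classify(greeting, s.recv(260))


# Constructed handshakes for illustration, not captured from any real host.
OPEN_38 = (b"RFB 003.008\n", b"\x02\x01\x02")               # None + VNC auth
AUTH_33 = (b"RFB 003.003\n", b"\x00\x00\x00\x02")           # 3.3, VNC auth only
REFUSED = (b"RFB 003.008\n", b"\x00" + struct.pack("!I", 8) + b"too many")

if __name__ == "__main__":
    for greeting, payload in (OPEN_38, AUTH_33):
        print(classify(greeting, payload))
```

Note that "VNC Authentication" (type 2) is only a small improvement: it is a challenge-response over a DES-derived key with an 8-character password, so "authenticated" VNC with a weak or default password is still an open door, which is why the list below insists on strong, unique passwords and on keeping the service off when it is not in use.
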

We need to train our workforce that they need to limit their exposure (and the organization’s via BYOD) to the risks associated with remote access software. At the very highest level, they need to understand that for any endpoint used for financial services work:

  1. Don’t run software (whatever it is) that is not really needed
  2. If you really need it, learn how to manage it and configure it to deliver only the features you need — in the context of end user-managed BYOD environments, running software you don’t understand is not risk-reasonable in the context of performing financial services business (our regulators require, and our customers and partners expect, that we perform our business activities using risk management practices stronger than simple ‘hope’)
  3. If you need remote access exercise the principle of least privilege
    1. Install and configure the software so that by default it is not turned on (if it is not running it will not support unintended remote access)
    2. Turn on your remote access software only when you need it, and then turn it off again as soon as is practical afterward
    3. Configure the remote access software to include a risk-reasonably short session timeout
    4. Permit only uniquely-authenticated users having a strong, unique, time-limited password
  4. Restrict remote access to your endpoint as much as possible
  5. Turn off every remote access path you can do without
  6. Use multiple layers of protection to implement defense in depth
    1. Run an endpoint firewall configured to reject all inbound communications attempts except those you explicitly authorize
    2. Don’t grant apps permissions that you don’t understand
    3. Don’t grant apps permissions that would enable access to business data or business communications
    4. Run one or more anti-malware packages
    5. Use security-centric web proxies
    6. Configure your browser(s) in their most paranoid settings
    7. Turn on your browser’s or search engine’s malicious-site warning (‘safe browsing’) service
    8. If your operating system supports it, perform your work in the absence of administrative rights (don’t make yourself equivalent to root or the local administrator)

In addition to end user education, and before permitting even the most limited BYOD experiment, financial services enterprises should have their infrastructure configured to resist the use of virtually all known remote access software on those non-company devices.  The port-blocking and protocol recognition will not be perfect, but it will stop the unauthorized use of the most casual installations.  We also need to have our SIEM infrastructure configured to alert, and staff to deal with those alerts.  In addition, and using the same signature and/or correlation logic configured in the SIEM, those with widespread IPS infrastructure can block BYOD remote access attempts (at least in some scenarios).
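Here is an added example, not from the original post, of the alerting logic such a SIEM rule would implement, written in Python over a constructed firewall log. The log format, the BYOD address range 10.20.0.0/16, and the port-to-tool table are assumptions for the example; the ports are the tools’ well-known defaults, and anything that tunnels over 443 needs protocol recognition that a port rule cannot supply.

```python
import ipaddress
import re
from collections import Counter

# Default listening ports of common end-user remote access tools (assumed
# defaults for this example; confirm against your own environment).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5938: "TeamViewer", 5800: "VNC (HTTP viewer)"}
REMOTE_ACCESS_PORTS.update({p: "VNC" for p in range(5900, 5910)})

# Constructed firewall log format used by this example:
#   <timestamp> <device> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def detect(lines, byod_net):
    """Return an alert for every flow in which a BYOD address either reaches
    out to a remote access port (the user controlling a machine elsewhere)
    or is reached on one (someone controlling the BYOD device). Denied flows
    are reported too: a blocked attempt still shows the software is present."""
    net = ipaddress.ip_network(byod_net)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in REMOTE_ACCESS_PORTS:
            continue
        if ipaddress.ip_address(rec["src"]) in net:
            direction, device, peer = "outbound", rec["src"], rec["dst"]
        elif ipaddress.ip_address(rec["dst"]) in net:
            direction, device, peer = "inbound", rec["dst"], rec["src"]
        else:
            continue   # neither end is a BYOD address: out of scope for this rule
        alerts.append({
            "ts": rec["ts"], "device": device, "peer": peer,
            "direction": direction, "action": rec["action"],
            "tool": REMOTE_ACCESS_PORTS[rec["dport"]], "dport": rec["dport"],
        })
    return alerts


def summarize(alerts):
    """Count alerts per (device, tool, direction) for triage and reporting."""
    return Counter((a["device"], a["tool"], a["direction"]) for a in alerts)


# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2014-08-15T09:12:03Z fw1 ALLOW TCP 10.20.30.41:51234 -> 203.0.113.7:5900
2014-08-15T09:12:09Z fw1 ALLOW TCP 10.20.30.41:49820 -> 198.51.100.9:443
2014-08-15T09:13:44Z fw1 ALLOW TCP 198.51.100.22:40000 -> 10.20.30.41:3389
2014-08-15T09:15:01Z fw1 DENY TCP 10.20.30.41:51250 -> 203.0.113.7:5938
2014-08-15T09:16:12Z fw1 ALLOW TCP 10.5.5.5:44444 -> 203.0.113.7:5901
this line is not in the expected format
""".splitlines()
BYOD_NET = "10.20.0.0/16"   # assumed BYOD address range

if __name__ == "__main__":
    found = detect(SAMPLE_LOG, BYOD_NET)
    for a in found:
        print("%(ts)s %(device)s %(direction)s %(tool)s (%(action)s) peer=%(peer)s" % a)
    print(summarize(found))
```

The inbound RDP hit is the case to treat most urgently: an outside address is driving a device that sits on the corporate network. The denied TeamViewer attempt is still worth a ticket, since it shows the tool is installed and will reach out again from the next coffee shop.
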

All of the security measures required to deal with BYOD fever will add expense that needs to be introduced into the BYOD economic equation.  All of the new risks also need to be introduced into the overall enterprise risk management pool.  The impacts will be different for various organizations.  For some, it seems reasonable to assume that the new costs and risks will far exceed any real benefits that could possibly be delivered in a financial services enterprise environment. 

REFERENCES:

“Thousands of computers open to eavesdropping and hijacking.” By Lisa Vaas on August 15, 2014, http://nakedsecurity.sophos.com/2014/08/15/thousands-of-computers-open-to-eavesdropping-and-hijacking/

“Mass Scanning the Internet: Tips, Tricks, Results.” By Robert Graham, Paul McMillan, & Dan Tentler, https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Graham 

“Comparison of remote desktop software.” From Wikipedia, http://en.wikipedia.org/wiki/Comparison_of_remote_desktop_software

“Principle of Least Privilege.” From Wikipedia, http://en.wikipedia.org/wiki/Principle_of_least_privilege

“Defense in depth.” From Wikipedia,
http://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29


NSA Data Gathering Hits Financial Services Privacy & Security Promises

September 8, 2013

Reputable news organizations have been covering the NSA data gathering and spying stories for months.

For Financial Services, the short version is that we can have little confidence in the information security or privacy of cloud-based collaboration services or of the standard commercial encryption products and services we use in day-to-day operations.

Months ago it was revealed that NSA’s Prism program allows participants to collect material hosted by Apple, Facebook, Google, and other US internet giants, including search history, the content of emails, file transfer/storage, and chat sessions.

The U.S. intelligence-gathering operation is also accessing data from smart phones from all leading manufacturers. Spiegel reported on NSA documents they have seen that explicitly note the NSA can copy encrypted “private” information from Apple iPhones & iPads, BlackBerry devices, and mobile devices running the Android operating system. This is not simple access to contacts or browser history. The NSA documents said they have “access to at least 38 iPhone features.”

UPI summarized a key issue: “tech firms and ISPs said they were coerced into handing over their master encryption keys or building in hidden methods, known as ‘back doors,’ to bypass normal computer, cryptosystem and algorithm authentication systems.”  Regardless of whether cooperation or intimidation was the path to this vendor access, the breaches seem to be factual and we need to adapt our business practices to this new environment.

The NSA information gathering and decryption capabilities appear to have invalidated many of our standard claims about data security and privacy. Our VPNs, our secured email communications, high-speed mobile data communications, and virtually all the “plumbing” used to communicate and store data are now vulnerable to active NSA data gathering programs. Given compliance obligations in our industry, continuing to sign SOX attestations may present ethical and legal challenges for many.  Some may also be in violation of contracts with customers, partners, and other banks.

At a minimum, you should advise senior staff in all organizations who develop strategy and senior decision makers that their written interactions as they explore ideas and attempt to identify the edges of compliance and legality are likely to be stored in U.S. government databases in clear text into the foreseeable future.

The same is true for those involved in the sensitive tactical work of implementing strategy. If there is any question about identifying the edges of compliance and legality, it is likely that increases the probability of showing up in government searches of this data.

Because of the way information about these capabilities is leaking out, it is unclear how that information is shared, and who is authorized and who is able to gain access for ‘discovery’ activities. The governance of that access control is also unclear, as is how access policies and decision-making practices might evolve over time.

In that context, consider the operations of a normal global financial services corporation. It is commonplace to write the names of countries, cities, companies, and individuals located across the globe, many of which would likely match U.S. government filtering criteria. Once tagged for additional analysis, that once-private information is exposed to examination of types and by means that are still leaking out. It seems like an elevated-risk gamble for some categories of communications to be subjected to those odds.

REFERENCES:

Much reporting on this topic has been delivered by The New York Times, the Guardian and ProPublica based on documents obtained by The Guardian.
For the Guardian: James Ball, Julian Borger, Glenn Greenwald
For the New York Times: Nicole Perlroth, Scott Shane
For ProPublica: Jeff Larson
“Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security.” Sept. 5, 2013
http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

“N.S.A. Able to Foil Basic Safeguards of Privacy on Web.” Sept. 5, 2013
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0&pagewanted=all

“Revealed: how US and UK spy agencies defeat internet privacy and security.” Sept. 5, 2013
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

“Privacy Scandal: NSA Can Spy on Smart Phone Data.” Sept. 7, 2013
http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html

“Documents show NSA can crack most Web privacy encryption.” Sept. 6, 2013
http://www.upi.com/Top_News/US/2013/09/06/Documents-show-NSA-can-crack-most-Web-privacy-encryption/UPI-60871378450800/#ixzz2eMBRBQy4

“NSA Prism program taps in to user data of Apple, Google and others.” June 6, 2013
http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data

Sarbanes-Oxley (SOX):
http://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act#Sarbanes.E2.80.93Oxley_Section_404:_Assessment_of_internal_control


