New Technology and Service Options Do Not Trump Law and Regulations

May 16, 2017

A couple of weeks ago I received a letter from Wells Fargo. After some brokerage account details there were a couple of paragraphs of disclosure about $2.5 million in penalties for failing to effectively protect business-related electronic records. Wells Fargo has been having a rough time lately. But this situation is so self-inflicted, and so likely to happen elsewhere as Financial Services organizations' technology personnel attempt to demonstrate that they can "deliver more for less…", that I thought it might be worth sharing as a cautionary tale.

The disclosures outlined that the bank’s brokerage and independent wealth management businesses paid $1 million and another $1.5 million in fines & penalties because they failed to keep hundreds of millions of electronic documents in a “write once, read many” format — as required by the regulations under which they do business.

Federal securities laws and Financial Industry Regulatory Authority (FINRA) rules require that electronic storage media hosting certain business-related electronic records "preserve the records exclusively in a non-rewriteable and non-erasable format." Storage of this type has long been referred to as WORM, or "write once, read many," technology: it prevents the alteration or destruction of the data it holds. The SEC has stated that these requirements are an essential part of the investor protection function because a firm's books and records are the "primary means of monitoring compliance with applicable securities laws, including anti-fraud provisions and financial responsibility standards." In security terms, the WORM requirement is an integrity control on certain financial records.

Over the past decade, the volume of sensitive financial data stored electronically has risen exponentially and there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records, further emphasizing the need to maintain records in WORM format. At the same time, in some financial services organizations “productivity” measures have resulted in large scale, internally-initiated customer fraud, again posing a threat to inadequately protected records.
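As an added illustration (not code from this page, from Wells Fargo, or from any vendor), here is an application-level model in Python of the WORM property the regulations describe: every record is written exactly once, overwrite and erasure requests are refused, and each record is chained to its predecessor by a SHA-256 hash so that any after-the-fact alteration is detectable. The record identifiers, timestamps and payloads are constructed sample data; the `WormStore` class and its method names are this example's own.

```python
"""Application-level model of WORM ("write once, read many") semantics:
records are written once, overwrites and deletes are refused, and a
SHA-256 hash chain makes later tampering detectable."""
import hashlib
import json


class WormViolation(Exception):
    """Raised when a caller tries to rewrite or erase a stored record."""


GENESIS = "0" * 64  # chain anchor for the first record (constructed constant)


def _digest(entry):
    # Canonical JSON so the same logical record always hashes the same way.
    material = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(material).hexdigest()


class WormStore:
    def __init__(self):
        self._log = []      # append-only list of entries, in write order
        self._by_id = {}    # record_id -> serial number in self._log

    def write(self, record_id, payload, recorded_at):
        """Write once: a second write for the same record_id is refused."""
        if record_id in self._by_id:
            raise WormViolation(f"overwrite of {record_id!r} refused")
        prev_hash = self._log[-1]["hash"] if self._log else GENESIS
        entry = {
            "serial": len(self._log),      # unique, monotonically increasing
            "record_id": record_id,
            "recorded_at": recorded_at,    # caller-supplied ISO-8601 timestamp
            "payload": payload,
            "prev": prev_hash,             # hash of the preceding entry
        }
        entry["hash"] = _digest(entry)     # hash covers everything above
        self._log.append(entry)
        self._by_id[record_id] = entry["serial"]
        return entry["serial"]

    def read(self, record_id):
        return self._log[self._by_id[record_id]]["payload"]

    def delete(self, record_id):
        """Non-erasable: there is no code path that removes an entry."""
        raise WormViolation(f"erasure of {record_id!r} refused")

    def __len__(self):
        return len(self._log)

    def verify(self):
        """Recompute the chain and return the serials of entries whose stored
        hash no longer matches their content, or whose prev pointer no longer
        matches the predecessor's hash. An empty list means the chain is intact."""
        bad = []
        prev_hash = GENESIS
        for entry in self._log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev_hash or _digest(body) != entry["hash"]:
                bad.append(entry["serial"])
            prev_hash = entry["hash"]
        return bad
```

The hash chain makes alteration detectable; it does not by itself make the underlying media non-rewriteable or non-erasable, which is what the rule actually demands of the storage layer. In practice the tip-of-chain hash is periodically written somewhere the record writer cannot reach, and `verify()` (or its equivalent) is run on a schedule with results that themselves are retained.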

My letter resulted from a set of FINRA actions announced late last December that imposed fines against 12 firms for a total of $14.4 million "for significant deficiencies relating to the preservation of broker-dealer and customer records in a format that prevents alteration." In their December 21st press release FINRA said that they "found that at various times, and in most cases for prolonged periods, the firms failed to maintain electronic records in 'write once, read many,' or WORM, format."

FINRA reported that each of these 12 firms had technology, procedural and supervisory deficiencies that affected millions, and in some cases, hundreds of millions, of records core to the firms’ brokerage businesses, spanning multiple systems and categories of records. FINRA also announced that three of the firms failed to retain certain broker-dealer records the firms were required to keep under applicable record retention rules.

Brad Bennett, FINRA’s Executive Vice President and Chief of Enforcement, said, “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records. Ensuring the integrity of these records is critical to the investor protection function because they are a primary means by which regulators examine for misconduct in the securities industry.”

FINRA reported 99 related “books and records” cases in 2016, which resulted in $22.5 million in fines. That seems like real money…

Failure to effectively protect these types of regulated electronic records may result in reputational (brand & sales) and financial (fines & penalties) harm. Keep that in mind as vendors and hype-sters attempt to sell us services that persist regulated data. New technology and service options do not supersede or replace the established law and regulations under which our Financial Services companies operate.

REFERENCES:
“FINRA Fines 12 Firms a Total of $14.4 Million for Failing to Protect Records From Alteration.”
December 21, 2016
http://www.finra.org/newsroom/2016/finra-fines-12-firms-total-144-million-failing-protect-records-alteration

“Annual Eversheds Sutherland Analysis of FINRA Cases Shows Record-Breaking 2016.”
February 28, 2017
https://us.eversheds-sutherland.com/NewsCommentary/Press-Releases/197511/Annual-Eversheds-Sutherland-Analysis-of-FINRA-Cases-Shows-Record-Breaking-2016

“Is Compliance in FINRA’s Crosshairs?”
http://www.napa-net.org/news/technical-competence/regulatory-agencies/is-compliance-in-finras-crosshairs/

SEC Rule 17a-4 & 17a-3 of the Securities Exchange Act of 1934:
“SEC Rule 17a-4 & 17a-3 – Records to be made by and preserved by certain exchange members, brokers and dealers.” (vendor summary)
http://www.17a-4.com/regulations-summary/

“SEC Interpretation: Electronic Storage of Broker-Dealer Records.”
https://www.sec.gov/rules/interp/34-47806.htm

“(17a-3) Records to be Made by Certain Exchange Members, Brokers and Dealers.”
http://www.finra.org/industry/interpretationsfor/sea-rule-17a-3

“(17a-4) Records to be Preserved by Certain Exchange Members, Brokers and Dealers.”
http://www.finra.org/industry/interpretationsfor/sea-rule-17a-4


Getting through that Compliance-Only Mindset

December 1, 2016

We all need to work with leaders and other influencers who hold "compliance" as their prime (sometimes, only) risk management driver.   Sure, that is tiring and sometimes disheartening, but they are not going away…  In the course of your efforts to advance effective information and operations security, motivating these individuals can be a challenge.  Because large scale financial services enterprises in the United States do business across the country, it is sometimes helpful to be able to demonstrate the scope of legislation (not regulation) that applies to various aspects of information and cyber security.  Below is a collection of lists of laws on related information security topics from the National Conference of State Legislatures (http://www.ncsl.org/aboutus.aspx) that may help you on that front.  I've included a couple of global resources as well, but that information is far more limited than what is available to me about U.S. state laws.

At the story-telling level, one might use this list to demonstrate why it is critical to create, acquire, evolve and maintain ________ (this may be context-specific, use whatever is applicable: software, networks, servers, endpoints, databases, appliances, etc…) that are audit-ready, resilient and resistant to attack, and that protect sensitive resources & transactions while delivering the intended levels of service while under attack.  I am not a lawyer and this is not legal advice!  But I believe given the scope and complexity of the laws involved, along with the velocity of change, attempting to achieve and maintain tight compliance alignment with all applicable laws & regulations would be vastly more expensive than focusing most of our creativity & energy on fielding safe-enough software, infrastructure, and operations.

Sure, laws, regulations, and the professionals who focus on them are critically important in Financial Services.  That does not make them the center-of-the-universe for information security. Safe software, safe infrastructure, and safe operations are expected by all our constituencies and these characteristics also should satisfy information security-relevant compliance obligations. This seems like an achievable goal. Mapping every relevant law and regulation to every facet of every application and all aspects of our infrastructure and its operations seems impractical and unbusinesslike.

What do you think?

List of U.S. Security Breach Notification Laws:

Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information.
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

A running list of U.S. security breach-related legislation by year (2010 to present):

http://www.ncsl.org/research/telecommunications-and-information-technology/overview-security-breaches.aspx

List of U.S Data Disposal Laws:

At least 31 states and Puerto Rico have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.
http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx

List of U.S. Identity Theft Laws:

http://www.ncsl.org/research/financial-services-and-commerce/identity-theft-state-statutes.aspx
Identity theft occurs when someone uses another person’s personally identifying information, like a person’s name, Social Security number, or credit card number or other financial information, without permission, to commit fraud or other crimes.
This chart summarizes the identity theft criminal penalties, restitution and identity theft passport laws. Every state has a law regarding identity theft or impersonation. Twenty-nine states, Guam, Puerto Rico and the District of Columbia have specific restitution provisions for identity theft. Five states—Iowa, Kansas, Kentucky, Michigan and Tennessee—have forfeiture provisions for identity theft crimes. Eleven states—Arkansas, Delaware, Iowa, Maryland, Mississippi, Montana, Nevada, New Mexico, Ohio, Oklahoma and Virginia—have created identity theft passport programs to help protect victims from continuing identity theft.

List of U.S. Cybersecurity Legislation for 2016:

http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2016.aspx
Cyber threats have enormous implications for government security, economic prosperity and public safety. States are addressing cybersecurity through various approaches, such as:

  • Requiring government or public agencies to implement security practices
  • Offering incentives to the cybersecurity industry
  • Providing exemptions from public records laws for security information
  • Creating cybersecurity commissions, studies or task forces
  • Promoting cybersecurity education.

Same for 2015:
http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2015.aspx

List of U.S. Computer Crime Statutes:

http://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx
Computer crime laws encompass a variety of actions that destroy or interfere with normal operation of a computer system including hacking, unauthorized access, and malware, among others.

List of U.S. State Laws Associated with Phishing:

http://www.ncsl.org/research/telecommunications-and-information-technology/state-phishing-laws.aspx
Through 1/9/2015.
Phishing is a scam where fraudsters send spam or text messages or create deceptive websites to lure personal or financial information from unsuspecting victims.

U.S. State Spyware Laws

http://www.ncsl.org/research/telecommunications-and-information-technology/state-spyware-laws.aspx
Last update: 12/3/2015
Spyware, also sometimes called adware, is software that can track or collect the online activities or personal information of Web users, change settings on users' computers, or cause advertising messages to pop up on users' computer screens.  Web users are often unaware that spyware has been downloaded to their computers, and even when found, it can be very difficult to remove.
Twenty states, Guam and Puerto Rico have laws targeting spyware. Other states have laws that address computer crime, fraudulent or deceptive practices or identity theft and that possibly could apply to some practices involving spyware.

Also:

Perkins Coie’s list of U.S. State Security Breach Notification Laws:

https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
(Last Revised June 2016)
Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification.  The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements.  Lawyers, compliance professionals, and business owners have told Perkins Coie that the chart has been helpful when preparing for and responding to data breaches.
This resource includes more detail than most of the links listed above.

DLA Piper “Data Protection Laws of the World”

Interactive Map Of Notification Status and more.
https://www.dlapiperdataprotection.com/index.html#handbook/world-map-section
Interactive map highlighting breach notification rules and regulations (per country). The colors of the countries on the map represent a data breach risk index. Red is the highest, orange is high, yellow is elevated, blue is general, and green is low risk.
There is also an on-demand PDF version of "Data Protection Laws of the World" available from DLA Piper at:
https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw/functions/export.pdf?country=all
When downloaded on November 29, 2016, this was a 510 page document covering the following countries: Angola, Argentina, Australia, Austria, Belarus, Belgium, Bosnia and Herzegovina, Brazil, British Virgin Islands, Bulgaria, Canada, Cape Verde, Cayman Islands, Chile, China, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Ghana, Gibraltar, Greece, Guernsey, Honduras, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Jersey, Latvia, Lesotho, Lithuania, Luxembourg, Macau, Macedonia, Madagascar, Malaysia, Malta, Mauritius, Mexico, Monaco, Montenegro, Morocco, Netherlands, New Zealand, Nigeria, Norway, Pakistan, Panama, Peru, Philippines, Poland, Portugal, Romania, Russia, Saudi Arabia, Serbia, Seychelles, Singapore, Slovak Republic, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Trinidad and Tobago, Turkey, UAE – Dubai (DIFC), UAE – General, Ukraine, United Kingdom, United States, Uruguay, Venezuela, and Zimbabwe.

The page below provides a brief summary of the requirements of each of the 47 U.S. state data breach notification laws as of August 2014.
http://www.itgovernanceusa.com/data-breach-notification-laws.aspx


New In-Flight Data Leakage Channel — Gogo.

January 9, 2015

Commercial aircraft WiFi network provider Gogo appears to have been issuing its own SSL certificates for Google sites accessed via its in-flight service. Technically, the Gogo Inflight Internet service performs an SSL man-in-the-middle (MITM) interception: the traveler's "secure" session terminates at Gogo, not at Google. Most of us in Financial Services are familiar with the analogous HTTP proxy infrastructure our organizations use to inspect and control web traffic, even traffic to secure web sites.

Assuming that many of your traveling workforce also use and communicate highly sensitive information, the kind that must be controlled to meet regulatory obligations and/or customer & investor expectations, the Gogo service appears to present a potentially material risk management issue. There is also the issue of losing any (more) of your workforce credentials. Under a range of common scenarios, Gogo appears to have access to them. Does Gogo protect that information to the degree required by Financial Services enterprises?  I assume not.

At a minimum, this seems like another topic to be included in our traveler’s security awareness training.
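As an added example (not code from this page, from Gogo, or from the referenced write-ups), the following Python tool shows the client-side check a traveler's endpoint or a security team's laptop could run to notice the interception described above. It connects with full certificate validation, treats a validation failure as a finding rather than an error (a Gogo-style certificate signed by an untrusted CA lands there), and for a chain that does validate it compares the issuing organization against what the operator expects for that host, optionally also against a pinned SHA-256 certificate fingerprint (the case of an interception proxy whose root has been installed as trusted). The hostnames, issuer names and the `EXPECTED_ISSUER_ORGS` table are illustrative assumptions to be replaced with values observed on a known-clean network.

```python
"""Client-side detection of TLS interception: validate the chain, then
compare the issuing CA (and optionally a pinned fingerprint) with what
the operator expects for that host."""
import hashlib
import socket
import ssl

# Operator-maintained expectations. Illustrative assumptions, not an
# authoritative list of any CA's names; populate from a known-clean network.
EXPECTED_ISSUER_ORGS = {
    "www.google.com": {"Google Trust Services", "Google Trust Services LLC"},
}


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_bytes).hexdigest()


def issuer_org(peercert):
    """Pull organizationName from the nested tuples ssl's getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "organizationName":
                return value
    return None


def assess(host, peercert, der_bytes, chain_error=None, pinned=None):
    """Classify a presented certificate. 'verdict' is one of:
    untrusted_issuer  - chain failed validation (CA not in the trust store)
    pin_mismatch      - chain is trusted but the cert is not the pinned one
    unexpected_issuer - chain is trusted but signed by a CA we do not expect
                        (what a trusted interception proxy looks like)
    ok                - nothing suspicious
    """
    fp = cert_fingerprint(der_bytes) if der_bytes else None
    result = {"host": host, "fingerprint": fp, "issuer": issuer_org(peercert)}
    if chain_error is not None:
        result.update(verdict="untrusted_issuer", detail=chain_error)
    elif pinned and fp not in pinned:
        result.update(verdict="pin_mismatch", detail="fingerprint not in pin set")
    elif host in EXPECTED_ISSUER_ORGS and result["issuer"] not in EXPECTED_ISSUER_ORGS[host]:
        result.update(verdict="unexpected_issuer", detail=f"issuer {result['issuer']!r}")
    else:
        result.update(verdict="ok", detail="")
    return result


def probe(host, port=443, pinned=None, timeout=5.0):
    """Connect with full validation; a validation failure is a finding, not a crash."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(host, tls.getpeercert(),
                              tls.getpeercert(binary_form=True), pinned=pinned)
    except ssl.SSLCertVerificationError as exc:
        return assess(host, {}, b"", chain_error=str(exc), pinned=pinned)


if __name__ == "__main__":
    print(probe("www.google.com"))
```

Run `probe()` once from a trusted network to record the issuer and fingerprint, then again from the in-flight network; a verdict other than `ok` is the signal. Fingerprint pins rotate with the server's certificate, so the issuer comparison is the more durable of the two checks.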
REFERENCES:

"Gogo Inflight Internet is intentionally issuing fake SSL certificates." http://www.techworm.net/2015/01/gogo-inflight-internet-intentionally-issuing-fake-ssl-certificates.html
By Dwulf, 01-05-2015

“Gogo Inflight Internet is Intentionally Issuing Fake SSL Certificates.”
http://www.symantec.com/connect/blogs/gogo-inflight-internet-intentionally-issuing-fake-ssl-certificates
By Rick Andrews, 01-07-2015


Another BYOD Security Challenge – User-Managed Remote Access Software

August 16, 2014

In a recent Defcon presentation three researchers demonstrated that scanning the Internet — the entire Internet — is now a practical exercise.  That idea alone should force us all to re-frame our thinking about how we measure the effectiveness of our infrastructure's defensive posture — but that is not a topic for this post.  As part of their work, the team demonstrated the scale of unauthenticated remote access set up on business and personal endpoints accessible from the Internet.  As families acquire more and more Internet endpoints, it appears that some in each household want to access or manage some of them remotely.  This might be as simple as accessing the "office Mac" from a tablet on the couch, or as crazy as unauthenticated remote access to that home office endpoint while traveling.  The use case doesn't matter as much as the behavior itself.  If people are setting up unauthenticated remote access (or using default or 'easily-guessable' passwords) on the endpoints they also want to bring to work, we all have a problem…

Regardless of how ill-conceived they may be, BYOD experiments, and even formal BYOD programs, seem to be a fever without a cure.  When a financial services workforce uses non-company endpoints we inherit all the risks associated with their all-too-often unprofessional and uninformed management practices.  Now we have evidence that one facet of that behavior is the installation and use of unauthenticated remote access software.  There are a number of popular approaches.  The Defcon presentation appears to have focused on VNC (virtual network computing), but there are other popular packages used to support convenient remote access – Wikipedia lists dozens.

We need to train our workforce that they need to limit their exposure (and the organization’s via BYOD) to the risks associated with remote access software. At the very highest level, they need to understand that for any endpoint used for financial services work:

  1. Don’t run software (whatever it is) that is not really needed
  2. If you really need it, learn how to manage it and configure it to deliver only the features you need. In the context of end user-managed BYOD environments, running software you don't understand is not risk-reasonable when performing financial services business (our regulators require, and our customers and partners expect, that we perform our business activities using risk management practices stronger than simple 'hope')
  3. If you need remote access exercise the principle of least privilege
    1. Install and configure the software so that by default it is not turned on (if it is not running it will not support unintended remote access)
    2. Turn on your remote access software only when you need it, and then turn it off again as soon as is practical afterward
    3. Configure the remote access software to include a risk-reasonably short session timeout
    4. Permit only uniquely-authenticated users having a strong, unique, time-limited password
  4. Restrict remote access to your endpoint as much as possible
  5. Turn off all remote access you can get away with
  6. Use multiple layers of protection to implement defense in depth
    1. Run an endpoint firewall configured to reject all inbound communications attempts except those you explicitly authorize
    2. Don’t grant apps permissions that you don’t understand
    3. Don’t grant apps permissions that would enable access to business data or business communications
    4. Run one or more anti-malware packages
    5. Use security-centric web proxies
    6. Configure your browser(s) in their most paranoid settings
    7. Turn on your search engine’s ‘recommendation’ or anti-hostility service
    8. If your operating system supports it, perform your work in the absence of administrative rights (don’t make yourself equivalent to root or the local administrator)

In addition to end user education, and before permitting even the most limited BYOD experiment, financial services enterprises should have their infrastructure configured to resist the use of virtually all known remote access software on those non-company devices.  Port-blocking and protocol recognition will not be perfect, but they will stop the unauthorized use of the most casual installations.  We also need our SIEM infrastructure configured to alert on those attempts, and staff to deal with the alerts.  Using the same signature and/or correlation logic configured in the SIEM, those with widespread IPS infrastructure can also block BYOD remote access attempts (at least in some scenarios).
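As an added example (not code from the Defcon talk, the Sophos write-up, or this post), here are the two pieces of detection logic the paragraph above calls for, in Python: a port-based pass over firewall or flow log lines that flags allowed inbound sessions to well-known remote-access ports on BYOD address space, and a protocol-level parser for the start of a VNC (RFB) server handshake that reports whether the server offers the "None" security type, which is exactly the unauthenticated exposure the scan found. The log format, the BYOD address range (192.0.2.0/24, a documentation prefix) and the sample lines are constructed for this example; the port list is a starting point to extend for your own environment.

```python
"""Detection logic for BYOD remote-access exposure:
 1. flag allowed inbound sessions to remote-access ports on BYOD hosts
    in (constructed) firewall/flow log lines;
 2. parse the start of an RFB (VNC) server handshake and report whether
    the server offers the 'None' security type (unauthenticated access)."""
import re
import struct

# Ports commonly used by remote-access software; extend for your environment.
REMOTE_ACCESS_PORTS = {
    22: "SSH", 23: "Telnet", 3389: "RDP", 5800: "VNC (HTTP)",
    5900: "VNC/RFB", 5901: "VNC/RFB", 5938: "TeamViewer",
}

# Assumed, constructed log format: "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>allow|deny)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log lines; 192.0.2.0/24 stands in for the BYOD segment.
SAMPLE_LOG = [
    "2014-08-15T10:02:11Z allow tcp 203.0.113.7:51324 -> 192.0.2.15:5900",
    "2014-08-15T10:02:40Z allow tcp 203.0.113.9:40211 -> 192.0.2.22:443",
    "2014-08-15T10:03:05Z deny tcp 198.51.100.4:61000 -> 192.0.2.15:3389",
    "2014-08-15T10:04:19Z allow tcp 198.51.100.8:33010 -> 192.0.2.31:5938",
    "2014-08-15T10:05:02Z allow tcp 198.51.100.8:33011 -> 10.1.1.5:5900",
    "garbage line that does not parse",
]


def flag_remote_access(log_lines, byod_prefix="192.0.2."):
    """Return one finding per allowed inbound session to a remote-access port
    on a host in the BYOD range. Denied sessions and other ports are ignored."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pass
        dport = int(m["dport"])
        if (m["action"] == "allow" and m["dst"].startswith(byod_prefix)
                and dport in REMOTE_ACCESS_PORTS):
            findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                             "port": dport, "service": REMOTE_ACCESS_PORTS[dport]})
    return findings


# RFB security types: 0 invalid, 1 None (no authentication), 2 VNC Authentication.
RFB_NONE, RFB_VNC_AUTH = 1, 2


def parse_rfb_server_hello(data):
    """Parse the server's 'RFB xxx.yyy\\n' banner plus the security-type message
    that follows it. Returns {'version', 'security_types', 'unauthenticated'},
    or None if the bytes are not the start of an RFB handshake."""
    if len(data) < 12 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        return None
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    if (major, minor) >= (3, 7):
        # 3.7 and later: U8 count, then that many U8 security types
        # (a count of 0 means the server is refusing the connection).
        if not body:
            return None
        count = body[0]
        types = list(body[1:1 + count])
    else:
        # 3.3: the server picks a single security type and sends it as a U32.
        if len(body) < 4:
            return None
        types = [struct.unpack(">I", body[:4])[0]]
    return {"version": f"{major}.{minor}", "security_types": types,
            "unauthenticated": RFB_NONE in types}
```

The log pass is what a SIEM correlation rule would express; the RFB parser is the kind of protocol recognition an IPS or a follow-up probe needs, since a VNC server on a non-standard port is invisible to the port check alone, and a server that offers only VNC Authentication is a different (weaker) finding than one offering `None`.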

All of the security measures required to deal with BYOD fever will add expense that needs to be introduced into the BYOD economic equation.  All of the new risks also need to be introduced into the overall enterprise risk management pool.  The impacts will be different for various organizations.  For some, it seems reasonable to assume that the new costs and risks will far exceed any real benefits that could possibly be delivered in a financial services enterprise environment. 

REFERENCES:

“Thousands of computers open to eavesdropping and hijacking.” By Lisa Vaas on August 15, 2014, http://nakedsecurity.sophos.com/2014/08/15/thousands-of-computers-open-to-eavesdropping-and-hijacking/

“Mass Scanning the Internet: Tips, Tricks, Results.” By Robert Graham, Paul McMillan, & Dan Tentler, https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Graham 

“Comparison of remote desktop software.” From Wikipedia, http://en.wikipedia.org/wiki/Comparison_of_remote_desktop_software

“Principle of Least Privilege.” From Wikipedia, http://en.wikipedia.org/wiki/Principle_of_least_privilege

“Defense in depth.” From Wikipedia,
http://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29


NSA Data Gathering Hits Financial Services Privacy & Security Promises

September 8, 2013

Reputable news organizations have been covering the NSA data gathering and spying stories for months.

For Financial Services, the short version is that we can have little confidence in the information security or privacy of cloud-based collaboration services or the standard commercial encryption products and services we use in the day-to-day operations.

Months ago it was revealed that NSA’s Prism program allows participants to collect material hosted by Apple, Facebook, Google, and other US internet giants, including search history, the content of emails, file transfer/storage, and chat sessions.

The U.S. intelligence-gathering operation is also accessing data from smart phones from all leading manufacturers. Spiegel reported on NSA documents they have seen explicitly that note the NSA can copy encrypted “private” information from Apple iPhones & iPads, BlackBerry devices, and mobile devices running the Android operating system. This is not simple access to contacts or browser history. The NSA documents said they have “access to at least 38 iPhone features.”

UPI summarized a key issue: “tech firms and ISPs said they were coerced into handing over their master encryption keys or building in hidden methods, known as ‘back doors,’ to bypass normal computer, cryptosystem and algorithm authentication systems.”  Regardless of whether cooperation or intimidation was the path to this vendor access, the breaches seem to be factual and we need to adapt our business practices to this new environment.

The NSA information gathering and decryption capabilities appear to have invalidated many of our standard claims about data security and privacy. Our VPNs, our secured email communications, high-speed mobile data communications, and virtually all the “plumbing” used to communicate and store data are now vulnerable to active NSA data gathering programs. Given compliance obligations in our industry, continuing to sign SOX attestations may present ethical and legal challenges for many.  Some may also be in violation of contracts with customers, partners, and other banks.

At a minimum, you should advise senior staff in all organizations who develop strategy and senior decision makers that their written interactions as they explore ideas and attempt to identify the edges of compliance and legality are likely to be stored in U.S. government databases in clear text into the foreseeable future.

The same is true for those involved in the sensitive tactical work of implementing strategy. If there is any question about identifying the edges of compliance and legality, it is likely that increases the probability of showing up in government searches of this data.

Because of the way information about these capabilities is leaking out, it is unclear how that information is shared, who is authorized to gain access for 'discovery' activities, and who is able to. The governance of that access control is also unclear, as is how access policies and decision-making practices might evolve over time.

In that context, consider the operations of a normal global financial services corporation. It is commonplace to write the names of countries, cities, companies, and individuals located across the globe, many of which would likely match U.S. government filtering criteria. Once tagged for additional analysis, that once-private information is exposed to examination of types and by means that are still leaking out. It seems like an elevated-risk gamble to subject some categories of communications to those odds.

REFERENCES:

Much reporting on this topic has been delivered by The New York Times, the Guardian and ProPublica based on documents obtained by The Guardian.
For the Guardian: James Ball, Julian Borger, Glenn Greenwald
For the New York Times: Nicole Perlroth, Scott Shane
For ProPublica: Jeff Larson
“Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security.” Sept. 5, 2013
http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

“N.S.A. Able to Foil Basic Safeguards of Privacy on Web.” Sept. 5, 2013
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0&pagewanted=all

“Revealed: how US and UK spy agencies defeat internet privacy and security.” Sept. 5, 2013
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

“Privacy Scandal: NSA Can Spy on Smart Phone Data.” Sept. 7, 2013
http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html

“Documents show NSA can crack most Web privacy encryption.” Sept. 6, 2013
http://www.upi.com/Top_News/US/2013/09/06/Documents-show-NSA-can-crack-most-Web-privacy-encryption/UPI-60871378450800/#ixzz2eMBRBQy4

“NSA Prism program taps in to user data of Apple, Google and others.” June 6, 2013
http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data

Sarbanes-Oxley (SOX):
http://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act#Sarbanes.E2.80.93Oxley_Section_404:_Assessment_of_internal_control
