While advancements in technology have greatly improved the speed, efficiency and capability of investment advisers’ and broker-dealers’ systems and workflows, they have also significantly increased operational and reputational risk. A single system intrusion can have dramatic consequences for an SEC or FINRA registrant, including financial loss, ongoing liability to clients and investors, and potential regulatory enforcement action. In today’s environment, a “hacked” SEC or FINRA registrant that hopes to avoid an enforcement action must be able to demonstrate that it has adequate policies and procedures to identify and test potential cybersecurity vulnerabilities and weaknesses. Those policies must also address the experience, the security vetting process and the location of any external party performing such tests.
2. Since 2003, SEC Compliance
Consultants, Inc. (SEC3) has been
helping organizations bridge the
SEC, FINRA, CFTC, and NFA
compliance knowledge gap.
Meet John Lukan &
SEC Compliance Consultants, Inc.
• CA, CFA, CMT
• Managing Director of SEC3
• 25 years experience providing fiduciary advice
3. A boutique cybersecurity services
company specializing in
supporting NFA & SEC registrants
under $3B AUM - primarily RIAs,
hedge funds, CTAs, and CPOs.
Meet Michael Brice &
BW Cyber Services
• Co Founder, Principal, Chief Security Officer
• Financial Services Cyber Expert, Former CIO
• B.S. Computer Science, NSA Trained
• 30 years of experience (classified & unclassified)
4. Providing global businesses with
the highest quality solutions to
cybersecurity issues by utilizing a
comprehensive prevent, defend,
contain, and eradicate approach
to threats.
Meet Paul Caiazzo &
TruShield Security Solutions
• Co-Founder, CEO, Chief Security Architect
• CISSP, CISA, CEH
• M.S. in Information Security and Assurance
• 15+ years of experience in Information Security
5. Webcast Objectives:
• SEC and FINRA PenTest Compliance Insight
• Penetration Testing (PenTesting) Explained
• Choosing a Qualified PenTest Vendor
6. Office of Compliance Inspections and
Examinations (OCIE) - 2017 Focus
Section II. Assessing Market-Wide Risks
• Cybersecurity: In 2017, we will continue our initiative
to examine for cybersecurity compliance procedures
and controls, including testing the implementation of
those procedures and controls.
Section IV. Protecting Retail Investors
• Never-Before Examined Investment Advisers: We are
expanding our Never-Before Examined Adviser
initiative to include focused, risk-based examinations of
newly registered advisers as well as of selected
advisers that have been registered for a longer period
but have never been examined by OCIE.
7. SEC Case Study “R.T. Jones”
• (RIA): $75k SEC fine
• Rule 30(a) of Regulation S-P (the “Safeguards Rule”) applied to Cybersecurity
• 3rd party vendor hosting PII for over 100,000 individuals
• Web server hacked by an unknown organization operating from China
• R.T. Jones mitigation:
• Cybersecurity consultants, identity monitoring…
• R.T. Jones consequences:
• Despite mitigation - SEC concluded the firm violated the rule, issued a
censure, and assessed a $75k fine
• SEC Message: The SEC made it clear that even in the absence of an actual
attack or a security breach, the failure of a Fund Manager to design and
implement a Cybersecurity Program is actionable.
8. Nature of the Threat
Nation States
• Israel
• Russia
• China
• North Korea
• Iran
Organized Crime
• Eastern Europe
• China
• Others around
the globe
Hacktivists/Hacktivism
• Anonymous
• Friends of Assange
• Just about anyone
with an agenda
Script Kiddies
• Your neighbor
• The kid down
the street
• A guy or gal
half-way around
the globe
Others
• Competitor
• Insider (purposeful)
• Insider (accidental)
• 3rd Party
We are at war, and we are being beaten badly…
Penetration Testing is our first line of defense against these threats,
because if we don’t test – they will!
9. So What is a Penetration Test and/or
Vulnerability Assessment?
Penetration Testing
(Manual Process)
• “PenTest” = Ethical Hackers
• Act like a hacker
• Look for ways to get into the network
• Look for ways to steal data
• Look for ways to watch everything
• Identify weaknesses in:
o Operating systems
o Applications
o Passwords and remote access
o Known software flaws
Vulnerability Assessment
(Automated Process)
• Automated programs, the same ones hackers use,
that identify security holes
• Test your defenses
• Trick your systems
• Flag possible low-security entry points for
attack
A PenTest combines automated tools with experienced “Testers” to probe your network (internally &
externally) to find and exploit technical weaknesses and operational vulnerabilities.
10. Vulnerability Scan Results
Vulnerability Scanning:
• Hundreds of tools available
• Automated Scanning
• Runs for hours/days
• Looks at everything
• Hundreds of pages output
• No inherent analysis
• Difficult to understand
• Difficult to interpret
• Difficult to prioritize
EXAMPLE VULNERABILITY REPORT:
4 lines of output from an example report that had over 200 results
11. Penetration Testing Results
Penetration Testing:
• Dozens of tools available
• Manual probes
• Runs for hours/days
• Tester determines what to look
at/probe
• Output is less bulky
• Analysis is included
• SHOULD BE easy to understand
• SHOULD BE easy to interpret
• SHOULD BE easy to prioritize
• SHOULD include key Vulnerability
Scan results
EXAMPLE PENETRATION REPORT:
5 lines of output from an example report that had 25 results
• Apply the security patches and system hardening configuration
changes as described in Appendix B of the SAR, including
ensuring antivirus software and definitions are updated on all
hosts
• Disable the firewall management interface from being
accessible across the Internet
• Update the firmware on the SonicWALL firewall
• Apply a license to the SonicWALL firewall which enables
many of the appliance-capable industry-standard security
features such as Content Filtering, Anti-Virus, Anti-Spyware,
Intrusion Prevention, and Botnet filtering
• Deploy a real-time log collection and security monitoring
solution that can correlate, aggregate, and alert on
suspicious activity for the border firewall, network appliances,
servers, and endpoints
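Slides 10 and 11 contrast a raw vulnerability scan (hundreds of rows, no analysis, hard to prioritize) with a pen test report (a short, ranked list of fixes). The Python below is an added example, not part of the original deck or any of the presenters’ tooling: it takes a constructed set of scanner rows and a constructed asset inventory, weights each finding by whether a public exploit exists and whether the host holds PII or faces the Internet, and collapses the per-host rows into one ranked remediation item per issue. The host names, findings, CVSS values and the scoring weights are all assumptions made for illustration, not a standard.

```python
"""Triage raw vulnerability-scan rows into a short, prioritized remediation list.

Constructed example: the asset inventory, the scanner rows and the weighting
factors below are made up for illustration and are not a standard.
"""
from collections import defaultdict

# Constructed asset inventory: which hosts hold client PII and which face the Internet.
ASSETS = {
    "fw-edge":     {"pii": False, "internet_facing": True,  "role": "border firewall"},
    "crm-db":      {"pii": True,  "internet_facing": False, "role": "client PII database"},
    "www":         {"pii": False, "internet_facing": True,  "role": "public website"},
    "ws-trader-1": {"pii": False, "internet_facing": False, "role": "trader workstation"},
    "ws-trader-2": {"pii": False, "internet_facing": False, "role": "trader workstation"},
}

# Constructed scanner output: a handful of the hundreds of rows a scanner normally emits.
FINDINGS = [
    {"host": "fw-edge", "port": 443,
     "title": "Firewall management interface reachable from the Internet",
     "cvss": 7.5, "exploit_public": True},
    {"host": "fw-edge", "port": 443, "title": "Outdated firewall firmware",
     "cvss": 6.5, "exploit_public": False},
    {"host": "crm-db", "port": 1433, "title": "Missing OS security patches",
     "cvss": 9.8, "exploit_public": True},
    {"host": "ws-trader-1", "port": 445, "title": "Missing OS security patches",
     "cvss": 9.8, "exploit_public": True},
    {"host": "ws-trader-2", "port": 445, "title": "Missing OS security patches",
     "cvss": 9.8, "exploit_public": True},
    {"host": "www", "port": 80, "title": "HTTP TRACE method enabled",
     "cvss": 4.3, "exploit_public": False},
    {"host": "ws-trader-1", "port": 0, "title": "Antivirus definitions out of date",
     "cvss": 5.0, "exploit_public": False},
    {"host": "www", "port": 443, "title": "TLS certificate expires within 30 days",
     "cvss": 2.0, "exploit_public": False},
]

SEVERITY_FLOOR = 4.0  # assumed: rows below this CVSS are noted but not ranked

# Assumed weights: a public exploit, a PII host and Internet exposure each raise the risk.
EXPLOIT_WEIGHT = 1.5
PII_WEIGHT = 2.0
INTERNET_WEIGHT = 1.2


def risk_score(finding, assets):
    """Business-weighted risk for one scanner row (higher means fix sooner)."""
    asset = assets.get(finding["host"], {"pii": False, "internet_facing": False})
    score = finding["cvss"]
    if finding["exploit_public"]:
        score *= EXPLOIT_WEIGHT
    if asset["pii"]:
        score *= PII_WEIGHT
    if asset["internet_facing"]:
        score *= INTERNET_WEIGHT
    return round(score, 1)


def prioritize(findings, assets, floor=SEVERITY_FLOOR):
    """Collapse per-host rows into one remediation item per issue, ranked by worst-case risk."""
    items = defaultdict(lambda: {"hosts": [], "max_score": 0.0, "pii_exposed": False})
    for f in findings:
        if f["cvss"] < floor:
            continue
        item = items[f["title"]]
        item["hosts"].append(f["host"])
        item["max_score"] = max(item["max_score"], risk_score(f, assets))
        item["pii_exposed"] = item["pii_exposed"] or assets.get(f["host"], {}).get("pii", False)
    ranked = sorted(items.items(), key=lambda kv: (-kv[1]["max_score"], kv[0]))
    return [{"title": title, **data} for title, data in ranked]


def report_lines(items):
    """Render the ranked items as the kind of short list a pen test report should contain."""
    lines = []
    for n, item in enumerate(items, start=1):
        tag = "; PII exposed" if item["pii_exposed"] else ""
        lines.append(f"{n}. [{item['max_score']:.1f}] {item['title']} "
                     f"({len(item['hosts'])} host(s){tag})")
    return lines


if __name__ == "__main__":
    for line in report_lines(prioritize(FINDINGS, ASSETS)):
        print(line)
```

Eight scanner rows become five ranked items; the missing-patch finding is listed once with three affected hosts and is ranked first because one of those hosts holds PII, while the expiring certificate drops below the floor and is left out of the ranked list. Swapping in a real scanner export (CSV or JSON) and the firm’s actual asset register is the only change needed to use this on live output.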
12. What’s the Difference Between an External and/or Internal PenTest?
External Testing:
• Diagram: Internet connection → router or firewall and modem → your company’s data and network → workstations
• Tester starts outside, banging away at the
webpage or firewall,
trying to get in…
Internal Testing:
• Diagram: same network, tester already behind the router or firewall
• Internal access is assumed;
the test determines how much
damage can now be done…
13. Deliverables & Scope
PenetrationTesting Deliverables Should Be:
• Easy to understand report
• Priority-oriented
• In a format that can be provided to IT vendor and
implemented with ease
• Financially feasible recommendations
• Focused on PII and other industry critical data
You Should Avoid Deliverables that:
• Contain 50+ pages of complex, esoteric recommendations
• Require a PhD in Cybersecurity to understand and
implement critical solutions
• Provide “Million dollar solutions” for “Thousand dollar
problems”
• Don’t reflect an understanding of your business/your industry
14. What To Look For in a “Pen Tester”
• U.S.-based testers
• PenTesters possess Government/DoD clearances
• Experience with SEC/FINRA and NFA regulations
• Findings presented in an understandable format
• Understand critical asset management related information,
such as PII, Signals, and/or “Crown Jewel” data
• Testing is tailored to asset management and not just a
“one-size fits all” solution