SEC hack acts as another security wakeup call

October 20, 2017

The U.S. Securities and Exchange Commission (SEC) has revealed that it has fallen victim to a hack. In its recent “Statement on Cybersecurity”, published by its Chairman, Jay Clayton, the agency disclosed that its controversial Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system had been compromised last year and "may have provided the basis for illicit gain through trading".

Unfortunately, this is not the first time the SEC has exposed financial data. In 2014, the SEC inspector general revealed that hundreds of agency laptops, potentially containing sensitive market data, could not be accounted for. If you look at the SANS Institute’s CIS Critical Security Controls, number 1 on the list is “Inventory of Authorized and Unauthorized Devices”. Put simply, you can’t secure what you don’t know about.

What about the more recent EDGAR breach? This system was designed to handle electronic filings of corporate statements. These statements relate to finances and events that may impact the business and include draft documents. The system is designed to ensure fairness by releasing all the relevant data to the public at the same time, preventing individuals from trading on advance information.

As a result of the breach, it is believed that hackers may have accessed advance information to gain an advantage in trades. Interestingly, the breach occurred due to a software vulnerability in a test version of EDGAR. This is where alarm bells start ringing in terms of security best practice. In this case, it appears that a test system was connected to live SEC data and made publicly accessible. Given that test systems are generally not secured to the same level as production systems, this is a huge red flag.

If we look again at the CIS controls, we see that secure configuration and vulnerability assessment and remediation are key controls to prevent an attacker easily exploiting a system, in this case by ensuring that any system with access to sensitive data is secured. Moving beyond that, it is important to harden the system by having an inventory (allow list) of authorized software and controlling administrative privileges. These last steps are key to stopping attackers leveraging a vulnerability to easily install backdoors and abuse privileged accounts' access to data.

Given that the vulnerability was only patched after the breach was discovered, it appears that, just like the Equifax incident, this is a classic example of organizations failing to get the basics right around securing systems. No matter whether a system is test or production, if it contains business information it needs to be secured properly. It has repeatedly been proven that applying the top 5 CIS controls or, as an alternative, the ASD top 4 mitigates the majority of cyber threats that seem to plague organizations globally.
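The controls discussed above (secure configuration, vulnerability remediation, software allow listing and control of administrative privileges) can be checked mechanically against an asset inventory. The following Python example is added here for illustration and is not BeyondTrust or SEC code; the asset names, fields and policy sets are constructed and hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    environment: str            # "production" or "test"
    holds_business_data: bool   # connected to live business data
    internet_facing: bool
    open_vulns: int             # unremediated findings from the last scan
    software: set = field(default_factory=set)
    local_admins: set = field(default_factory=set)

# Constructed policy and inventory (hypothetical names, not from the incident).
ALLOWED_SOFTWARE = {"nginx", "postgresql", "filing-app"}
APPROVED_ADMINS = {"svc-deploy", "ops-oncall"}

INVENTORY = [
    Asset("filings-prod", "production", True, True, 0,
          {"nginx", "filing-app"}, {"svc-deploy"}),
    Asset("filings-test", "test", True, True, 3,
          {"nginx", "filing-app", "debug-shell"}, {"svc-deploy", "dev-intern"}),
    Asset("build-test", "test", False, False, 1, {"nginx"}, {"ops-oncall"}),
]

def audit(asset):
    """Return the list of control failures for one asset."""
    findings = []
    # The data an asset holds sets the bar, not its environment label.
    if asset.holds_business_data:
        if asset.environment != "production" and asset.internet_facing:
            findings.append("non-production system with live data is publicly reachable")
        if asset.open_vulns:
            findings.append(f"{asset.open_vulns} unremediated vulnerabilities on a data-bearing system")
    extra = sorted(asset.software - ALLOWED_SOFTWARE)
    if extra:
        findings.append("software not on allow list: " + ", ".join(extra))
    rogue = sorted(asset.local_admins - APPROVED_ADMINS)
    if rogue:
        findings.append("unapproved administrative accounts: " + ", ".join(rogue))
    return findings

def audit_inventory(inventory):
    """Map asset name -> findings, omitting assets with no findings."""
    return {a.name: f for a in inventory if (f := audit(a))}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Only the test system that holds live data is flagged; the test system without business data passes even though it has an open finding, which is the distinction the paragraph above draws.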

Although it appears that the SEC has a good deal of work to do in improving its security posture, this is hopefully a wakeup call to other organizations that may be sitting on a time bomb of unpatched systems, unauthorized applications and excessive use of admin privileges.

James Maude

James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community make him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.
