Penetration Testing and Vulnerability Assessments: Examining the SEC and FINRA Requirements
1 like673 views
The document discusses the importance of penetration testing (pentesting) and vulnerability assessments in complying with SEC and FINRA regulations, emphasizing their role in identifying cybersecurity risks and protecting confidential information. Several cybersecurity experts are introduced, highlighting their experiences and approaches to managing threats, while case studies illustrate the consequences of neglecting cybersecurity measures. The document also details the differences between external and internal pentests, the key deliverables expected from testing, and criteria for choosing a qualified pentester.
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINRA Requirements
- 1. PenetrationTest and Vulnerability Assessments: Examining the SEC and FINRA Requirements January 25, 2017
- 2. Since 2003, SEC Compliance Consultants, Inc. (SEC3) has been helping organizations bridge the SEC, FINRA, CFTC, and NFA compliance knowledge gap. Meet John Lukan & SEC Compliance Consultants, Inc. • CA, CFA, CMT • Managing Director of SEC3 • 25 years experience providing fiduciary advice
- 3. A boutique cybersecurity services company specializing in supporting NFA & SEC registrants under $3B AUM - primarily RIA’s, hedgefunds, CTAs, and CPOs. Meet Michael Brice & BW Cyber Services • Co Founder, Principal, Chief Security Officer • Financial Services Cyber Expert, Former CIO • B.S. Computer Science, NSATrained • 30 years of experience (classified & unclassified)
- 4. Providing global businesses with the highest quality solutions to cybersecurity issues by utilizing a comprehensive prevent, defend, contain, and eradicate approach to threats. Meet Paul Caiazzo & TruShield Security Solutions • Co-Founder, CEO, Chief Security Architect • CISSP, CISA, CEH • M.S. in Information Security and Assurance • 15+ years of experience in Information Security
- 5. SEC and FINRA PenTest Compliance Insight PenTesting Explained Penetration Testing (PenTesting) Webcast Objectives: Choosing a Qualified PenTest Vendor
- 6. Office of Compliance Inspections and Examinations (OCIE) - 2017 Focus Section II. Assessing Market-Wide Risks • Cybersecurity: In 2017, we will continue our initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls. Section IV. Protecting Retail Investors • Never-Before Examined Investment Advisers: We are expanding our Never-Before Examined Adviser initiative to include focused, risk-based examinations of newly registered advisers as well as of selected advisers that have been registered for a longer period but have never been examined by OCIE.
- 7. SEC Case Study “RT Jones” • (RIA): $75k SEC fine • Rule 30(a) of Regulation S-P2 (the “Safeguard Rule”) for Cybersecurity • 3rd party vendor, hosting PII for over 100,000 individuals • Website hacked by unknown Chinese organization • R.T. Jones mitigation • Cybersecurity consultants, identity monitoring… • R.T. Jones consequences: • Despite mitigation - SEC concluded they violated the law, issued censured, and assessed $75k fine • SEC Message: The SEC made it clear that even in the absence of an actual attack or a security breach, the failure of a Fund Manager to design and implement a Cybersecurity Program is actionable.
- 8. Nature of theThreat National States • Israel • Russia • China • North Korea • Iran Organized Crime • Eastern Europe • China • Others around the globe Hactivist/Hacktivism • Anonymous • Friends of Assange • Just about anyone with an agenda Script Kiddies • Your neighbor • The kid down the street • A guy or gal half-way around the globe Others • Competitor • Insider (purposeful) • Insider (accidental) • 3rd Party We are at war, and we are being beat badly… PenetrationTesting is our first line of defense against these threats, because if we don’t test – they will!
- 9. SoWhat is a PenetrationTest and/or Vulnerability Assessment? • “PenTest” = Ethical Hackers • Act like a hacker • Look for ways to get into network • Look for ways to steal data • Look for ways to watch everything • Identify weakness in: o Operating systems o Applications o Passwords and remote accesses o Known software flaws • Automated programs that hackers use to identify security holes • Test your defenses • Trick your systems • Provide possible low security means for attack Vulnerability Assessment (Automated Process) PenetrationTesting (Manual Process) A PenTest combines automated tools with experienced “Testers” to probe your network (internally & externally) to find and exploit technical weakness and operational vulnerabilities +
- 10. Vulnerability Scan Results Vulnerability Scanning: • Hundreds of tools available • Automated Scanning • Runs for hours/days • Looks at everything • Hundreds of pages output • No inherent analysis • Difficult to understand • Difficult to interpret • Difficult to prioritize EXAMPLEVULNERABILITY REPORT: 4 Lines of output from an example report that had over 200 results
- 11. PenetrationTesting Results PenetrationTesting: • Dozens of tools available • Manual Probes • Runs for hours/days • Tester determines what to look at/probe • Output is less bulky • Analysis in involved • SHOULD BE Easy to understand • SHOULD BE easy to interpret • SHOULD BE easy to prioritize • SHOULD include keyVulnerability Scan results EXAMPLE PENETRATION REPORT: 5 Lines of output from an example report that had 25 results Apply the security patches and system hardening configuration changes as described inAppendix B of the SAR,including ensuring antivirus software and definitions are updated on all hosts Disable the firewall management interface from being accessible across the Internet Update the firmware to the SonicWALL firewall Apply a license to the SonicWALL firewall which enables many of the appliance-capable industry-standard security features such as Content Filtering,Anti-Virus,Anti-Spyware, Intrusion Prevention, and Botnet filtering Deploy real-time log collection and security monitoring solution that can correlate, aggregate, and alert on suspicious activity for border firewall, network appliances, servers, and endpoints
- 12. What’s the Difference Between an External and/or Internal PenTest? External Testing: Internal Testing: WorkstationWorkstation Workstation Router or Firewall and Modem Your Company’s Data and Network Internet Connection Banging away at the webpage or firewall- trying to get in… WorkstationWorkstation Workstation Router or Firewall and Modem Your Company’s Data and Network Internal access is assumed- determining how much damage can now be done… Internet Connection
- 13. Deliverables & Scope PenetrationTesting Deliverables Should Be: • Easy to understand report • Priority-oriented • In a format that can be provided to IT vendor and implemented with ease • Financially feasible recommendations • Focused on PII and other industry critical data You Should Avoid Deliverables that: • Contain 50+ pages of complex, esoteric recommendations • Required a PhD in Cybersecurity to understand and implement critical solutions • Provide “Million dollar solutions” for a “Thousand dollar problems” • Don’t understand your business/your industry
- 14. WhatTo Look For in a “Pen Tester” U.S.-based testers PenTesters possess Government/DoD clearances Experience with SEC/FINRA and NFA regulations Findings presented in understandable format Understand critical asset management related information, such as PII, Signals, and/or “Crown Jewel” data Testing is tailored to asset management and not just a “one-size fits all” solution
- 15. Questions BW Cyber Services 703-675-2242 BWCyberServices.com info@bwcyberservices.com TruShield 877-583-2841 TruShieldInc.com info@trushieldinc.com SEC3 212-706-4029 SECCC.com info@seccc.com