What best practices can we derive from FINRA based on the attack and subsequent response by Davidson & Co.?
A common statement by practitioners is that regulations speak to intent and reasonable security safeguards, but do not stipulate precisely what is required to satisfy them. Most understand that security and risk management are fluid processes, so (thankfully) most regulations allow for time as a factor in meeting the needs of the consumers of such systems and technologies. This breach provides excellent quantitative factors to consider for any security program, regardless of industry.
Davidson & Co. was breached using SQL Injection – a nasty and highly successful type of attack. Records were stolen and FINRA fined the business $375,000, taking into account a number of factors, including:
- No known use of stolen customer data (the fine is based on the lack of proof that the data was used maliciously, despite the fact that there was a blackmail attempt by the perpetrators)
- Davidson & Co. was cooperative with law enforcement
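As an added illustration (not code from the original post or from Davidson & Co.), here is the flaw behind the attack named above beside its standard fix: a query assembled by string formatting versus a parameterised one, run against a constructed in-memory SQLite table whose customer rows are invented for the demo.

```python
import sqlite3

# Constructed sample customer table, standing in for the kind of records
# exposed in the breach (usernames, account ids and balances are invented).
SAMPLE_ROWS = [
    ("alice", "ACCT-0001", 1200.00),
    ("bob", "ACCT-0002", 530.50),
    ("carol", "ACCT-0003", 9800.25),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, account TEXT, balance REAL)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String-built query: the user's input is parsed as SQL, which is the injection flaw."""
    sql = f"SELECT username, account FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver binds the value, so it is never parsed as SQL."""
    sql = "SELECT username, account FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run a benign and a hostile input through both lookups; return row counts."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # textbook tautology input, used only to contrast the two paths
    return {
        "benign_vulnerable": len(lookup_vulnerable(conn, benign)),
        "benign_hardened": len(lookup_hardened(conn, benign)),
        "hostile_vulnerable": len(lookup_vulnerable(conn, hostile)),  # every row leaks
        "hostile_hardened": len(lookup_hardened(conn, hostile)),  # no such username: 0 rows
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns the whole table for the hostile input while the parameterised path returns nothing, which is the difference between a data-theft event and a harmless failed lookup.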
Safeguards that FINRA highlighted as necessary to have prevented the breach:
- Sensitive data must be encrypted
- Vendor passwords should be changed from default settings
- Network logs should be actively managed and reviewed sufficiently to identify network intrusions
- Firewalls and application services should be configured to minimize direct connections to the public internet (including databases)
- An active detection solution, such as Network Intrusion Detection, should be deployed
Finally, an interesting point – Davidson & Co. stated that a 3rd party auditor had conducted a penetration test and failed to breach their security. This is important because it speaks to the need to keep such tests in balance with a full information security program. Such a program must at least include internal evaluation of firewalls, network configurations, server management, change control, people and process, and the essential IT controls required to ensure a satisfactory level of operational integrity (secure; compliant; happy customers).
Through this judgment FINRA clearly states what is expected – encrypted sensitive data (as is encouraged by more than 50 state and federal laws); current security safeguards; and serious attention wherever required. The FTC, SEC, and their UK counterparts have provided exceptionally detailed guidance of this kind over the past few years, and it should be folded into each company's GRC program through regular updates.
Link to the ComputerWorld article is here.
Link to another great write up is here at Wired’s Threat Level (more details of perpetrators).
Thoughts / Insights?