A new report from the U.S. Government Accountability Office (GAO) criticizes the Securities and Exchange Commission (SEC) for falling short in the area of cybersecurity.
While noting the SEC had made progress in strengthening security controls, the report took the agency to task for several security gaps, including failing to consistently identify and authenticate users and encrypt sensitive data. The GAO also criticized the SEC for other issues, such as not consistently applying software patches intended to fix vulnerabilities in servers and databases in a “timely manner.” Other criticisms included an inadequate segregation of duties between the SEC’s development and production environments and a failure to develop a disaster recovery plan that ensured the redundancy of a critical server.
“The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location,” according to the report. “Specifically, during the migration, SEC did not (1) consistently oversee the information security-related work performed by the contractor and (2) effectively manage risk.”
The report follows the announcement earlier this week of a new SEC initiative to analyze the cybersecurity practices of Wall Street firms.
“SEC continues to make progress in improving information security controls over its key financial systems,” according to the report. “However, information security control weaknesses in a key financial system’s production environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by the system. These included deficiencies in SEC’s controls over access control, configuration management, segregation of duties, and contingency and disaster recovery planning.”
“In addition, SEC did not consistently provide adequate contractor oversight and implement an effective risk management process during the migration of an important financial system to its new location,” the report noted.
In a letter responding to the GAO’s findings, SEC Chief Information Officer Thomas Bayer stated that the findings in the report were due to a lack of oversight of a contractor during the migration of a financial system to one of the agency’s two new data centers. While he agreed that the appropriate oversight was not present during the process and the system was deployed without meeting the agency’s normal configuration requirements, he added that the situation was addressed as soon as the SEC was notified by the GAO.
“While we regret the lack of contractor oversight of the system migration, we remain confident that our layered defense architecture would have allowed us to detect and respond to attempted intrusions in a timely fashion, and our forensic investigation yielded no evidence of compromise to that system,” Bayer wrote.
The report is available online.