[Dataloss] SEC must fix data security weaknesses

Richard Forno rforno at infowarrior.org
Sat Apr 29 19:09:47 EDT 2006


SEC must fix data security weaknesses

By John Poirier
Reuters
Saturday, April 29, 2006; 11:01 AM
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/29/AR2006042900556_pf.html

WASHINGTON (Reuters) - It's a nightmare scenario: A hacker accesses e-mails
in U.S. Securities and Exchange Commission computers and splashes them
across the Internet, revealing an inquiry into a company that shakes
investor confidence before the probe is complete.

Such an attack has never happened at the SEC, but computer experts say it
could if the agency fails to tighten security.

The SEC, an investor protection agency that demands tight internal controls
from the companies it oversees, was recently criticized by congressional
investigators for not having its own house in order when it comes to cyber
security.

The Government Accountability Office (GAO) said last month the SEC had
failed to limit remote access to its servers, establish controls over
passwords, securely configure all network devices, and adopt security
monitoring procedures.

A successful hacker could use nonpublic information to make trouble for a
targeted company or rival.

"It wouldn't necessarily be manipulation" of data by a hacker that would do
the most harm, said Paul Kurtz, a former White House cyber security
official. "It would be to expose information to damage another firm."

The SEC relies on computer systems to oversee the activities of stock
exchanges, brokerage firms, clearing agencies and some 12,000 companies. It
collects more than 600,000 public documents annually from companies, as well
as confidential information in connection with enforcement cases.

LENGTHY REVIEW

The GAO staff spent five months last year assessing security at the agency's
headquarters, a relatively new building in Washington D.C., and at its
computer facility in nearby Alexandria, Virginia. The SEC also has 11
regional and district offices, which were not examined.

"Overall, the SEC has not effectively implemented information security
controls to properly protect the confidentiality, integrity, and
availability of its financial and sensitive information and information
systems," the GAO concluded.

The investigators said the SEC has made "little progress" in tightening
internal controls to protect its information.

If a hacker successfully entered some of the SEC computers, "it's likely
they (the agency) may not be able to detect it," said Gregory Wilshusen,
lead author of the GAO report.

There are no reports of an outsider burrowing into the SEC's computer
systems, but there have been other incidents that make experts uneasy.

Last year, the SEC charged an Estonian financial services firm and two of
its employees with fraud for allegedly hacking into Business Wire and
stealing corporate press release data that had not yet been made public. The
pair made at least $7.8 million by strategically timing long, short and
options trades based on the stolen information, according to the SEC.

Corey Booth, director of the SEC's office of information technology, said
there needs to be a cultural shift in the way the agency's more than 3,800
employees handle passwords, share information and develop systems at the
agency.

"At the end of day, it's about people who are in possession of data," Booth
said. "We are fully committed to cleaning this stuff up by the end of this
fiscal year" on September 30.

ASSESSING RISK

Kurtz, who is now executive director of the Cyber Security Industry
Alliance, an information security advocacy group, agreed with Booth that SEC
employees must help guard systems.

"This is not all about technology (such as) 'Do you have the right firewall
and the right authentication technology?'"

In its March report, the GAO said the SEC corrected eight of 51 weaknesses
previously identified by the GAO. But the GAO audit also uncovered 15 new
weaknesses that reflect the SEC's failure to develop a comprehensive
security program.

GAO investigators said the SEC increased security personnel and created a
backup data center, but has not yet developed procedures to assess risks and
analyze security incidents.

"These controls are essential to ensure that financial information is
adequately protected from inadvertent or deliberate misuse, fraudulent use,
improper disclosure, or destruction," the GAO investigators said.

SEC Chairman Christopher Cox, who inherited the agency's computer
shortcomings when he took over in August, has said information security is
one of his top priorities in 2006 and steps have been taken on his watch to
improve data security.

For instance, the SEC has a new incident response program and a disaster
recovery procedure for a dozen major computer applications using the SEC's
back-up data center.

"My feeling is that he (Cox) is on the right track, and that with increased
technology, the SEC will be able to achieve the important objectives of the
GAO's report," said Harvey Pitt, a former SEC chairman who is now a
consultant.

Early next month GAO staff will start another round of tests to see how much
progress has been made.
© 2006 Reuters