ELTENI’S CYBER SCOOP
In this newsletter, we uncover a major cybersecurity revelation. The SEC has taken action against SolarWinds Corporation and its CISO, Timothy G. Brown, for alleged fraud and internal control lapses tied to cybersecurity risks.
SEC Division of Examinations Announces 2024 Priorities
The Division will focus on registrants’ policies and procedures, internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks. Part of this review will consider whether registrants adequately train staff regarding their identity theft prevention program and their policies and procedures designed to protect customer records and information.
The release of these priorities is a precursor to what we believe is the imminent approval of the SEC's proposed rules on cybersecurity. Firms, regardless of size, should plan to have an effective cybersecurity program in place. Emphasis should be put on continually identifying and documenting risks relative to their potential impact on business operations. Equally important is implementing the proper controls, or at least efficiently and effectively planning to apply those controls. Finally, firms need policies, procedures and governance to manage this process effectively, including proper documentation and reporting. Firms that may not have the personnel, bandwidth or expertise to implement an effective cybersecurity program should partner with a firm that both understands the risk landscape specific to their lines of business and has subject matter expertise in general cybersecurity matters.
The SEC Acts Against SolarWinds and their Chief Information Security Officer
The SEC has charged SolarWinds Corporation and its Chief Information Security Officer (CISO), Timothy G. Brown, with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. These actions follow an SEC investigation; the SEC alleges that SolarWinds and Brown “ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company”. The SEC further alleges that “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information”.
In the end, SolarWinds’ primary issue did not stem from their lack of cybersecurity controls, but rather from their choice to disregard these issues and portray themselves as operating within a secure cyber environment, which ultimately proved to be inaccurate. Many Chief Information Security Officers (CISOs) and their respective organizations may now be pondering how to prevent a fate similar to SolarWinds’. The key lies in recognizing that achieving a perfectly secure environment is nearly impossible. Therefore, regulatory emphasis should shift away from the presence of security flaws and lean more towards how a company and its staff handle these challenges. If a cybersecurity deficiency is identified, it must be diligently documented, and the company should maintain transparency by sharing this information with the relevant stakeholders.
The overarching lesson that companies should glean from the SEC SolarWinds charges is the importance of consistently documenting and communicating known risks and vulnerabilities to the appropriate parties. By taking these proactive measures, organizations can safeguard themselves against the same predicaments faced by SolarWinds and their CISO.
The results of this project are both intriguing and concerning from a cybersecurity standpoint. They show that generative AI can produce convincing phishing emails within minutes with just a few prompts. This highlights the evolving cyber threat landscape and the potential efficiency and adaptability that AI-driven attacks could bring. It is crucial to verify suspicious emails through other means instead of relying solely on poor grammar as the primary red flag. Incorporating techniques like vishing into training programs is also essential. In addition, strengthening identity and access management controls and fostering a culture of continuous adaptation and innovation are vital for staying ahead of cybercriminals.
Although some websites have addressed the OAuth security vulnerability, experts warn that other online platforms may still be susceptible to similar issues. Therefore, it is crucial for users to exercise caution and take measures to enhance their online security. This can include utilizing strong and unique passwords and frequently monitoring their accounts for any unusual activity.
In the AI era, model errors are poised to emerge as the most prominent compliance challenge, underscoring the critical need for enhanced expertise and robust testing methodologies.
This notification is to warn member firms of an ongoing phishing campaign that involves fraudulent emails purporting to be from FINRA and using the domain names “@rf-finra.org” and “@rfs-finra.org”. The domains “@rf-finra.org” and “@rfs-finra.org” are not connected to FINRA, and firms should delete all emails originating from these domains and follow any internal procedures related to reporting phishing emails to the appropriate stakeholders. Member firms should be aware that they may receive similar phishing emails from other domain names in addition to those identified in this Alert.
FINRA reminds firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments, or clicking on any embedded links. FINRA has requested that the Internet domain registrar suspend services for “rfs-finra.org”.
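One way a firm could operationalize the alert above is a small mail-header check that blocks the two named lookalike domains and flags other FINRA-themed sender domains for review, since the alert warns that further domain names may appear. This is an added example, not FINRA's code or guidance; it assumes finra.org is FINRA's legitimate sending domain, and the sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Lookalike domains named in the FINRA alert above.
ALERT_DOMAINS = {"rf-finra.org", "rfs-finra.org"}
# Assumption (not stated in the alert): finra.org is FINRA's legitimate sending domain.
LEGIT_DOMAIN = "finra.org"


def header_domains(raw_message: str) -> set:
    """Collect the lowercase domains used in the From: and Reply-To: headers.

    parseaddr() splits the display name from the address, so a message whose
    From: reads 'FINRA <alerts@rf-finra.org>' yields 'rf-finra.org' rather
    than being fooled by the display name.
    """
    msg = email.message_from_string(raw_message)
    domains = set()
    for field in ("From", "Reply-To"):
        _, addr = parseaddr(msg.get(field, ""))
        if "@" in addr:
            domains.add(addr.rpartition("@")[2].lower())
    return domains


def classify(raw_message: str) -> str:
    """'block' for a domain named in the alert, 'review' for any other
    FINRA-themed domain that is not finra.org or a subdomain of it,
    'allow' otherwise."""
    verdict = "allow"
    for dom in header_domains(raw_message):
        if dom in ALERT_DOMAINS:
            return "block"
        legit = dom == LEGIT_DOMAIN or dom.endswith("." + LEGIT_DOMAIN)
        if "finra" in dom and not legit:
            verdict = "review"
    return verdict


# Constructed sample messages (not real mail) exercising each verdict.
SAMPLES = {
    "lookalike_from": "From: FINRA <alerts@rf-finra.org>\nSubject: Action required\n\nSee attachment.\n",
    "lookalike_reply_to": "From: notices@example.com\nReply-To: help@rfs-finra.org\nSubject: Verify\n\nReply now.\n",
    "new_lookalike": "From: compliance@finra-secure.org\nSubject: Update\n\nClick here.\n",
    "legitimate": "From: noreply@finra.org\nSubject: Weekly digest\n\nContent.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {classify(raw)}")
```

Checking Reply-To as well as From matters because a lookalike domain is sometimes placed only in the reply address while From: shows an unrelated sender.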
The Federal Trade Commission (FTC) just officially approved an amendment to the Safeguards Rule requiring non-banking financial institutions to report certain data breaches and other security events to the agency. The FTC will require data breach notifications to include:
- Identification and contact details of the reporting financial institution.
- A description of the categories of information implicated in the notification.
- Where ascertainable, the date or date range of the notification event.
- The number of affected consumers.
- An overall narrative outlining the notification event.
DECODE THE TERMS
These days, the term “phishing” is typically generalized for a type of social engineering cyber-attack. However, it can also encompass a wide range of other specific situations. Let’s look at some of the terminology associated with phishing.
Phishing (aka Email phishing)
The practice of sending an email purporting to be from a reputable source to manipulate the recipient into revealing personal or sensitive information. Given the current range of communication channels, this has extended to platforms other than email (e.g. social media platforms such as LinkedIn, “X” (formerly Twitter), Instagram, Facebook and WhatsApp).
Spear phishing
A targeted phishing campaign, typically aimed at an individual or single entity.
Whaling
A targeted phishing campaign typically aimed at high-profile individuals (e.g., C-suite executives).
Smishing (aka SMS phishing)
The practice of sending SMS/Text messages purporting to be from a reputable source with links or phone numbers to manipulate the recipient into revealing personal or sensitive information.
Vishing (aka voice phishing)
The practice of calling or leaving voicemails purporting to be from a reputable source to manipulate the recipient into revealing personal or sensitive information.
Quishing (aka QR code phishing)
The practice of presenting fraudulent QR codes to manipulate recipients into revealing personal or sensitive information.