ELTENI’S CYBER SCOOP
In this newsletter, we highlight the FINRA 2024 Regulatory Oversight Report, law enforcement’s continuing crackdown on cyber criminals, and the impact of Artificial Intelligence on cybersecurity.
FINRA Publishes 2024 Regulatory Oversight Report
In January, FINRA published its 2024 Annual Regulatory Oversight Report, formerly known as the Report of FINRA’s Examination and Risk Monitoring Program. New topics this year include Crypto Asset Developments and Advertised Volume, where FINRA observed firms overstating their trading volume and failing to supervise those figures reasonably. Other topics covered include Anti-Money Laundering, Reg BI and Form CRS, the Consolidated Audit Trail (CAT), and Cybersecurity, where FINRA highlighted a noticeable uptick in cyber incidents including imposter websites, insider threats, ransomware, and incidents at critical third-party vendors. FINRA assists its members by providing guidance on best practices for identifying, preventing, and mitigating incidents; this information can be found on FINRA’s Cybersecurity Topic Page and its Industry Risks and Threats Resource Page.
The escalating complexity and frequency of cyber incidents prompt regulators such as FINRA to publicly reinforce their established cybersecurity expectations. The aim is to help member firms implement robust controls that reduce the risks to their clients, investors, and their own operations, and to push firms toward preventive measures rather than reaction after the fact. Whether firms manage cybersecurity internally or entrust it to reputable external firms with specialized expertise, they need a comprehensive approach that extends beyond the technology-dependent parts of their operations to their people and processes as well.
Member of notorious international hacking crew sentenced to prison
A 22-year-old French citizen, Sebastian Raoult (aka “Sezyo Kaizen”) of Epinal, France, was sentenced to three years in prison and ordered to pay $5 million in restitution for his part in a hacking crew’s activity. The crew caused millions of dollars in reported losses to companies and unmeasured additional losses to the millions of individuals whose data was sold to other cybercriminals. Raoult and his co-conspirators stole customer records and personally identifiable information (PII), threatened to leak or sell the stolen data, and in some cases did sell it on the dark web. He is also alleged to have run phishing campaigns, creating fake websites that imitated the login pages of legitimate companies and sending phishing emails that directed victims to those pages to capture their login credentials.
With the constant evolution of technology and the anonymity the internet affords, traditional enforcement methods are often inadequate for the sheer volume and sophistication of cyber threats. Cases where perpetrators are apprehended and their involvement conclusively established are therefore important milestones: they are wins in individual cases and evidence that multifaceted enforcement strategies work.
There is a proactive side to cyber policy enforcement: data protection laws, cybersecurity standards for businesses, and international cooperation agreements to combat cyber threats across borders. There is also the reactive side: investigating and prosecuting cybercrimes as they happen, using specialized cybercrime units within law enforcement agencies working with cybersecurity firms, forensic experts, and other stakeholders who have the technical expertise and tools to trace digital footprints and gather evidence. When these strategies converge to identify, apprehend, and prosecute those responsible for cybercrimes, it delivers justice to victims and sends a resounding message to would-be offenders. Such successes contribute to broader deterrence by raising awareness, and they underscore the importance of continued investment in cybersecurity measures, collaboration between the public and private sectors, and adaptation of legal frameworks to emerging challenges in the digital landscape.
Bob Diachenko, owner of SecurityDiscovery.com, together with Cybernews, discovered 12 terabytes of data comprising more than 26 billion records on an openly accessible instance. The dataset is compiled from data leaked in previous breaches, and its owner is likely to remain unknown; researchers believe the owner may be malicious given the staggering size of the collection. The data could be used by threat actors for phishing scams and identity fraud, and to gain unauthorized access to accounts and facilitate further cyberattacks. Although researchers believe some of the records are duplicates, the size and type of information in the dataset should be cause for concern: most of it is sensitive and therefore valuable to threat actors.
On January 10, 2024, the US Securities and Exchange Commission’s (“SEC”) X (formerly Twitter) account was hacked and used to announce approval of Bitcoin exchange-traded funds (ETFs). About 20 minutes later the post was taken down and the SEC confirmed that its X account had been compromised. The SEC has since disclosed details of the breach: the account was taken over through a SIM-swapping attack, in which the attacker had the phone number tied to the SEC account transferred to a SIM card under their control and then used that number to reset the account’s password. The takeover could have been prevented had the SEC not disabled multi-factor authentication on the account because of “issues while attempting to login”. Note that SMS-based MFA alone would not have fully closed this gap, since a SIM swap also intercepts SMS codes; authenticator-app or hardware-token MFA does not depend on the phone number. Although the incident was considered minor, it is a clear message that attackers can move markets simply by posting a message: Bitcoin jumped to $48,000 before dropping by 6% when the statement was confirmed as false. That should leave investors asking: if a single post can cause a 6% dip, what would happen if, for example, the US Department of Defense’s X account were hacked to announce a war? The consequences could be global, up to and including a market collapse.
As AI develops, a technical understanding of how to carry out cyberattacks is no longer required, allowing less technical individuals to enter cybercrime. James Smith, Assistant Director in charge of the FBI’s New York field office, indicated that the FBI has already seen an uptick in cybercrime attributable to AI. Federal prosecutors believe AI may increase cybercrime aimed at the financial sector, reinforcing the importance of building and enhancing firm cybersecurity programs. One example given was an AI-generated image used to trick a bank into verifying an individual’s identity so that accounts could be opened and money withdrawn.
DECODE THE TERMS
DR (Disaster Recovery) – Disaster recovery refers to the process, policies, and procedures put in place to enable the restoration or continuation of vital technology infrastructure and systems following a natural or man-made disaster. The primary objective of disaster recovery is to minimize downtime and data loss, ensuring that critical business operations can resume as quickly and smoothly as possible after an adverse event.
BCP (Business Continuity Plan) – Like disaster recovery, business continuity planning aims to minimize the impact of disruptions on critical business operations, safeguarding the organization’s ability to deliver products or services, maintain customer satisfaction, and uphold its reputation. The difference is scope: where disaster recovery is about restoring technology after a disruption, business continuity refers to the proactive processes and strategies that keep essential business functions running, or rapidly resume them, while the disruption is ongoing. These disruptions may arise from natural disasters, technological failures, human error, or malicious attacks.
RTO (Recovery Time Objective) – is a crucial metric in disaster recovery and business continuity planning. It is the targeted duration within which an organization aims to restore its systems, applications, and services to a functional state following a disruptive event. RTO is often confused with maximum tolerable downtime (MTD), the longest a business process can be unavailable before the damage becomes unacceptable; the two are related but not identical. The RTO for a system must fit inside the MTD of the processes that depend on it, leaving time after technical restoration to verify the system and resume work. Establishing a clear RTO helps organizations prioritize recovery efforts, allocate resources effectively, and ensure timely restoration of essential functions.
RPO (Recovery Point Objective) – is another vital metric in disaster recovery and business continuity planning. It represents the maximum amount of data loss, measured in time, that an organization is willing to accept in the event of a disruption. In other words, RPO specifies the point in time to which data must be recoverable to resume normal operations after a disruptive incident such as a system failure, cyberattack, or natural disaster. An RPO of one hour, for example, means backups or replication must capture changes at least every hour, and that up to the most recent hour of data may be lost. Establishing a clear RPO helps organizations set priorities for data protection measures, such as backup frequency, replication strategies, and disaster recovery solutions.
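The RTO and RPO definitions above are targets; whether a firm actually meets them is only visible in its backup and restore records. The following Python script is an added example, not part of the newsletter, that shows how to measure both against a constructed backup log. The log format, the timestamps, and the targets are assumptions made up for the illustration. The point it makes that the definitions alone do not: a failed backup job is not a restore point, so a single failure silently doubles the data-loss window even when the backup schedule itself is within the RPO.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample backup log (assumption, not real data): one line per
# backup job, "<ISO timestamp> <status>". The 06:00 job failed, so any data
# written between 03:00 and 09:00 would be lost if the system died at 08:59.
SAMPLE_BACKUP_LOG = """\
2024-01-15T00:00:00 OK
2024-01-15T03:00:00 OK
2024-01-15T06:00:00 FAILED
2024-01-15T09:00:00 OK
2024-01-15T12:00:00 OK
"""


@dataclass(frozen=True)
class RecoveryTargets:
    rpo: timedelta  # maximum tolerable data loss, expressed as time
    rto: timedelta  # maximum tolerable time to restore service


def parse_backup_log(text: str) -> list[tuple[datetime, bool]]:
    """Return (timestamp, succeeded) pairs sorted oldest first."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, status = line.split()
        entries.append((datetime.fromisoformat(stamp), status == "OK"))
    return sorted(entries)


def worst_case_data_loss(entries: list[tuple[datetime, bool]], now: datetime) -> timedelta:
    """Largest interval during which no successful restore point existed.

    Only successful jobs count as restore points, so a FAILED job leaves the
    gap between its neighbours intact. The interval from the last good backup
    to `now` is included: that is the data currently at risk.
    """
    good = [stamp for stamp, ok in entries if ok]
    if not good:
        # No restore point at all: everything since the first attempt is at risk.
        return now - entries[0][0] if entries else timedelta(0)
    gaps = [later - earlier for earlier, later in zip(good, good[1:])]
    gaps.append(now - good[-1])
    return max(gaps)


def check_targets(
    entries: list[tuple[datetime, bool]],
    now: datetime,
    targets: RecoveryTargets,
    restore_started: datetime,
    restore_finished: datetime,
) -> dict:
    """Compare measured data loss and restore time against RPO and RTO."""
    loss = worst_case_data_loss(entries, now)
    restore = restore_finished - restore_started
    return {
        "worst_case_data_loss": loss,
        "rpo_met": loss <= targets.rpo,
        "restore_duration": restore,
        "rto_met": restore <= targets.rto,
    }


if __name__ == "__main__":
    entries = parse_backup_log(SAMPLE_BACKUP_LOG)
    now = datetime.fromisoformat("2024-01-15T13:00:00")
    targets = RecoveryTargets(rpo=timedelta(hours=4), rto=timedelta(hours=2))
    # Assumed restore drill: started 12:30, service back at 14:00.
    result = check_targets(
        entries,
        now,
        targets,
        datetime.fromisoformat("2024-01-15T12:30:00"),
        datetime.fromisoformat("2024-01-15T14:00:00"),
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

With a three-hourly schedule and a four-hour RPO the plan looks compliant on paper, but the failed 06:00 job produces a six-hour exposure window and the script reports the RPO as missed while the RTO is met. In practice the same check belongs in backup monitoring, alerting on the measured gap rather than on the schedule.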