Last week LeapRate reported that the SEC had been hacked despite warnings on security, and that its EDGAR system data may have been used for “illicit gain through trading”, as SEC Chairman Jay Clayton stated in his statement.
We’re pleased to present our recent conversation on the topic with Alex Heid, white hat hacker and Chief Research Officer at SecurityScorecard, a cybersecurity rating and monitoring platform.
LR: How can public and private sectors, such as the S.E.C., be more vigilant and take active steps towards recovery?
Alex: As with any cyber security incident, the measure of a successful response is determined by the speed of execution and strategies for remediation and future mitigation.
The recent incident with the SEC EDGAR web application involved unauthorized individuals gaining access to information before the public, and then profiting from pre-arranged trades using information that had been gleaned.
Attackers were most likely able to take advantage of a web application vulnerability that allowed them to see information that was not yet public, and had either registered their own account on the platform or taken over a pre-existing account to achieve the appearance of legitimate access to the system.
LR: What greater impacts could this potentially lead to, if the hacking led to illegal profit through trading?
Alex: The attack showcases the re-emergence of the ‘pump-and-dump’ stock fraud method, using the web application exploitation techniques as a way to gain foresight (or potentially manipulate) future stock movements.
The fact that the method was successful for attackers means that we are likely to see repeat scenarios, perhaps with foreign stock markets as the next target (or possible current targets).
LR: What are your thoughts on the need for more effective monitoring and management in areas where top-security should not be compromised?
Alex: In the case of web application vulnerabilities, enterprises are encouraged to implement OWASP development and testing methodologies in order to reduce known attack surfaces that are caused by insecure code development. In the case of account takeover risks, enterprises are encouraged to implement two-factor authentication to reduce the risk of an account takeover through password reuse.
The security vulnerabilities of third party vendors are an often overlooked yet critical vector for cyber attacks. While a security team may have a good understanding of their own internal network controls, there is little visibility into the network security processes of third party vendors.
It is also recommended to implement a continuous information security monitoring system (such as SecurityScorecard) to continuously probe an enterprise digital footprint for exposures, as well as the digital footprint of associated vendors.
LR: What is your perspective on how this hack may affect investors and investment firms moving forward?
Alex: If the stock movements were indeed manipulated, then investors who were on the wrong side of the trades definitely experienced financial harm as a result of distributed misinformation. If the stock movements were not manipulated, and instead the attackers simply profited from prior knowledge of company events, then the damage to investors would be similar to that of an insider trading incident. Things are complicated by the fact that it was not an insider, but an unauthorized third party using an emerging method of attack (web applications) as the means of obtaining the insider information.
From the perspective of trading on false information, investors and firms are advised to implement a process of verification of received intelligence before committing their trades, but this becomes difficult when the speed of a trade determines success or failure – however, certain indicators of fraudulent or forged information may be observable and can be flagged, such as the presence of an unusual number of typographical errors and odd misspellings.