[BreachExchange] How the SEC breach resembles immature teenage behavior

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 13 15:02:08 EDT 2017


http://it.toolbox.com/blogs/itmanagement/how-the-sec-breach-resembles-immature-teenage-behavior-78737

If you were like me growing up, you had some temper tantrums where you
expressed your emotions perhaps a little too much. As I got into my
mid-to-late teens, I remember it happening quite often. In one particular
situation, I got into a pretty heated fight with my older sister and,
thanks to my sister wearing a cast on her foot, my bedroom door ended up
with a hole in it. To prevent our dad from seeing the damage and, of
course, the inevitable consequences, we decided to strategically place a
recently-completed piece of school artwork on top of the hole. That hole
remained covered up for the next four or five years. Our dad never found
out about it until we were more mature and felt comfortable telling him. It
was our immaturity that led us not only to our initial fighting but also
our “fix”. We covered up the mess and we went on about our merry ways.
Interestingly enough, I see this behavior as it relates to information
security.

You may have heard the recent announcement by the Securities and Exchange
Commission (SEC) that their Electronic Data Gathering, Analysis, and
Retrieval System – known as EDGAR – was hacked back in 2016. The SEC
chairman, Jay Clayton, released a five-page statement on the organization’s
security practices which contained a single paragraph outlining that a
security event had occurred. Reportedly, the EDGAR breach, which allowed
illicit stock market trading, had been reported to the U.S. Department of
Homeland Security not long after it happened. However, SEC commissioners
and their former COO were apparently not made aware of the incident until
months later. Presumably, the former SEC chairman was out of the loop
altogether. As if the rulemaker’s shoddy security wasn’t enough, it appears
that certain people inside the SEC were trying to just sweep this breach
under the rug – not unlike how my sister and I immaturely did what we did.

Obviously, the consequences are greater in a large security breach such as
this one at the SEC. It begs the question: What gives? More details may
surface on this (it’s a government agency so you never know) but not unlike
the recent Equifax debacle, why is this stuff happening at the hands of
grown professionals who are assumed to be experts in the basics of their
craft? Is it truly malicious? I think not. Is it because the people in
charge of security are in over their heads? Perhaps – I see that a lot. Or,
is it because everyone is so focused on “compliance” instead of security
that they know that compliance-related gaffes may have more detrimental
outcomes? I’m pretty sure that’s part of it.

The reality is that IT and security staff involved with breaches (at the
SEC or anywhere) could see the evidence, analyze it, and determine that
it’s insignificant and IT management doesn’t need to get involved. Just
like my sister and I – we came up with a solution with no parental
involvement. Everybody wins! Well, maybe in our teenage situation but not
in the context of security breaches. There’s one common thread that I’m
seeing here: it’s management not being involved in negative security events
from the get-go or, worse, being out of the loop altogether. Bottom line:
executive management may not want to be involved but they should be
involved. Management involvement and security should already be part of
your culture. It’s time to make it part of your incident response
procedures as well.