
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


REPORT: SEC, AND ITS SECRETS, ARE AT MERCY OF HACKERS

Source: National Post

Posted on March 29, 2005

      The U.S. Securities and Exchange Commission has left financial transactions, regulatory files and other "mission critical information" such as enforcement documents vulnerable to unauthorized disclosure and potential tampering because it doesn't have proper computer security, the U.S. Government Accountability Office has warned.

      About 500 Canadian companies have shares that also trade in the United States and are required, along with over 12,000 U.S. companies, to regularly send highly confidential and sensitive information to the SEC. The security lapses uncovered by the Government Accountability Office (GAO), the auditing arm of the U.S. Congress, would be enough to curl the hair of executives at any firm.

      The report details fired SEC employees who retained access to the network, a computer in a public area left logged on to the main network, and a widespread failure to implement proper account and password controls or even to limit network access to full-time SEC staff.

      The security lapses are bound to sting the world's most powerful stock market regulator, which has made companies clean up their acts in the wake of Wall Street financial scandals through a series of stringent internal controls. Many complain the controls are too expensive and too heavily bureaucratic.

      "This seems pretty ironic," a lawyer at a major U.S. corporation said yesterday. "I guess enforcement actions will have to go on the back burner until the pot is no longer calling the kettle a very dark shade of charcoal grey."

      The SEC processes more than 600,000 financial documents a year and collects more than US$1-billion in filing fees, penalties and disgorgements.

      In its report to SEC chairman William Donaldson, the GAO makes it clear it cannot be guaranteed those transactions were secure.

      "Information systems controls were not effective at the SEC," the report says. "We identified numerous weaknesses.... As a result, financial and other sensitive information was at increased risk of unauthorized disclosure, modification or loss, and operations at risk of disruption.

      "Without proper safeguards, there is risk that individuals and groups with malicious intent may ... use this access to obtain sensitive information, commit fraud, disrupt operations or launch attacks against other computer systems and networks."

      GAO auditors studied the SEC's information systems between April and November as part of its 2004 audit of the commission's financial statements.

      Corey Booth, the SEC's chief information officer, says the regulator has been working with the GAO on the audit since last summer. "We hired a new head of information security and significantly expanded our resources in this area. Since then, we have been working to identify areas of concern, install new generations of security-related technology, and address each of the issues that the GAO auditors have highlighted. More fundamentally, we have been building up a comprehensive security program that will allow us to systematically identify and mitigate areas of security risk going forward."

      Among the many requirements under the Sarbanes-Oxley Act, U.S. companies must implement information-system controls to protect the integrity, confidentiality and availability of their financial and sensitive data. Canadian companies that trade in the United States have a grace period, but will also have to comply.

      In the 25-page report, the Government Accountability Office makes it clear the regulator's own system controls fall far short, sometimes in surprisingly elementary areas.

      "For example, our testers found a workstation located in an area of an SEC building readily accessible by the general public that was logged into the SEC computer network," the report says. "With access from this workstation, a potential attacker would have direct access to the SEC's internal network.

      "Also, because of weakness in system audit logs ... the likelihood of detection would have been remote."

      People who had been laid off or fired sometimes retained the ability to log on to the network, the report says, "including one terminated employee who still had access to the SEC's information system eight months after termination."

      In a wider problem, the GAO auditors say the commission failed to properly control the user accounts and passwords of the 4,100 employees who have access to its main system.

      SEC staffers sometimes use easy-to-guess passwords, and both the user accounts and passwords were "inappropriately" stored in clear text - increasing the likelihood a hacker could gain unauthorized access to the main network, the report says.

      It also found contract staff "granted themselves access to key financial systems without SEC approval."

      Released on the cusp of the Easter long weekend, the report appears to have attracted little attention.

      GAO auditors say the SEC - which polices U.S. financial markets - has been using outdated and misconfigured networks, and "did not consistently secure its network against well-known software vulnerabilities."

      It also didn't have procedures to ensure communications to its internal system from external contractors and business partners were securely configured.

      There were also marked weaknesses in physical security that terrorists or mischief makers could seize upon.

      GAO auditors discovered six wiring closets containing key network equipment that were left "unlocked and unattended."





E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.



