Publicly Available Information Heightens Need for Cybersecurity Vigilance

For any business, “ports” that allow for communication generally need to be open (for example, ports 80 and 443 for websites, and port 500 for VPN access). While most of these ports allow you to engage in critical functions, there are often ports that remain open despite being unneeded or unused. These available ports present an attack surface that can be exploited.

A scary development in cybersecurity is that specialized skill is no longer required to hack into firms; indeed, “how-to” videos found on YouTube can be easily followed to create a breach. The point of a penetration test is to try to find vulnerabilities on your network before the bad guys do.

If you have been hacked or breached, there are certain sites on the web, such as Pastebin, where hackers post your information.

Criminal hackers search for any information that will make their jobs easier, and often search publicly available web tools for any vulnerable network devices, Cyber 51 LLC’s Martin Voelk and Ascendant’s Adam DiPaolo recently told attendees at Ascendant’s “Compliance Disruptors: Seismic Shifts of the Regulatory Landscape” conference.

Shodan.io is a vulnerability search engine that allows anyone to see internet-connected devices. “Google dorking” is another way to search for specific documents like confidential documents relating to a certain company that may have been posted online, intentionally or inadvertently.

Once you identify what’s on the network, such as type of firewall and version number, then you can search vulnerability databases for vulnerabilities relating to that device and version.

Reporting of threats should be made using the Common Vulnerability Scoring System (CVSS). Scores are calculated based on various metrics and measure from a 0 to 10 range, with 10 being the most severe. It is a great way for senior management to easily understand high, medium, and low risks.

You can have 999 non-critical vulnerabilities but if you find one critical vulnerability, that alone makes your overall risk profile critical.

Firms should engage in scanning as well as internal and external pen testing, with the testing process described in a report. Scanning is a passive enumeration of vulnerabilities and usually involves software tools that are designed to test for exposure to known vulnerabilities. A penetration test is more active in that it attempts to exploit those vulnerabilities. Using a combination of all these tests in an effort to identify vulnerabilities and their severity levels remain a key part of a vigilant cybersecurity program.

Latest Content

Schedule 13D/13F Clarity on ETF Issues

Do I need to file a 13D or 13G if my client accounts hold in excess of 5% of an ETF? Generally, no. The SEC has granted no-action relief to ETFs with respect to compliance with Section 13(d) of the Securities Exchange Act. Section 13(d) was designed to require disclosure when holders begin to accumulate … Continued

New Remedy Coming for SEC’s Custody Rule?

The SEC’s Custody Rule continues to be a common source of confusion and a landmine for noncompliance. Custodial paperwork has caused huge headaches for investment advisers, who are not a party to the agreement and may not even have a copy of the custodial new account paperwork. The issue with existing guidance is that it … Continued

SEC Issues MiFID II No-Action Relief

Some industry anxiety was assuaged on October 26 with three no-action letters that offer relief for some US regulated broker-dealers and investment advisers regarding European MiFID II regulations. The letters followed consultation with the European authorities, and are designed to address concerns that investors could lose access to valuable research. MiFID II is a series of regulations … Continued

Regulatory Changes Impacting RICs and Service Providers

A year ago, the SEC adopted Investment Company Reporting Modernization Rules and Forms, as well as rules pertaining to liquidity risk management programs and swing pricing. New forms N-Port and N-Cen along with amendments to Regulation S-X significantly change the current reporting regime for most registered investment companies (RICs) because they require more comprehensive disclosure and … Continued

How To Build An Effective Service Provider Oversight Program In Three Easy Steps

Investment advisers of all sizes face new and growing challenges in today’s competitive and evolving environment. As the investment management industry becomes more consumer-focused, individual investors are pressing advisers for more innovative products and a personalized client experience. Further, the growth of passive strategies has created fee pressure across the spectrum, leading to contracting margins.1 … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.