10/5/2012
01:17 PM

Exclusive: Anatomy Of A Brokerage IT Meltdown

Regulators last year issued the SEC's first-ever privacy fine against broker-dealer GunnAllen for failing to protect customer data. But former IT staffers say regulators didn’t seem to know half of this cautionary tale of outsourcing and oversight gone wrong.

In the bigger picture, it's unclear where the SEC was during all of this activity. "How is it that GunnAllen was an examined entity and they had no security policy?" said independent privacy expert Andrew M. Smith, an attorney at Morrison & Foerster. "Say you're 25 years old, recently graduated college, you're an SEC inspector, what's the first thing you're going to do? You're going to ask for their policies and procedures, and when you see that it takes up less than a quarter of a page, there's going to be something wrong."

Of course, that perspective assumes that the SEC or FINRA had in fact audited GunnAllen's compliance. "Is it possible that they never examined this broker-dealer? If so, that's fair enough," Smith said. In fact, it's not clear whether FINRA or the SEC ever audited GunnAllen's policies before they began their enforcement actions, or whether the additional security violations Sago detailed in mid-2011 might lead the agencies to reopen their investigation.

Officials at both FINRA and the SEC declined to comment on any examinations or audits their agencies may have conducted of GunnAllen. But FINRA's publicly accessible records for GunnAllen make no mention of the agency having audited or examined the company before evidence of the Ponzi scheme emerged.

What could have been done to help the SEC spot brokerages with poor IT policies? In 2008, the agency proposed amendments to Regulation S-P, also known as the Safeguards Rule, to increase customer data protection requirements for the businesses it regulates. According to Chris Wolf, an attorney who directs law firm Hogan Lovells' privacy and information management practice, these include requiring "a written security program, identification of specific employees to run it, identification of documentation for reasonably foreseeable security risks, as well as implementation of safeguards for managing those risks, as well as training, oversight, and so on, including for providers." Wolf added, "It would also have a data breach notification obligation, which currently does not exist."

But those proposed amendments have remained stalled since they were first proposed in March 2008. An SEC spokeswoman declined to comment on the status of the proposed Reg S-P amendments, or whether the agency is still backing them.

Life After GunnAllen

Knowing what they now know, would the Revere Group IT employees who worked at GunnAllen have done anything differently? "Things probably should have been told directly to GunnAllen, but we were in such fear of keeping our jobs," Lynott said. "Looking back and thinking back now, I probably would have gone back and told the GunnAllen people. But they may already have known."

Ultimately, Lynott said, he quit The Revere Group. "I got to the point where I morally couldn't go to work anymore," he said. One week after he left, he heard that the network engineer who'd allegedly sabotaged the IT systems was fired.

Saccavino, meanwhile, said he suspects GunnAllen had no idea what was happening in the IT department. "They weren't told the whole truth, and I don't think they were told even part of the truth," he said. "Shame on them for not having a check and balance in place, but you can't blame them for being the victim."

Smith, the privacy expert, offered four takeaways for any company that outsources its IT department: "One, you need to do your due diligence up front so you know that your service provider can keep this safe. Two, you need to have contractual obligations that allow you to keep this data safe, and audit that. Three, monitor so you know it's safe. And four, if there's unauthorized access, have your service provider notify you promptly."

Benchmarking normal activity and then monitoring for users who stray from that norm is an essential strategy for getting ahead of data and system breaches. But choosing the right tools is only part of the effort: without sufficient training, efficient deployment and a good response plan, attackers can still gain the upper hand.
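Smith's third takeaway (monitor so you know the data is safe) and the baselining point above are the kind of control that would have surfaced an administrator quietly changing settings at odd hours. The following is an added example, not code from the article or from any firm it describes. It builds a per-user baseline (working hours, source hosts, typical number of privileged actions per day) from a training window of log lines, then scores a later window and emits one alert per user, day and deviation type. The log format, the user and host names, the privileged action list and the thresholds are all assumptions; the log lines are constructed for the example.

```python
"""User-activity baselining and deviation alerts over constructed log lines.

Assumed log format (one event per line):
    <ISO-8601 timestamp> user=<name> src=<host> action=<verb>
Everything below (format, names, thresholds) is an assumption for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$"
)

# Actions that change the environment rather than just use it (assumed list).
PRIVILEGED = {"config_change", "acl_change", "firewall_rule_delete", "backup_disable"}

# Constructed training window: a network engineer working 08:00-17:00 from one
# admin workstation, making zero to two privileged changes a day, plus a helpdesk user.
BASELINE_LOGS = [
    "2012-03-05T09:12:00 user=neteng src=admin-ws-01 action=login",
    "2012-03-05T10:30:00 user=neteng src=admin-ws-01 action=config_change",
    "2012-03-05T16:45:00 user=neteng src=admin-ws-01 action=logout",
    "2012-03-06T09:05:00 user=neteng src=admin-ws-01 action=login",
    "2012-03-06T11:00:00 user=neteng src=admin-ws-01 action=config_change",
    "2012-03-06T14:20:00 user=neteng src=admin-ws-01 action=acl_change",
    "2012-03-07T09:30:00 user=neteng src=admin-ws-01 action=login",
    "2012-03-07T15:10:00 user=neteng src=admin-ws-01 action=config_change",
    "2012-03-08T08:55:00 user=neteng src=admin-ws-01 action=login",
    "2012-03-08T17:00:00 user=neteng src=admin-ws-01 action=logout",
    "2012-03-09T09:00:00 user=neteng src=admin-ws-01 action=login",
    "2012-03-09T13:40:00 user=neteng src=admin-ws-01 action=config_change",
    "2012-03-05T08:30:00 user=helpdesk src=hd-ws-04 action=login",
    "2012-03-06T08:40:00 user=helpdesk src=hd-ws-04 action=password_reset",
]

# Constructed detection window: a 2 a.m. Sunday session from a VPN address that
# disables backups and deletes a firewall rule, followed by a normal Monday.
WEEKEND_LOGS = [
    "2012-03-11T02:03:00 user=neteng src=vpn-pool-17 action=login",
    "2012-03-11T02:05:00 user=neteng src=vpn-pool-17 action=backup_disable",
    "2012-03-11T02:06:00 user=neteng src=vpn-pool-17 action=firewall_rule_delete",
    "2012-03-11T02:08:00 user=neteng src=vpn-pool-17 action=config_change",
    "2012-03-11T02:09:00 user=neteng src=vpn-pool-17 action=config_change",
    "2012-03-11T02:15:00 user=neteng src=vpn-pool-17 action=logout",
    "2012-03-12T09:10:00 user=neteng src=admin-ws-01 action=login",
    "2012-03-12T10:00:00 user=neteng src=admin-ws-01 action=config_change",
    "2012-03-12T08:35:00 user=helpdesk src=hd-ws-04 action=login",
]


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "src": m["src"], "action": m["action"]})
    return events


def build_baseline(events):
    """Per user: hours of day seen, source hosts seen, and the mean/stdev of
    privileged actions per active day (days with zero privileged actions count)."""
    hours, hosts = defaultdict(set), defaultdict(set)
    active_days = defaultdict(set)
    priv_per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        u, d = e["user"], e["ts"].date()
        hours[u].add(e["ts"].hour)
        hosts[u].add(e["src"])
        active_days[u].add(d)
        if e["action"] in PRIVILEGED:
            priv_per_day[u][d] += 1
    baseline = {}
    for u in hours:
        counts = [priv_per_day[u].get(d, 0) for d in active_days[u]]
        baseline[u] = {"hours": hours[u], "hosts": hosts[u],
                       "priv_mean": sum(counts) / len(counts),
                       "priv_stdev": statistics.pstdev(counts)}
    return baseline


def detect(baseline, events, sigma=3.0, min_burst=3):
    """Score a window against the baseline. One alert per (user, day, kind) so a
    single bad session does not produce one alert per log line."""
    findings = {}
    priv_count = defaultdict(int)
    for e in events:
        u, d = e["user"], e["ts"].date()
        b = baseline.get(u)
        if b is None:
            findings.setdefault((u, d, "unknown_user"), e["action"])
            continue
        if e["ts"].hour not in b["hours"]:
            findings.setdefault((u, d, "off_hours"), "hour %02d not in baseline" % e["ts"].hour)
        if e["src"] not in b["hosts"]:
            findings.setdefault((u, d, "new_source_host"), e["src"])
        if e["action"] in PRIVILEGED:
            priv_count[(u, d)] += 1
    for (u, d), n in priv_count.items():
        b = baseline[u]
        # Floor the threshold so a quiet baseline (stdev near 0) does not alert on every change.
        threshold = max(min_burst, b["priv_mean"] + sigma * b["priv_stdev"])
        if n > threshold:
            findings[(u, d, "privileged_burst")] = "%d privileged actions, threshold %.1f" % (n, threshold)
    return [{"user": u, "date": d.isoformat(), "kind": k, "detail": v}
            for (u, d, k), v in sorted(findings.items())]


def run_example():
    """Baseline on the training window, then score the weekend window."""
    baseline = build_baseline(parse(BASELINE_LOGS))
    return detect(baseline, parse(WEEKEND_LOGS))


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

On the constructed data the Sunday session produces three alerts for the engineer (off-hours activity, a never-seen source host, and four privileged actions against a threshold of three), while the Monday entries and the helpdesk user produce none. The two design choices worth carrying into a real deployment are the floor on the burst threshold (a user whose baseline is nearly constant would otherwise alert on any change at all) and the one-alert-per-user-per-day-per-kind collapsing, which keeps a single bad session from flooding the queue and burying the signal.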

Comments
RobPreston
User Rank: Apprentice
1/4/2013 | 2:27:29 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
You're misrepresenting the story, queuester. The story doesn't "tie the demise of GunnAllen to the actions of Revere." In the very first paragraph, the story states that GunnAllen's "IT problems were only a symptom of widespread mismanagement and deeper misconduct at the firm." The facts laid out in the story support that thesis.
queuester
User Rank: Apprentice
11/17/2012 | 11:55:43 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
This article at best was a one sided and inaccurate accounting of the IT staff that worked for the company after Revere was shown the door. Trying to tie the demise of GunnAllen to the actions of Revere is the same as trying to tie mother's milk to heroin addiction. There is no doubt that Revere was a drag on GunnAllen and did nothing in the interest of their client. That changed when GAF appointed their own CTO who subsequently rid the company of this incompetent and self serving consultancy. To place so much weight on the quotes of Revere help desk manager whose greatest contribution was writing poems about eating donuts doesn't really seem to be great investigative journalism. I was there as an employee of GAF during the time and worked for the CTO who was a very competent technologist as were many of the people who were kept on. I was also there as we were forced to decommission all of the systems at the behest of FINRA who also displayed an amazing amount of indifference and incompetency during the process. GAF is shut down for a cash reserve deficiency of $100k while the SEC and FINRA allowed MF Global and John Corzine to "misplace" $1.2 billion of investor money. They (the SEC and FINRA) were only successful at dragging the name of one of the only ethical members of the executive management team through the mud. Maybe a little more research might help next time as the only parties that really were hurt were the customers and that was done by FINRA not the company.
MyW0r1d
User Rank: Apprentice
10/9/2012 | 8:01:34 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
Reads like a company I had experience with and yes, it was a calculated plan on the part of the IT "engineer". Maybe more akin to the doctor/nurse who causes a patient's ills to be seen as the hero for relieving them or a fireman who starts fires to put them out. In the case I was familiar with, the engineer calculated that management would look favorably on him for saving them and unfavorably on anyone who would attack him as being jealous of his expertise rather than invest to independently investigate and perhaps uncover his intentional staging of the cases. He was right. The company fired two of his superiors for harassing the engineer who had "saved" the company.
Recognizing that RevereGroup and GunnAllen are not islands in this respect, there are still more than a few questions surrounding the validity of Sago's accusations (he did work there for what looks to be an extended period before being let go at the height of the 2008 financial crisis). A little vindictiveness? Some of these IT informants seem to share a little responsibility themselves if nothing else for complacency (why didn't DiMarzio take care of RG personnel problems internally without relating full details to GunnAllen?).
Allaun
User Rank: Apprentice
10/9/2012 | 5:34:48 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
The words that come to mind are Malicious, incompetent and hubris. I can understand not liking your job. I can understand having a bad day. But by the great FSM! I have never read about a company that seems so eager to destroy itself. Not even when MCI was around, did I ever see such cavalier disregard for both customer data.
jabadie
User Rank: Apprentice
10/9/2012 | 1:11:02 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
I have always felt embarrassed when I come in on Monday and something needs fixing, let alone a trivial 5 minute fix. That guy was a dishonorable idiot.

Interesting article. Read like a horror story.
FireRose
User Rank: Apprentice
10/9/2012 | 3:23:22 AM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
I worked at GunnAllen in the IT dept for 13 months - 2004/2005 - and one of the "urban legends" from prior to 2004 was that a senior IT programmer was fired for running a porn site on unused space on the web servers. I don't know the truth about this, but it was interesting to hear. I was "downsized" after making the GunnAllen CIO and staff unhappy during the planning of the national convention - no big loss for me, in hindsight!
rlawson346
User Rank: Apprentice
10/8/2012 | 8:50:42 PM
re: Exclusive: Anatomy Of A Brokerage IT Meltdown
It almost reminds me of the type of behavior seen in arsonists. It's as if the guy enjoys "starting fires", in the IT sense. Also seems like passive-aggressive behavior... but more aggressive than passive. Like he "forgot" to change the settings back.

Really strange. Was it incompetence or sabotage?