Monday, April 19, 2010

Bad security a financial industry issue, not just banks

Alan of Sun Country's Weblog reports that FINRA (the Financial Industry Regulatory Authority) recently fined the brokerage firm Davidson & Co. $375,000 for failing to use adequate security measures to protect customers' information.

The breach occurred in 2007, but Davidson & Co. didn't find out until 2008. To make it worse, they didn't find it themselves; they learned of it when one of the hackers tried to extort money in return for not releasing the stolen data to the public.

According to FINRA, Davidson made such basic security blunders as not encrypting customer data, keeping the customer data on a web server with the default admin password, and keeping the insecure web server online 24 hours a day. The company also failed to follow a 2006 auditor's recommendations that it implement an intrusion detection system and review server logs, which would have let it detect the breach sooner.

According to a Davidson spokeswoman, the FINRA statement ignored some pertinent information, such as a third-party auditor being unable to break into their systems shortly before the breach, and the attack using what were, at the time, very cutting-edge techniques.

What the FINRA report does tell us is that the attack was a SQL injection attack. In 2007, SQL injection was going on 10 years old, hardly cutting edge. Changing the default admin password is basic security. So is encrypting your customer data and not placing the database on a server directly connected to the web. Different companies use different terminology for the same tasks, so I suspect Davidson was looking for a pentester and hired something else, but I can't be sure. Any pentester should have hacked a server using the default admin password in no time. But an auditor might not even try.
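To show why SQL injection was already a solved problem in 2007, here is an added example (not from the post or from FINRA's report) of a customer lookup written the vulnerable way beside the parameterized version. The customer table and the Python/sqlite3 setup are assumptions standing in for the brokerage's real system; the same crafted login value returns every row from the first function and nothing from the second.

```python
import sqlite3

# Constructed sample data standing in for a customer table (assumption).
CUSTOMERS = [
    ("alice", "Alice Example", "111-22-3333"),
    ("bob", "Bob Example", "444-55-6666"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (login TEXT, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """Vulnerable: untrusted input is spliced into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    sql = "SELECT name, ssn FROM customer WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, login: str) -> list:
    """Hardened: the value travels separately from the SQL text, so the
    input is only ever compared as a literal string, quotes and all."""
    sql = "SELECT name, ssn FROM customer WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def demo() -> tuple:
    """Run both lookups against the textbook payload and return the row
    counts: (vulnerable, parameterized)."""
    conn = make_db()
    crafted = "nobody' OR '1'='1"
    return (
        len(lookup_vulnerable(conn, crafted)),
        len(lookup_parameterized(conn, crafted)),
    )


if __name__ == "__main__":
    print(demo())  # (2, 0)
```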

These types of problems are coming to light often enough to show that a large segment of the financial sector has major security problems. I would like to see the industry police itself, but the stakes are too high, and the industry moves too slowly. It's time for regulatory involvement.