A Black Hat

This may be more huff and puff than real news, at least to anyone in the security industry — it’s just all too common. These sorts of things happen at any and all organizations (though few are likely to admit it).

SEC staffers slammed for serious security snafus

“Staff at the Trading and Markets Division were found to have stored highly confidential and market-sensitive information on their laptops without any encryption, even when out and about. Some staff attended the Black Hat hacking convention with these unsecured laptops, an act of lunacy given the predilections of the attendees.”

You might think, how could regulated data be so easily exposed?

Someone is allowed to access company systems from their home computer, which inevitably leads to documents being downloaded locally. Others insist on personally administering their machines for ____ reasons and fail to follow internal best practice guidelines. It doesn’t matter what it is or was, and whether their governance documents disallowed it or not, this was a failure of management to effectively audit internal compliance.

Now, while I’m sure the SEC security architecture rivals that of most publicly listed firms, it’s telling that the government auditing body responsible for running threat models against all domestic securities trading systems can’t keep track of its own data.

The lesson here is that a security architecture only goes so far on paper. User-level security awareness competency is often overlooked, and risk assessments often give even the most risk-aware organizations a false sense of security when their paper models fail to account for the simplest of human errors.

… I wonder what percent of their information security budget line is consumed by internal compliance testing. Could it be more?