SEC security alert warns about misconfigured NAS, DBs, and cloud storage servers

SEC OCIE inspections find that companies have failed to properly secure network-accessible storage systems.


Securities and Exchange Commission.

(Image: WSJ/Twitter)

A security risk alert sent out by the US Securities and Exchange Commission warns companies, especially broker-dealers and investment firms, about the dangers of storing customer information on network storage solutions -- such as NAS devices, database servers, and cloud storage accounts.

The alert was sent out at the end of May by the SEC's Office of Compliance Inspections and Examinations (OCIE), following recent examinations and inspections at real-world companies.

More specifically, the alert warns about companies misconfiguring network-accessible storage systems, leading to accidental data exposures.

"Although the majority of these network storage solutions offered encryption, password protection, and other security features designed to prevent unauthorized access, [OCIE] examiners observed that firms did not always use the available security features," the agency noted.

Misconfigurations and a lack of oversight

OCIE staff highlighted three main problems with network storage solutions used by broker-dealers and investment firms.

The first was the issue of companies misconfiguring the security settings on storage systems, which could lead to unauthorized access to customer data.

Second, companies did not have adequate oversight of vendor-provided third-party services.

"Firms did not ensure, through policies, procedures, contractual provisions, or otherwise, that the security settings on vendor-provided network storage solutions were configured in accordance with the firm's standards," SEC OCIE staff said.

This usually leads to situations where companies end up using NAS, databases, or cloud storage accounts with default settings, which for some services/devices could mean "open-by-default."

Third, OCIE examiners also found that companies didn't classify their data based on its sensitivity, and because of this, hadn't set up different storage systems with different access controls, leading to situations where sensitive data was stored on open systems, together with non-sensitive information.
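The three findings above can be turned into a checklist that runs over a storage inventory. This is an added illustration, not code from the SEC or the article; the inventory, the field names and the firm's baseline are constructed assumptions.

```python
# Added example: audit a constructed inventory of network storage systems
# against the three OCIE findings. All names and values below are assumed.
from dataclasses import dataclass, field

# Assumed firm standard: the settings every storage system must end up with.
FIRM_BASELINE = {"encryption": True, "auth_required": True, "public_access": False}
SENSITIVE = {"customer_pii", "account_numbers"}  # assumed sensitivity classes

@dataclass
class StorageSystem:
    name: str
    kind: str                 # "nas", "database" or "cloud_bucket"
    vendor_managed: bool      # configured by a third-party vendor
    available: dict           # security features the product offers
    enabled: dict             # settings actually in effect
    data_classes: set = field(default_factory=set)

def audit(system: StorageSystem) -> list[str]:
    """Return findings for one system; an empty list means it is clean."""
    findings = []
    # Finding 1: a security feature is offered by the product but not in use.
    for feature, offered in system.available.items():
        if offered and not system.enabled.get(feature, False):
            findings.append(f"{system.name}: {feature} available but not enabled")
    # Finding 2: a vendor-provided system deviates from the firm's own standard.
    if system.vendor_managed:
        for key, required in FIRM_BASELINE.items():
            if system.enabled.get(key) != required:
                findings.append(f"{system.name}: vendor setting {key} differs from firm baseline")
    # Finding 3: sensitive data sits on a system anyone can reach.
    open_access = system.enabled.get("public_access") or not system.enabled.get("auth_required")
    if system.data_classes & SENSITIVE and open_access:
        findings.append(f"{system.name}: sensitive data stored on an openly accessible system")
    return findings

# Constructed inventory: one clean NAS, a vendor-run DB without encryption,
# and a vendor-run cloud bucket left open with customer data on it.
INVENTORY = [
    StorageSystem("nas-01", "nas", False, {"encryption": True, "auth_required": True},
                  {"encryption": True, "auth_required": True, "public_access": False}, {"internal_docs"}),
    StorageSystem("crm-db", "database", True, {"encryption": True, "auth_required": True},
                  {"encryption": False, "auth_required": True, "public_access": False}, {"customer_pii"}),
    StorageSystem("backup-bucket", "cloud_bucket", True, {"encryption": True, "auth_required": True},
                  {"encryption": True, "auth_required": False, "public_access": True}, {"customer_pii", "marketing"}),
]

def audit_all(inventory: list[StorageSystem]) -> dict[str, list[str]]:
    """Map each system name to its findings."""
    return {s.name: audit(s) for s in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "->", findings or "clean")
```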

Belgian police: Don't forget about offline redundancy

None of the three root causes listed by the SEC in its advisory are particularly new. All of these are common scenarios that we've seen in the past.

For the past three to four years, security researchers have been finding and reporting data leaks at major companies, most of which were caused by misconfigured databases and cloud storage accounts.

Misconfigured databases and cloud servers have caused leaks at analytics firms, data brokers, law firms, healthcare orgs, banks, government agencies, and more.

No major financial or investment firms have been hit, and the SEC would like to keep it that way by urging companies to address any potential issues within their network storage systems.

But if companies are smart, then besides setting up proper security configurations for their network storage systems, they will also keep alternative offline storage systems as backups. That is advice Belgian police gave in an advisory sent out yesterday, warning companies that they may end up losing data if they rely on cloud-based storage systems alone.
