This advisory contains information about the appointed senior advisor to SEC Chairman Jay Clayton for Cybersecurity, new cybersecurity rules under the Colorado Securities Act, and vulnerabilities reported in Cisco's software and WebEx browser extension.
SEC Announces Christopher Hetner to Remain as Senior Advisor to Chairman for Cybersecurity Policy
The SEC issued a press release on July 18 confirming that Christopher R. Hetner will continue to serve as Senior Advisor to Chairman Jay Clayton for Cybersecurity Policy. Hetner previously served under Chair Mary Jo White and Acting Chairman Michael Piwowar. Hetner coordinates efforts to address cybersecurity policy, engage with external stakeholders, and enhance the SEC's ability to assess cyber risks. Hetner has over 20 years of experience in information security and technology and joined the SEC in 2015.
Colorado Division of Securities Adopts New Cybersecurity Rules
The Colorado Division of Securities released new cybersecurity rules as a part of their Securities Act on May 19 that require financial services firms to protect the electronic information they collect and maintain.
In Colorado's new regulations, broker-dealers and investment advisers must establish and maintain written policies and procedures reasonably designed to ensure the security of Confidential Personal Information. When assessing whether policies and procedures are reasonably designed, the commissioner will consider the firm's:
- Relationships with third parties;
- Policies, procedures, and training of employees with regard to cybersecurity practices;
- Use of electronic communications;
- Automatic locking of devices that have access to Confidential Personal Information; and
- Process for reporting of lost or stolen devices.
The cybersecurity policies and procedures must include:
- An annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information;
- The use of secure email for email containing Confidential Personal Information, including use of encryption and digital signatures;
- Authentication practices for employee access to electronic communications, databases, and media;
- Procedures for authenticating client instructions received via electronic communication; and
- Disclosure to clients of the risks of using electronic communications.
Colorado is the second state to regulate and enforce security standards for financial services. The rules share similarities with the New York State Department of Financial Services' cyber regulations in Article 24 Part 500 which also require risk assessments, vendor assessments, employee training, and written policies and procedures. However, NY DFS 500 is more comprehensive, requiring a designated CISO, establishing an incident response plan, maintaining an audit trail of activity, and more.
SNMP Vulnerability in Cisco IOS and IOS XE Software
Cisco reported that the Simple Network Management Protocol (SNMP) subsystem of their IOS and IOS XE Software contains vulnerabilities that could allow an attacker to remotely execute code on an affected system or cause an affected system to reload. To exploit these vulnerabilities, an attacker sends an SNMP packet to an affected system via Internet Protocol version 4 or 6. The vulnerabilities affect all versions of SNMP including Versions 1, 2c, and 3. To exploit vulnerabilities via SNMP Version 2c or earlier, the attacker needs to know the SNMP read-only community string whereas the attacker needs user credentials to exploit vulnerabilities via SNMP Version 3. Cisco has released software updates that address these vulnerabilities.
For more information and a complete list of affected products, see Cisco’s advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp
ACA Aponix Guidance
- Only allow trusted users to have SNMP access on an affected system.
- Monitor affected systems by using the show SNMP host command in the command-line interface.
- Mitigate vulnerabilities by disabling MIBs, as listed in advisory, on devices.
Cisco WebEx Browser Extension Vulnerability
Cisco reported a vulnerability in their WebEx browser extensions for Google Chrome and Mozilla Firefox that allows a remote attacker to execute code with the privileges of the affected browser on an affected system. The vulnerability is the result of a design defect in the browser extensions for Cisco WebEx's meetings server, centers, and meetings on Microsoft Windows computers. The attacker would need to convince users to follow their link with an affected browser to exploit the vulnerability. Cisco has released software updates to address this vulnerability.
For more information and a complete list of affected products, see Cisco’s advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex
ACA Aponix Guidance
- Remove all WebEx software from affected Windows systems using the Meeting Services Removal Tool.
- Use Internet Explorer or Microsoft Edge to join WebEx sessions.
If you would like to receive guidance regarding the Colorado Securities Act or have any questions, please contact your ACA Aponix consultant or email us at email@example.com.