April 11, 2013
According to the Office of the Inspector General, the Securities and Exchange Commission may need to implement significant email security improvements. According to CSO, a report found email monitoring and control mechanisms were lacking within the agency, putting sensitive documents at risk.
The OIG said SEC employees and contractors who use the email system were not prevented from sending and saving documents to non-official computers, which means information not intended for the public could make it outside of the agency. Whether employees wanted to or not, data was vulnerable to being easily mishandled and leaked. CSO noted this has already happened at the SEC. One such incident happened in 2011, when a former employee destroyed many files in high-profile inquiries, including some from the investigation of famed Ponzi scheme ringleader Bernie Madoff.
There were two other reports at the SEC, with one finding the SEC's evaluation of security controls need better documentation. According to report, the agency "cannot validate that security controls are functioning as intended" and SEC should improve how it examines its security controls. The third report, according to CSO, said SEC's IT department didn't monitor the effectiveness of security controls in regard to their standing with National Institute of Standards and Technology guidelines. There are penetration testing and vulnerability scanning solutions in place, but OIG said this is not enough to meet NIST requirements.
"However, we found that penetration testing is not sufficient to meet the continuous monitoring strategy requirements per NIST Special Publication (SP) 800-137," the report stated. "We also found that OIT did not test some areas between the three year certification and accreditation (C&A) assessment cycle, or on a continuous basis for critical security controls. As a result, OIT's continuous monitoring program needs improvement."
NIST best practices
NIST's rules on email security said securely installing, configuring and using mail clients means companies should consistently patch and upgrade the client applications, configure authentication access, configure security features and make sure the host operating system is secured. Organizations should also implement solutions for protection against malware, testing, regular data backup and follow procedures that allow for recovery from email security compromises.
"Organizations should also consider running more than one vulnerability scanner,' NIST said. "As previously discussed, no scanner is able to detect all known vulnerabilities; however, using two scanners generally increases the number of vulnerabilities detected. A common practice is to use one commercial and one freeware scanner. Network- and host-based vulnerability scanners are available for free or for a fee."