Authentic8 Blog Category: Security

Interview: SEC Compliance and the Internet

Illustration: Interview: SEC Compliance and the Internet - Authentic8 Blog

Key Issues for Investment Management Firms

What are the challenges regulated investment management firms are facing when using the internet?

We asked Jane Jarcho, the former Deputy Director of the SEC's Office of Compliance, Inspection, and Examinations (OCIE) and head of the National Investment Adviser and Investment Company Exam program, who recently joined the Promontory Financial Group as a consultant on regulatory and exam issues.

At the OCIE, Jane Jarcho oversaw its program areas, including Investment Adviser/Investment Company (IA/IC), Broker-Dealer and Exchange, FINRA and Securities Industry Oversight, and Clearance and Settlement. Ms. Jarcho also led the IA/IC examination program. Under her leadership, the number of IA/IC examinations increased by more than 100 percent.

The interview was conducted by Chirag Vasavada, Head of Business Operations at Authentic8.

*

Chirag Vasavada: Jane, given your tenure and experience across the SEC's program areas, you're in an ideal position to speak to the challenges faced by regulated entities today. The industry is under

5 Must-Read Resources for Compliance and IT Leaders in Investment Firms

Illustration: 5 Must-Read Resources for Compliance and IT Leaders in Investment Firms - Authentic8 Blog

Regulated investment firms use the web to gather market intelligence, to access data aggregation tools and business apps, and to communicate via webmail and social media.

While many (if not most) business functions have shifted to the web and cloud apps, including IT security, the primary tool used by research analysts and investment managers remains stuck in IT’s past: the locally installed browser. A holdover from the 1990s, the local browser’s inherent weaknesses make it notoriously difficult to manage, monitor, and secure against web-borne exploits.

This has created a growing compliance blindspot for buy-side and sell-side firms. At the same time, the pressure from federal and state regulators is steadily increasing. Registered investment advisers are one example. By subjecting 17% of firms to OCIE examinations in FY 2018, the SEC already exceeded its own ambitious goal (15%) in this group alone for this year.

Chief Compliance Officers, CISOs and CTOs in the industry have been put on notice. One simple

Browser Security: What's Up with WASM?

Illustration: Browser Security: What's Up with WASM? - Authentic8 Blog

WebAssembly, a newer type of “low-level” code that can be run by modern web browsers, is aimed at improving the web experience. The catch: Regular browsers execute such code locally. WebAssembly - merely a faster way for web-borne exploits to reach the local browser?

*

WebAssembly (WASM) is currently supported by major browsers including Firefox, Chrome, WebKit/Safari, and Microsoft Edge. Because the browser is running the WebAssembly code locally, any problems with that code also end up on the user’s machine and potentially pose a threat to the local IT environment.

How does WebAssembly work? WASM is not a high-level language. It is a way for language compilers (like those that read C, C++, and Rust high-level code) to express their assembly-level output in a different format. This output then can be directly executed by the browser.

Source: LogRocket Blog

By itself, WebAssembly code isn’t supposed to be able to do anything. It’s run inside a sandboxed virtual machine.

Why You Should Be Fed Up With the Cycle of FUD

Illustration: Why You Should Be Fed Up With the Cycle of FUD - Authentic8 Blog

The upcoming election has created the perfect opportunity for the $100 billion cybersecurity industry to throw some fear, uncertainty and doubt — colloquially known as “FUD” — into the daily conversation.

Vendors see this as an opportunity to double down on their marketing to help congressional offices “defend democracy.” But they’re selling the same solutions that got these offices in trouble in the first place. Isn’t it time to try a different approach?

It’s important to understand that unlike other branches of government, each congressional office is responsible for their own security when it comes to their IT infrastructure. In many instances, offices outsource management of their systems to contracting agencies, which contributes to the problem.

Additionally, congressional offices and political parties were targets long before the industry took notice. Party staff are juicy targets for social engineering, phishing, and other forms of targeted attacks from APT groups. Stealing the data they’re holding can be a windfall for political adversaries

5 Must-read Resources for SOC and Threat Intelligence Professionals

Illustration: 5 Must-read Resources for SOC and Threat Intelligence Professionals - Authentic8 Blog

Have SOCs made enterprise IT more secure? Over the past months, multiple surveys, research reports and white papers on the success of Security Operations Centers (SOCs) and threat hunting were published that attempt to answer this question.

From various angles, researchers have gauged the impact SOCs and threat intelligence gathering (manually and automated) have on improving the IT security posture of companies in the U.S. and worldwide.

Businesses made significant investments in AI/machine learning-based automated threat detection and prevention tools over the past year. So what do they have to show for it?

If you’re planning a SOC or devising the budget plan for an existing one, check out the reports reviewed below for useful facts and actionable insights.

*

1) Security Operations Centers: Not a Success Story (Yet)

Security operations centers (SOCs) are facing critical staffing and retention issues that prevent them from realizing their full potential. This is one key takeaway from the new report The Definition of