That is especially true if you are using a router supplied by your ISP.  Get rid of it.  Now.

If you already have a decent router in place, go through this checklist to make sure you have it hardened correctly.

​

This guide shows a user in an easy-to-follow way how to improve the privacy and security settings of Firefox, which, when combined with a privacy VPN, gives a user a strong framework for protecting their firm and client's information.

This guide is broken down into sections, each addressing different areas of security and privacy settings within Firefox. It should also be noted that these settings will break some websites, especially the components that block scripts. These problems will improve over time as the sites that you routinely visit will be fixed by your settings changes in the recommended plugins. Some websites are enemies of privacy and will not be usable securely or privately due to security flaws that break functionality or intentional blocking by the websites that cannot track you.

Also, when Firefox installs updates, it is common for some of these settings to revert back to their defaults. When Firefox notifies you that it has updated, it is a good idea to review this guide again and make sure that no settings have changed. This page will also be routinely updated with the latest information, so it is good to check this page for updates.

Section 1: Privacy Add-ons/Extensions for Firefox 

Block ads with uBlock Origin – Not to be confused with uBlock, uBlock Origin is a powerful ad-blocking tool that prevents most types of ads from appearing in your browsing or streaming. Unlike Adblock Plus and other alternatives, uBlock Origin does not have a whitelist and universally blocks all of the ads that it can. It is crucial to block ads because it is a common vector for both surveillance and malware.

Block much more with uMatrix – uMatrix is a powerful and script, cookie, and cross-site request blocker. It can recognize and block tracking through media and image files, and gives you granular control over what you allow and what you disallow on a per-site basis. It is important to block scripts and XHR requests as they are the most common attack vectors for malware and intrusion. Their is an easy uMatrix guide here!

Block behaviorally with Privacy Badger – extensions like Disconnect and others block cookies by comparing the cookies to known ones. The EFF’s Privacy Badger blocks cookies by tracking their behavior rather than comparing them to repositories. This allows Privacy Badger to actively block new threats as they appear, even with no frame of reference to work from.

Make sure your web is encrypted by default with HTTPS Everywhere – While the web is increasingly encrypted by default thanks to Let’s Encrypt, many sites are still unencrypted or running both encrypted and unencrypted content, either out of laziness or error. HTTPS everywhere makes sure that all of the requests coming from your browser request SSL encryption, so that if it is available, it is used by default.

Check your work with Firefox Lightbeam – Once you’ve made the changes in this guide, you can check the impact of your changes using Lightbeam. Lightbeam monitors the requests that are made when you are visiting a website and gives you a visual layout so that you can see where your data is going. We have a short LightBeam guide here!

Section 2: Options in Firefox Quantum to Improve Security and Privacy

General – No Major Changes
The built in Firefox spell checker operates using local language libraries that are built into the browser. This means that your keystrokes and what you write are not uploaded to Mozilla or any 3rd party by the spellchecker. Do note that websites can disable the built-in spell checker and use their own, like gmail. This means when you are on websites you should be aware that your keystrokes within that page can always be recorded by the site and/or any 3rd party scripts running on that site.

Home – New Windows and Tabs Should be Blank Pages – Disable All “Home” Checkboxes
Having a homepage that is not a blank page allows the site in question to know every time you’ve opened Firefox or started a new tab.
Pocket is a semi-controversial system that is built into Firefox that attempts to give users a relevant homepage without receiving any data from the user. It works by Firefox downloading a list of high quality articles from pocket servers daily, and then locally, pocket compares your browsing history against the list of articles to make relevant recommendations. This allows Mozilla to push relevant content to users without ever seeing their browser history. It also has a “sponsored article” system that shows paid-for articles alongside the high quality content. The criticisms of the system are that Mozilla gets to decide what is high quality content and what is not, and that this a way to get ads (paid content) on a user’s home page by default. While pocket doesn’t pose any blatant security or privacy risks and it is open-source, I recommend disabling it for performance reasons as well as the criticisms above.

Search – Change the default search engine to DuckDuckGo – Disable Suggestions
DuckDuckGo is a private search engine that does not store or cache user results. This means that your searches remain private and are not traded or sold for marketing or surveillance purposes. Because of the non-invasive approach of DuckDuckGo, some focused searches may not give you the most relevant results. To fix this, you can use a feature called Bangs to have DuckDuckGo redirect your search to another engine like Wikipedia or Startpage in a private way. For Startpage you do this by preceding your search in the navigation bar with a !sp. For example, if I wanted to search for information on Alabaster and use Startpage through DuckDuckGo,

I’d type:
!sp Alabaster

And I’d get a private Google search result from Startpage.

Search Suggestions is a feature that tries to predict what you’re typing in the search bar and provide you with relevant results before you finish typing out your search. It does this by analyzing your keystrokes in real-time through an interactive service. This means that the search provider is getting all of your information on keystrokes that type into the bar as soon as you hit the spacebar, not when you complete typing your search. This isn’t a huge privacy concern unless you leave a non-private search engine as your default.

Privacy and Security
Do not save passwords or autofill – Both of these store information that can be exfiltrated from you.
Do Not Store History as it can be pulled by plugins and shared.
Do not allow 3rd party cookies as these are nearly exclusively used for tracking.
You should leave first party cookies enabled because this gives you the option of allowing a cookie for a specific site with the uMatrix plugin. This corrects a lot of site-breaking issues for sites that you frequently visit in which specific cookies are okay.

Do not allow any suggestions in the search bar, as these broadcast your activity to 3rd parties.

Tracking protection can be enabled, but it is handled by addons as well, so it is redundant.

Block popups because not only are they annoying, but also because they are a common method of delivering malware payloads through malicious pages.
You want Firefox to warn you when sites try to install addons, as these have all kinds of security and privacy consequences.

Accessibility services are typically used in surveillance plugins for corporate networks and privacy unfriendly addons for Firefox, they should be disabled.
Do not share telemetry data with Mozilla.

On Blocking Dangerous and Deceptive Content – There is some false information circulating around in other guides about how this feature works in Firefox due to confusion about Google’s SafeBrowsing initiative. Google has two different methods of doing safe browsing, one is private and one is not. The Lookup API is the non-private method of checking URLs. This sends queries to Google servers every time you browse to a site to check if they are “safe.” This essentially hands Google all of your browsing information. The second, safer method is called the Update API. This stores a list of unsafe sites and domains locally, and you download a list from Google periodically that updates this list of domains. This method does not give Google any information from the user and it is what Firefox uses. You DO NOT need to disable this feature for privacy reasons and it does generally boost your security by checking your browsing against the blacklisted sites.

Special Section for Trusted Root CAs
This section is revisited in detail at the end of this article.

Firefox Account
Synchronizing your account across multiple devices has multiple privacy and security risks that should be avoided. Do not sign in to a Firefox account.

Section 3: Advanced privacy and security improvements with about:config settings changes

Firefox is highly configurable for privacy, and to access hundreds of advanced settings, you type about:config into the navigation bar where you normally type web addresses.

You will see a warning telling you to be careful! It is a warning worth heeding as setting things up incorrectly can make your browser crash or cause all kinds of issues. Misconfiguration can require a full reset of browser settings that will make you have to start over the process of hardening your browser.

The changes below are designed to significantly reduce the number of methods that websites can profile your activity. Why each setting is selected to be changed is included in the description of the setting.

Disable WebRTC – WebRTC is a protocol related to digital rights management that helps content websites track users. It has the capability to give up your real IP address even while connected to a VPN or Tor.

To disable WebRTC, in the search bar type media.peerconnection.enabled and double click on the setting to change it to false. This disables WebRTC.

Enable Fingerprint Resistance – This setting actually manages many behaviors in Firefox, it is a group of settings that are used by the Uplift project (a sub-project of Tor) to make the browser ignore most types of fingerprinting requests.
To enable Fingerprint Resistance – Type privacy.resistfingerprinting into the search bar and double click on the setting to set it to “true.” This hardens the browser against most types of fingerprinting.

Disable the 3DES cipher – This setting allows the 3DES cipher, which has multiple known security weaknesses. It needs to be disabled.
To disable 3DES – Type security.ssl3.rsa_des_ede3_sha into the search bar, and double click on the setting to set it to “false.” This prevent 3des from being supported.

Require Safe Negotiation – This setting is for preventing a serious code injection attack related to how clients and servers negotiate which encryption settings to use. This setting forces only safe negotiation methods to be used.
To enable Require safe negotiation – Type security.ssl.require_safe_negotiation into the search bar, and double click the setting to set it to “true.” This prevents this code injection attack from working.

Disable TLS versions 1.0 and 1.1 – Transport Layer Security (TLS) is a protocol created by industry consensus for creating secure connections between web resources and applications. The current standard version of TLS is 1.2 and version 1.3 is rapidly being adopted at the time of this writing. TLS version 1.0 and 1.1 (1.0 esecially) have some known flaws with negotiation and cryptography in certain situations, and should be disabled for security reasons.

To Disable TLS 1.0 and TLS 1.1 – Type security.tls.version.min into the search bar, and double click on the setting. In the box that pops up, type 3 and hit okay. This will force Firefox to only use TLS 1.2 and TLS 1.3.

Disable 0-RTT – Zero Round Trip Time Resumption (0-RTT) is a feature that is new in TLS 1.3 that allows a client and server to negotiate a connection with fewer steps, allowing https websites to load more quickly. There are two problems with this. First, in order to do this you lose forward secrecy (generating a new key for every session and throwing away the key when the session is over). Secondly, 0-RTT requires special implementation in order to prevent replay attacks, which some web developers will certainly fail to protect from. Disabling 0-RTT enhances security and privacy.
To Disable 0-RTT – Type security.tls.enable_0rtt_data into the search bar, and double click on the setting to set the feature to false. This will force full secure negotiation for all connections made by Firefox.

Disable Automatic Formfill – Formfilling requires that information be cached in the browser, this can include valuable information like usernames and passwords and the information can reference visited sites even with history disabled.
To Disable Formfill – Type browser.formfill.enable into the search bar, and double click on the setting to set the feature to false. This will prevent Formfill from caching any information about your browsing.

Disable All Disk Caching – Websites can write temporary information to hard drives such as access tokens, security keys, browsing data, secure scripts, and more. This information is usually deleted after a secure session is terminated, however, deleted information is trivially recoverable if it is not overwritten. Complicated firmware and drivers for flash memory based devices like SSDs introduce features like wear leveling that hide components of the storage from the OS entirely, making it very hard to verify that deleted information is actually deleted in an unrecoverable way.
To Disable all Disk Caching – Type browser.cache into the search bar. This will pull up many settings. Look for these specific settings: browser.cache.disk.enable and double click to set it to false, browser.cache.disk_cache_ssl and double click to set it to false, browser.cache.memory.enable and double click it to set it to false, browser.cache.offline.enable and double click it to set it to false, browser.cache.insecure.enable and double click it to set it to false. This will disable all types of disk caching in Firefox.

Disable Geolocation Services – Geolocation services are bad for privacy for obvious reasons. You don’t want people lasering on your exact location.
To Disable Geolocation – Type geo.enabled into the search bar, and double click the setting to set it to false. This will prevent geolocation services from working. (Note: WebRTC should also be disabled as mentioned above, as it uses a different method of generating location data.)

Disable Plugin Scanning – Plugins can query what extensions and plugins that you have installed on Firefox to profile users. Disabling this feature improves both privacy and functionality while browsing privately.
To Disable Plugin Scanning – Search for plugin.scan.plid.all and double click the setting to set it to false. This will disable the feature.

Disable ALL Telemetry Features – These are features that explicitly collect data.
To Disable All Telemetry – Type “telemetry” into the search bar. A large number of settings will pop up in the search. Search for the following and set them all to false:
browser.newtabpage.activity-stream.feeds.telemetry browser.newtabpage.activity-stream.telemetry
browser.pingcentre.telemetry
devtools.onboarding.telemetry-logged
media.wmf.deblacklisting-for-telemetry-in-gpu-process
toolkit.telemetry.archive.enabled
toolkit.telemetry.bhrping.enabled
toolkit.telemetry.firstshutdownping.enabled
toolkit.telemetry.hybridcontent.enabled
toolkit.telemetry.newprofileping.enabled
toolkit.telemetry.unified
toolkit.telemetry.updateping.enabled
toolkit.telemetry.shutdownpingsender.enabled
These changes prevent all kinds of metadata from being stored about your connection both locally and by Mozilla.

Disable Prefetching – Firefox by default will pre-load all linked pages on pages that you visit. This becomes a privacy issue because this leads to your browser broadcasting a list of the links that are on the page you are currently visiting, which can allow outside parties to profile your browsing habits from your DNS traffic, or, if you’re not on a VPN it can allow your ISP to infer what web pages you visit within secure sites by looking at the prefetch resources.

To Disable DNS Prefetching – Type network.dns.disableprefetch into the search bar and double click on the option to set the option to True. This will prevent the browser from broadcasting your browsing habits through DNS requests. You also need to disable network.prefetch-next

To Disable Network Prefetching – Type network.prefetch-next into the search bar and double click the option to set it to false.

Disable Referral Headers – Websites use referral headers to track users movements from one site to another. This tells the website you are visiting what site that you came from. To Disable HTTP Referral Headers – Type network.http.sendRefererHeader into the search bar and double click the setting which will open a dialog box. Type 0 into the box that pops up and hit okay to completely disable Referral headers.


Disable WebGL – WebGL is an application interface that allows websites direct access to your graphics card. This introduces a huge attack surface for potential security risks as well as unique types of fingerprinting. It should be disabled.
To Disable WebGL –  Type webgl.disabled into the search bar, and double click on the option that is displayed to set it to true.


Disable Battery API – The Mozilla API can allow a site to track the current battery life of a device, which can be used in conjunction with other methods to identify and track users. To Disable the Battery API – Type dom.battery.enabled into the search bar and double click the option listed to set it to false.

Disable web handshakes that re-use credentials – (more info: SuperCooKeys)

Disable Session Identifiers (HIDDEN FEATURE)
To disable session identifiers: Type about:config into your navigation bar in Firefox, in the screen that pops up, you must right click on a blank area of the page and select new -> boolean.

In the window that pops up, we have to enter the exact name of the hidden feature: security.ssl.disable_session_identifiers and hit OK.

Then we have to search for the feature that we added and make sure that it is set to TRUE.

Enable First-Party Isolation
This feature prevents the browser from making requests to sites outside of the primary domain from the site. This prevents large ubiquitous services from following your keys around the web like a supercookie, and it also prevents all kinds of 3rd party data tracking.To enable first party isolation: Type about:config into your navigation bar in Firefox. In the screen that pops up, enter privacy.firstparty.isolate into the search bar, and make sure that the setting is set to TRUE. (This setting can break websites that rely heavily on 3rd party libraries and scripts.)

Disable TLS False Start
This is because it does not allow the client to fully complete its handshake before starting the actual session. There is more info here from the IETF: https://tools.ietf.org/html/rfc7918#section-4 (See section 5. Security Considerations)
To disable TLS false start: Type about:config into your navigation bar in Firefox. In the screen that pops up, enter security.ssl.enable_false_start into the search bar, and make sure that the setting is set to FALSE.

About Camera and Microphone Access – There are many settings in Firefox related to access to the Camera and Microphone. Recently, Firefox has implemented a number of good security and privacy features surrounding access that make editing these settings unnecessary. Disabling these features in about:config will disable Mic and Camera access globally, rather than allow you to permit access to services that you want (like Jitsi Meet for audio/video chat).
If you NEVER want to use a microphone or webcam through your browser, you can manually disable access. Otherwise, you should allow your permissions built into Firefox to manage access.
------------------------------------------------------------------------

The folks over at PIA VPN wrote designed this awesome framework on how to harden Firefox and make it as safe as possible.  We have use PIA VPN for several years and it is a company that we recommend for our clients.  Their service and pricing is top notch and their technology is very user friendly.  PIA's VPN service is one of the most cost effective cybersecurity tools you could possible implement. 

We are not affiliated with or compensated by PIA (or any other company).  We just believe in their product.

Section 4: Editing Trusted Certificate Authorities

This step takes some trial and error, but dramatically helps reduce your attack surface by outside parties.

First, we need to discuss how the certificate system works. Certificates around the web tell your browser if a site is genuine and they are managed by a group of “root certificates” from organizations around the world. These organizations vouch for the security of their own root certificate and vouch for the validity of all certificates that are made from it. This means that when Typhoon (fake name used for example) creates a certificate for a website, they are telling your browser “this site is genuine because Typhoon says it is.” You are relying on the reputation of Typhoon to keep your browser safe from spoofing.

There’s some inherent problems with this system. How do we know that Typhoon’s security standards are perfect? How do we know that Typhoon would never create an invalid certificate for someone else accidentally? How do we know that Typhoon would never create a fake certificate for a law enforcement agency or spy organization?

Therein lies a large problem. Firefox (and all browsers and operating systems) trust hundreds of these root certificates by default, and for most users around the world, you don’t encounter most of these root certificates in your day to day web use.

You can remove many of these root certificates from Firefox to make it so that you trust far fewer authorities. To access the certificate manager, you go to the settings menu in Firefox, and click on the Privacy and Security pane on the left side. Then you scroll to the bottom of the page and click on “View Certificates…” In the window that opens up, you can scroll through all of the possible certificate authorities and remove trust (by clicking on the Delete or Distrust… button) from all of the authorities for sites that you do not visit or do not trust for ethical reasons.

This step does require some research, you have to find out which certificates are used by the sites you visit, and limit your trusted certificates to those. Also, many of the big American certificate authorities (such as the Amazon Root CAs, DigiTrust, RapidSSL, GeoTrust, GlobalSign) will break a majority of the Internet if you mistrust them.

Personally I tend to mistrust all certificates from languages that I do not speak (which means it is unlikely that i’ll ever run into those certificates around the web) and also eliminate any certificates that cater to local regions such as Taiwan, Switzerland, the Netherlands, etc.

If you accidentally mistrust a certificate that you want to trust once again, you can click on the “edit trust” button in the certificate manager window, and check the boxes for the services that should trust this certificate authority.​

I want to share a quick story from a pen-test I did today because this should terrify you. 

Often times I find interesting vulnerabilities so I wanted to share them with you because I think the idea of what goes on during a pentest is often nebulus to a firm's owner and CCO.  I think the extent of understanding what can be exploited is also lost.

The Client:  $1.6B SEC Registered RIA in Los Angeles.  15 employees.  2 custodians.

The Vulnerability:   I was able to take control of the RIA owner's home surveillance system (16 different internal cameras) and gained admin access to his security system.  I was able to watch his wife fold laundry in the living room. I did ALL of that without ever once having to enter a password.

How did I do it?  Check out the video below.

My thoughts: Penetration testing isn't just for regulatory compliance.  Often times, we are able to catch these major privacy vulnerabilities before others do.  These tests are about protecting your privacy and protecting your client's data.

Not a day goes by where I don't hear some form of the statement: "My BD/RIA/Cloud Storage Provider/Custodian/Landlord/girlfriend  provides all of our cybersecurity needs." 

Unfortunately, many firms are mislead with statements from these providers and they believe their clients are protected.

You can ask yourself these two simple questions to know if you are fully protecting your clients and meeting your compliance obligations:

1.  Do they send you the audit reports each time they do a vulnerability scan?  If the SEC or FINRA comes knocking, you are expected to have the documentation ready.  Curious what documentation they request?  Read here. 
As the old saying goes, "If it isn't documented, it didn't happen."

2.  Does your service provider scan your local network for vulnerabilities and provide a vulnerability assessment report at least annually?  I didn't think so.  If they aren't providing these scans, how do you expect to produce the documentation needed for an exam?

This quick video describes why you might not be protected like you thought you were.

Original release date from CISA: July 30, 2019

The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have released a Joint Ransomware Statement with recommendations for state and local governments to build resilience against ransomware:

1. Back up systems—now (and daily). Immediately and regularly back up all critical agency and system configuration information on a separate device and store the backups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than the one lost, fully patched and updated to the latest version.
2. Reinforce basic cybersecurity awareness and education. Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing, and suspicious links—the most common vectors for ransomware attacks. Remind employees of how to report incidents to appropriate IT staff in a timely manner, which should include out-of-band communication paths.
3. Revisit and refine cyber incident response plans. Have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA, and MS-ISAC, in the event of an attack.

​
CISA encourages organizations to review the Joint Ransomware Statement and the following ransomware guidance:

• MS-ISAC Security Primer on Ransomware
• CISA Tip Sheet on Ransomware
• NGA Disruption Response Planning Memo
• NASCIO Cyber Disruption Planning Guide

Every firm needs a Tech Use policy that should be thorough and distributed to employees during on-boarding and at least once annually as part of your cybersecurity compliance audit.  Make sure you have employees sign off that they both received and read this document.

Here is a sample template you can use to help craft your document.

This is a pastedump of different questions we have seen FINRA/SEC examiners send firms before showing up for an onsite interview.

All questions have been Copied and Pasted Directly from SEC and FINRA requests.  They are not organized in any particular fashion (yet….) If you have any you would like to add to this list, please send me an email
---------------------------------------------------------------------------------------

​For each of the following practices employed by the Firm for management of information security assets, please provide the month and year in which the noted action was last taken; the frequency with which such practices are conducted; the group with responsibility for conducting the practice;
and, if not conducted firmwide, the areas that are included within the practice. Please also provide a copy of any relevant policies and procedures.

• Physical devices and systems within the Firm are inventoried.
• Software platforms and applications within the Firm are inventoried.
• Maps of network resources, connections, and data flows (including locations where customer data is housed) are created or updated.
• Connections to the Firm’s network from external sources are catalogued.
• Resources (hardware, data, 2 factor-authentication,  and software) are prioritized for protection based on their sensitivity and business value.
• Logging capabilities and practices are assessed for adequacy, appropriate retention, and secure maintenance.

------------------------------------------------------------------------------
Please provide a copy of the Firm’s written information security policy and employee usage agreements.

------------------------------------------------------------------------------
Please indicate whether the Firm conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, physical vulnerabilities and potential business consequences.  If such assessments are conducted: a. Who (business group/title) conducts them, and in what month and year was the most recent assessment completed? b. Please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated. 

------------------------------------------------------------------------------
Does the Registrant use any cloud-based storage (e.g., Dropbox, SkyDrive, Google Docs, etc.) for data backup or any other purpose? If so, please list the vendors used and all due diligence research associate with each vendor.  Is the Registrant using a personal or business version of the cloud storage? Please provide a copy of the terms of service agreement from each cloud storage vendor that the Registrant is using.

------------------------------------------------------------------------------
Does the Registrant have any written policies and procedures to govern the use of/access of firm data? If so, please provide copies of the policies and procedures.

------------------------------------------------------------------------------
Has the Registrant every had any data breaches or any other cybersecurity issues (e.g., hacking incidents, ransomware, etc.)? If yes, please provide a timeline and describe the nature of the incident.  If no, please describe how you monitor for breaches.

------------------------------------------------------------------------------
If cybersecurity roles and responsibilities for the Firm’s workforce and managers have been explicitly assigned and communicated, please provide written documentation of these roles and responsibilities. If no written documentation exists, please provide a brief description. 

------------------------------------------------------------------------------
Please provide a copy of the Firm’s written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident if one exists. 

------------------------------------------------------------------------------
Does the Firm have a Chief Information Security Officer or equivalent position? If so, please identify the person and title. If not, where does principal responsibility for overseeing cybersecurity reside within the Firm?

------------------------------------------------------------------------------
Does the Firm maintain insurance that specifically covers losses and expenses attributable to cybersecurity incidents? If so, please briefly describe the nature of the coverage and indicate whether the Firm has filed any
claims, as well as the nature of the resolution of those claims. 

------------------------------------------------------------------------------
Does the Registrant allow employees (or any person) to access any personal web-based e-mail accounts (e.g., Google, Yahoo Mail, Hotmail, etc.) from the firm’s networks? If no, what steps has the Registrant taken to block network access to personal e-mail?

------------------------------------------------------------------------------
Does the Registrant allow employees (or any person) to use their personal e-mail for business purposes? If yes, what types of information are transmitted via web-based e-mail? Is web-based e-mail used for client communications?
------------------------------------------------------------------------------
Does the Registrant use a web-based e-mail provider’s or its own server for e-mail? If the Registrant is using a web-based e-mail account does it have a business account with the provider?  Do any other entities share the same email server?

------------------------------------------------------------------------------
Please provide a copy of the terms of service agreement from each web-based e-mail provider that the Registrant is using.

------------------------------------------------------------------------------
Does the Registrant maintain records of web-based e-mail communications? If so, how are the records maintained? Does compliance review web-based e-mail communications?

------------------------------------------------------------------------------
Does the Registrant have any written policies and procedures to govern the access to/use of/maintenance of/review of web-based e-mail? If yes, please provide copies of the policies and procedures.

------------------------------------------------------------------------------
Please identify any published cybersecurity risk management process standards, such as those issued by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO), the Firm has used to model its information security architecture and processes. 

------------------------------------------------------------------------------
Please indicate which of the following practices and controls regarding the protection of its networks and information are utilized by the Firm, and provide any relevant policies and procedures for each item. 

1. The Firm provides written guidance and periodic training to employees concerning information security risks and responsibilities. If the Firm provides such guidance and/or training, please provide a copy of any related written materials (e.g., presentations) and identify the dates, topics, and which groups of employees participated in each training event conducted since January 1, 2013. 
   
2. The Firm maintains controls to prevent unauthorized escalation of user privileges and lateral movement among network resources. If so, please describe the controls, unless fully described within policies and procedures. 
   
3. The Firm restricts users to those network resources necessary for their business functions. If so, please describe those controls, unless fully described within policies and procedures. 
   
4. The Firm maintains an environment for testing and development of software and applications that is separate from its business environment. 
   
5.  The Firm maintains a baseline configuration of hardware and software, and users are prevented from altering that environment without authorization and an assessment of security implications. 
   
6. The Firm has a process to manage IT assets through removal, transfers, and disposition. 
   
7. The Firm has a process for ensuring regular system maintenance, including timely installation of software patches that address security vulnerabilities. 
   
8. The Firm’s information security policy and training address removable and mobile media.
   
9.  The Firm maintains controls to secure removable and portable media against malware and data leakage. If so, please briefly describe these controls. 
   
10. The Firm maintains protection against Distributed Denial of Service (DDoS) attacks for critical internet-facing IP addresses. If so, please describe the internet functions protected and who provides this protection. 
    
11. The Firm maintains a written data destruction policy. 
    
12. The Firm maintains a written cybersecurity incident response policy. If so, please provide a copy of the policy and indicate the year in which it was most recently updated. Please also indicate whether the Firm conducts tests or exercises to assess its incident response policy, and if so, when and by whom the last such test or assessment was conducted. 
    
13. The Firm periodically tests the functionality of its backup system. If so, please provide the month and year in which the backup system was most recently tested.
    

------------------------------------------------------------------------------
Please indicate whether the Firm makes use of encryption. If so, what categories of data, communications, and devices are encrypted and under what circumstances? 

------------------------------------------------------------------------------
Please indicate whether the Firm conducts periodic audits of compliance with its information security policies. If so, in what month and year was the most recent such audit completed, and by whom was it conducted? 

------------------------------------------------------------------------------
Please indicate whether the Firm provides customers with on-line account access. If so, please provide the following information:
a. The name of any third party or parties that manage the service.
b. The functionality for customers on the platform (e.g., balance inquiries, address and contact information changes, beneficiary changes, transfers among the customer’s accounts, withdrawals or other external transfers of funds). c. How customers are authenticated for on-line account access and transactions.
d. Any software or other practice employed for detecting anomalous transaction requests that may be the result of compromised customer account access.
e. A description of any security measures used to protect customer PINs stored on the sites.
f. Any information given to customers about reducing cybersecurity risks in conducting transactions/business with the Firm. 

------------------------------------------------------------------------------
Please provide a copy of the Firm’s procedures for verifying the authenticity of email requests seeking to transfer customer funds. If no written procedures exist, please describe the process. 

------------------------------------------------------------------------------
Please provide a copy of any Firm policies for addressing responsibility for losses associated with attacks or intrusions impacting customers. a. Does the Firm offer its customers a security guarantee to protect them against hacking of their accounts? If so, please provide a copy of the guarantee if one exists and a brief description. 

------------------------------------------------------------------------------
If the Firm conducts or requires cybersecurity risk assessments of vendors and business partners with access to the Firm’s networks, customer data, or other sensitive information, or due to the cybersecurity risk of the outsourced function, please describe who conducts this assessment, when it is required, and how it is conducted. If a questionnaire is used, please provide a copy. If assessments by independent entities are required, please describe any standards established for such assessments.

------------------------------------------------------------------------------
If the Firm regularly incorporates requirements relating to cybersecurity risk into its contracts with vendors and business partners, please describe these requirements and the circumstances in which they are incorporated. Please provide a sample copy.

------------------------------------------------------------------------------
Please provide a copy of policies and procedures and any training materials related to information security procedures and responsibilities for trainings conducted since January 2017 for vendors and business partners authorized to access its network. 

------------------------------------------------------------------------------
If the Firm assesses the segregation of sensitive network resources from resources accessible to third parties, who (business group/title) performs this assessment, and provide a copy of any relevant policies and procedures? 

------------------------------------------------------------------------------
If vendors, business partners, or other third parties may conduct remote maintenance of the Firm’s networks and devices, describe any approval process, logging process, or controls to prevent unauthorized access, and provide a copy of any relevant policies and procedures. 

------------------------------------------------------------------------------
For each of the following practices employed by the Firm to assist in detecting unauthorized activity on its networks and devices, please briefly explain how and by whom (title, department and job function) the practice is carried out.
• Identifying and assigning specific responsibilities, by job function, for detecting and reporting suspected unauthorized activity.
• Maintaining baseline information about expected events on the Firm’s network.
• Aggregating and correlating event data from multiple sources.
• Establishing written incident alert thresholds.
• Monitoring the Firm’s network environment to detect potential cybersecurity events.
• Monitoring the Firm’s physical environment to detect potential cybersecurity events.
• Using software to detect malicious code on Firm networks and mobile devices.
• Monitoring the activity of third party service providers with access to the Firm’s networks.
• Monitoring for the presence of unauthorized users, devices, connections, and software on the Firm’s networks.
• Evaluating remotely-initiated requests for transfers of customer assets to identify anomalous and potentially fraudulent requests.
• Using data loss prevention software.
• Conducting penetration tests and vulnerability scans. If so, please identify the month and year of the most recent penetration test and recent vulnerability scan, whether they were conducted by Firm employees or third parties, and describe any findings from the most recent risk test and/or assessment that were deemed to be potentially moderate or high risk but have not yet been addressed.
• Testing the reliability of event detection processes. If so, please identify the month and year of the most recent test.
• Using the analysis of events to improve the Firm’s defensive measures and policies.

------------------------------------------------------------------------------
Did the Firm update its written supervisory procedures to reflect the Identity Theft Red Flags Rules, which became effective in 2013 (17 CFR § 248—Subpart C—Regulation S-ID)?
a. If not, why? 

------------------------------------------------------------------------------
How does the Firm identify relevant best practices regarding cybersecurity for its business model? 

------------------------------------------------------------------------------
Since January 1, 2016, has your Firm experienced any of the following types of events? If so, please provide a brief summary for each category listed below, identifying the number of such incidents (approximations are acceptable when precise numbers are not readily available) and describing their significance and any effects on the Firm, its customers, and its vendors or affiliates. If the response to any one item includes more than 10 incidents, the respondent may note the number of incidents and describe incidents that resulted in losses of more than $5,000, the unauthorized access to customer information, or the unavailability of a Firm service for more than 10 minutes. The record or description should, at a minimum, include: the extent to which losses were incurred, customer information accessed, and Firm services impacted; the date of the incident; the date the incident was discovered and the remediation for such incident.
• Malware was detected on one or more Firm devices. Please identify or describe the malware.
• Access to a Firm web site or network resource was blocked or impaired by a denial of service attack. Please identify the service affected, and the nature and length of the impairment.
• The availability of a critical Firm web or network resource was impaired by a software or hardware malfunction. Please identify the service affected, the nature and length of the impairment, and the cause.
• The Firm’s network was breached by an unauthorized user. Please describe the nature, duration, and consequences of the breach, how the Firm learned of it, and how it was remediated.
• The compromise of a customer’s or vendor’s computer used to remotely access the Firm’s network resulted in fraudulent activity, such as efforts to fraudulently transfer funds from a customer account or the submission of fraudulent payment requests purportedly on behalf of a vendor.
• The Firm received fraudulent emails, purportedly from customers, seeking to direct transfers of customer funds or securities.
• The Firm was the subject of an extortion attempt by an individual or group threatening to impair access to or damage the Firm’s data, devices, network, or web services.
• An employee or other authorized user of the Firm’s network engaged in misconduct resulting in the misappropriation of funds, securities, sensitive customer or Firm information, or damage to the Firm’s network or data.
 
------------------------------------------------------------------------------
Since January 1, 2016, if not otherwise reported above, did the Firm, either directly or as a result of an incident involving a vendor, experience the theft, loss, unauthorized exposure, or unauthorized use of or access to customer information? Please respond affirmatively even if such an incident resulted from an accident or negligence, rather than deliberate wrongdoing. If so, please provide a brief summary of each incident or a record describing each incident. Please indicate whether it was reported to the following:
• Law enforcement (please identify the entity)
• FinCEN (through the filing of a Suspicious Activity Report)
• FINRA • A state or federal regulatory agency (please identity the agency and explain the manner of reporting)
• An industry or public-private organization facilitating the exchange of information about cybersecurity incidents and risks 
------------------------------------------------------------------------------
What does the Firm presently consider to be its three most serious cybersecurity risks, and why? 

------------------------------------------------------------------------------
Please feel free to provide any other information you believe would be helpful to the Securities and Exchange Commission in evaluating the cybersecurity posture of the Firm or the securities industry.  

Are you a new CCO looking to get your head around your cybersecurity framework or a seasoned pro looking for a checklist?

Either way, these 12 steps help you strengthen your cybersecurity defenses.

To be clear: These are not a "nice to have" or "a cool feature". This stuff is mandatory for ALL firms.
​

1. Install and maintain firewalls to protect data
2. Change default passwords on all firm  devices and systems (ESPECIALLY your router and modem)
3. Encrypt all hard drives.
4. Encrypt transmission of client data.
5. Use Antivirus and Antimalware software on all firm devices. Use VPN services for all mobile devices.
6. Use only software and systems that allow for 2-factor authentication. Physical keys like Yubiko or Thetis are preferred.
7. Restrict access to sensitive data. Only those with a need get access.
8. Assign unique usernames to all employees who access your client's data. No sharing of passwords. Ever.
9. Restrict physical access to the data. Lock your office, enable mobile wipe, GPS tracking, etc.
10. Monitor and log all access to data and network resources.
11. Perform vulnerability scans and penetration tests on your network at least annually.
12. Document Everything! If you don't properly document it, it didn't happen.

​

It is a chore. I get it. But, as CCO, you are required to be performing cybersecurity due diligence audits on all third-party vendors that "touch" your client's personally identifiable information (PII).

Here is a quick guide to help you streamline this process.

Understand what data you will be providing to the vendor.
Not all vendors have the same access. Determine the sensitive nature of the data, the source of the data, and which internal systems the vendor will have access to.

Understand which products and services you are interested in (or using)
A vendor may offer both hosted services and on-premise software. Each service provider and service offering will have a different set of questions that need to be asked. If you let the vendor know which services you are using or interested in the vendors can provide the most relevant information. If you ask for an assessment applicable to all their products and services you’re much less likely to get a usable response.

Craft the questions to the specific risks associated with that particular vendor:
The vendor may already have documentation readily available that covers your concerns (and many more) so be sure to ask for that. If they have a been through a third party cybersecurity audit, you can ask for those results (Heads Up : The vendor will usually require an NDA before providing you with the reports.)

If adequate documentation is not available, here are some customizable vendor security questionnaires you can start with to craft your own:

• Consensus Assessments Initiative Questionnaire (CAIQ) offered by the Cloud Security Alliance
• Standardized Information Gathering (SIG) questionnaire sold by Shared Assessments
• Vendor Security Alliance questionnaire

When choosing which questions to include in your outreach, consider the following:

• Where will the vendor store your data?
• How will the vendor encrypt your data? (In transit, in use, and at rest?)
• How robust is the vendor’s ability to identify, respond to and notify you of a security incident affecting your data/systems? What protocols and systems are in place?
• How long will the vendor retain the data? Do they meet SEC and FINRA compliance requirements?

If this vendor is a critical part of your business operations (trading platform, custodian, etc), you will also want to understand:

• What steps does the vendor take to ensure resilience and business continuity in the event of external and internal disruptive events?

Ongoing Maintenance
I suggest that you reassess your due diligence assessment annually as part of your annual compliance review.
And, of course, if you don't document this process, it didn't happen.

Document everything.



​