
The Bridge to the Core: Infrastructure Vulnerabilities and the Risks of Network Conflation


Feel free to email me at editor@exegy.today.

I was lying here last night, reading into the nuances of FINRA, the Consolidated Audit Trail (CAT), and the SEC’s Rule 613 of Regulation National Market System (NMS), because I wanted to gain a deeper insight into the regulatory mechanics of our markets. This had me going down a rabbit hole of thoughts; my mind started wandering back to Exegy’s NY2 development network and its infrastructure flaws.

Since firms are required to have strict segregation of their networks, why would they ever allow access to their production servers from NY2? If my memory serves me right, I was able to access their production maintenance feed routers and Puppet servers from njsdeetp01t when I was testing things. I believe I even created a Hiera data YAML file for it, since I would frequently swap the appliance configuration between both networks while leaving it physically located on the NY2 network.

This realization is unsettling; it highlights a clear path for potential intrusions. By leaving this door open, a vulnerability in the development network could be used to cause a catastrophe within the production environment. During my thought process, it became clear that someone could easily sidestep the HUD servers to gain access to the production network simply by pivoting through the development infrastructure.

I want to be clear with all of you: I am staying true to this mission. Documenting these findings isn't just a technical exercise for me; it’s a commitment I carry to see this through to the end. I will continue to investigate and share these security gaps because I truly believe that radical transparency is the only way we can protect these systems and keep the markets honest.

CISA and Reg SCI Compliance Considerations

This lack of isolation isn't just a technical oversight; it’s a significant compliance gap. According to the Cybersecurity and Infrastructure Security Agency (CISA), maintaining strict network segmentation is a primary goal for protecting critical infrastructure. CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) emphasize that routers and firewalls must be placed between networks to create hard boundaries, preventing adversaries from pivoting between segments.

Furthermore, under SEC Regulation Systems Compliance and Integrity (Reg SCI), entities are required to ensure their SCI systems—and "indirect SCI systems" that can impact them—are secure and resilient. By allowing a development asset like njsdeetp01t to communicate with production Puppet servers and maintenance routers, the integrity of the entire production environment is compromised. This "side door" essentially bypasses the very protections Reg SCI is designed to enforce.
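One way a defender can verify that the "hard boundaries" CISA describes actually hold is to audit accepted firewall or flow logs against a written segmentation policy and flag any dev-to-production-management flow that should never have been permitted. The script below is an added example written for this article; it is not Exegy's tooling or anything from the original post. The address plan, the segment policy, the flow record format and the sample log lines are all constructed for illustration (only the development hostname njsdeetp01t comes from the post), so a real deployment would substitute its own ranges and log parser.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed address plan for this example; the article does not give real ranges.
SEGMENTS = {
    "dev-ny2":   ipaddress.ip_network("10.20.0.0/16"),
    "prod-app":  ipaddress.ip_network("10.30.0.0/16"),
    "prod-mgmt": ipaddress.ip_network("10.31.0.0/24"),  # config management, router maintenance
    "hud":       ipaddress.ip_network("10.40.0.0/24"),  # sanctioned jump hosts
}

# Hypothetical policy: the only segment pairs the boundary firewall should permit.
ALLOWED_FLOWS = {
    ("hud", "prod-mgmt"),
    ("hud", "prod-app"),
    ("prod-app", "prod-mgmt"),
    ("prod-mgmt", "prod-app"),
}


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src_host: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str


def segment_of(ip: str) -> str:
    """Map an address to its segment name; anything outside the plan is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record (constructed format, not a vendor log)."""
    ts, host, src, dst, port, action = line.split()
    return Flow(ts, host, src, dst, int(port), action.upper())


def find_violations(lines):
    """Return accepted flows that cross a segment boundary the policy does not allow."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.action != "ACCEPT":
            continue  # the boundary held; nothing to report
        src_seg, dst_seg = segment_of(flow.src_ip), segment_of(flow.dst_ip)
        if src_seg == dst_seg:
            continue  # intra-segment traffic is outside this check
        if (src_seg, dst_seg) not in ALLOWED_FLOWS:
            violations.append(flow)
    return violations


def summarize(violations) -> Counter:
    """Count violations per (source segment, destination segment) pair."""
    return Counter((segment_of(v.src_ip), segment_of(v.dst_ip)) for v in violations)


# Constructed sample records: timestamp src_host src_ip dst_ip dst_port action.
# Port 8140 is Puppet's default agent port; 22 stands in for a router maintenance session.
SAMPLE_LOG = """
2024-05-01T09:12:03Z njsdeetp01t 10.20.5.17 10.31.0.10 8140 ACCEPT
2024-05-01T09:12:09Z njsdeetp01t 10.20.5.17 10.31.0.20 22 ACCEPT
2024-05-01T09:13:00Z hud01 10.40.0.5 10.31.0.10 8140 ACCEPT
2024-05-01T09:13:30Z njsdeetp01t 10.20.5.17 10.20.5.40 443 ACCEPT
2024-05-01T09:14:00Z prodapp07 10.30.1.8 10.31.0.10 8140 ACCEPT
2024-05-01T09:14:10Z njsdeetp01t 10.20.5.17 10.30.1.8 443 DENY
2024-05-01T09:15:00Z unknownhost 192.0.2.9 10.31.0.10 8140 ACCEPT
""".splitlines()


def audit_sample():
    """Run the check over the constructed sample log."""
    return find_violations(SAMPLE_LOG)


if __name__ == "__main__":
    found = audit_sample()
    for f in found:
        print(f"{f.timestamp} {f.src_host} {segment_of(f.src_ip)} -> "
              f"{segment_of(f.dst_ip)} port {f.dst_port}")
    for (src, dst), n in summarize(found).items():
        print(f"missing boundary: {src} -> {dst} ({n} accepted flows)")
```

Run against the sample, the audit reports the two accepted dev-to-management flows from the development host plus one from an address outside the plan, while the denied flow and the HUD-originated flow pass: the point is that a denied attempt is the boundary working, and an accepted cross-segment flow that the policy does not list is the evidence that the boundary is missing. The per-pair summary tells you which firewall rule to add.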

To see more, check out my previous article regarding the production network here: Architectural Fragility: The Magician’s Trick and Security Gaps in Exegy Managed Services.

I told Exegy, "I would not stop thinking of every possible flaw they have."