One of the challenges community banks face in selecting an IT audit partner is the confidence they are comparing apples to apples when reviewing security-testing proposals. Not only do the definition of terms vary, some audit firms sell an "IT Audit" that is nothing more than a GLBA regulatory compliance audit. Though confirming your Information Security Program meets your examiners' expectations is important, an audit without a thorough internal network assessment really is not an IT audit. Your technical controls like patch management, malware protection, user access controls, Internet content filtering, file access controls, etc. are where the rubber meets the road. If these controls are not functioning as intended, it becomes a moot point you have them faithfully listed in your InfoSec Risk Assessment and Policies.

CoNetrix is pleased to announce two candidates for consideration in the BankNews 2018 Innovative Solutions Awards. The 2018 Innovative Solutions Awards, sponsored by BankNews, recognize companies that have introduced or significantly enhanced products designed to help community banks become more efficient, expand their capabilities and, ultimately, better serve their customers. The Innovative Solutions Awards are presented in five categories:

What is Colorado Cybersecurity Regulation (HB 18-1128)? On January 19, 2018, the General Assembly of the State of Colorado introduced House Bill 18-1128, Concerning Strengthening Protections for Consumer Data Privacy. The regulation was signed into law on May 29, 2018 and goes into effect on September 1, 2018.

We had a customer report that all browser windows were closing for users and this was increasing in frequency. Most of the users reporting the issue were at the corporate office, which has about 150 users and is where the IT department is located. I performed a remote session with on the users and confirmed the issue. Internet Explorer, Chrome, and Firefox all would close, not crash, at the same time.

Several months ago, I stumbled across a comic that was a perfect representation of the battle institutions and IT departments face every day. It was a boxing ring, with a ring announcer introducing the participants in the corners of the ring. One corner contained firewalls, encryption, antivirus software, and other layers of data security while the opposing corner contained "Dave," a hapless user wearing a shirt emblazoned with the words "Human Error." This comic is both funny, because many of us know a "Dave," and disheartening, because no matter how much money and time are spent on network layout, configuration, and security, the harsh reality is it only takes one user on the other side of the mouse, clicking on the wrong item, to wreak havoc on your network. While incidents are still going to occur, they can be reduced with routine and thorough employee security awareness training.

How do you know what due diligence documents to gather from each of your vendors? There are many methods available, but some result in more accurate documentation than others. Today, I'm going to review two of the primary methods and discuss the effectiveness of each method. Method #1: The Bucket Method

We recently moved a customer from a datacenter at one of their locations to a large datacenter in the Dallas/Ft. Worth area. One of the devices we moved was a Meraki MX84 being used as a VPN concentrator. A VPN concentrator works by extending the network the VPN concentrator is on to the access points. Basically, wireless clients at all locations get an IP address on the same layer two network. This is important for a few reasons. First, the VPN concentrator needs to be in it's own VLAN/DMZ. Second, something on the layer two network the VPN concentrator is connect to needs to be handing out DHCP addresses. In our case, we used a Fortigate UTM to run the DHCP server for that subnet. Third, traffic needs to be allowed outbound to the Internet from all clients on the VPN concentrator layer two network so clients can connect to the Internet. The traffic is tunneled from the access points to the VPN concentrator, so the traffic does not intermix with the normal network traffic.

As a part of a recent data center move we had to reconfigure several APC management cards. The first thing that I did to each of these NMCs was to reset to factory defaults and update the firmware.