The May 2019 Microsoft patch releases included an update for a very high-risk vulnerability (CVE-2019-0708, aka BlueKeep) that affects Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2. This vulnerability allows an unauthenticated attacker (or malware) to remotely execute code on the vulnerable system. It is considered as VERY high risk, particularly for systems with Remote Desktop Protocol (RDP, port 3389) directly exposed to the Internet. However if a system inside the network is compromised it could easily spread to other PC's and servers because RDP is enabled by default.

What is the FSSCC Cybersecurity Profile? The FSSCC Cybersecurity Profile was published on October 25, 2018 by the Financial Services Sector Coordinating Council (FSSCC). The FSSCC is a private entity comprised of 70 members from financial services organizations. Their cybersecurity profile has multiple tiers, which allow users to answer a scalable set of questions. This scaling is designed to provide an expedited assessment of the user's organization's cybersecurity preparedness.

Cybersecurity budgets for financial institutions are continuing to increase in an effort to keep pace with advances in technology. CoNetrix conducted a survey to gain insights into cybersecurity and how institutions are using their funds to support their cybersecurity program. 

On April 2, 2019, the Federal Deposit Insurance Corporation (FDIC) released a new financial institution letter (FIL-19-2019) called "Technology Service Provider Contracts." Why was this guidance published? When FIL-19-2019 was published, it had been five years, almost to the date, since the last vendor management guidance was released by the FDIC (see FIL-13-2014, published on April 7, 2014). Presumably, it was a good time for a reminder about vendor management expectations.

For many financial institutions, Business Continuity Plan (BCP) tests are easy to identify and trivial to document as senior management is familiar with the concept and the tests occur on a fairly frequent basis, either because they are scheduled in advance or because Internet/phone/power outages happen to every business at some point. When it comes to the Incident Response Plan (IRP) tests, however, the situation is not so clear. Whether this is because the FFIEC actually includes Incident Response Testing as part of the Business Continuity Planning Booklet or because, like things that happen in Vegas, incidents aren't spoken of after they occur. Additionally, it may depend on who you ask and if there's any resulting reputational damage, just to make things even muddier.

On April 24th, CoNetrix released their inaugural report, The State of Cybersecurity in the Financial Institution Industry. In order to understand the industry better, CoNetrix distributed a 44-question survey to individuals of financial institutions. The survey remained open from November 1, 2018 through January 31, 2019. At the end of that timeframe, CoNetrix received 243 completed survey responses.

Nearly 200 auditors, bankers, examiners, and credit union professionals gathered in Allen, Texas for the 9th annual CoNetrix KEYS Conference. Designed to provide Knowledge Essential to Your Security (KEYS), the April 2019 event attracted attendees from financial institutions across the United States.

In the course of my work, I find myself visiting several financial institutions throughout the year. Although these institutions vary in size and complexity, many of them share several common deficiencies. Some of the prevalent security mistakes listed in this article may be resolved with relatively simple implementations, but others can take more substantial amounts of time and user training to remediate. Fixing these five deficiencies would greatly help to improve the security of any institution.

Many businesses and financial institutions have seen an increase in the number of employee-owned devices over the past few years. Employees are using these devices to access email, download files, launch a remote desktop, or use a Virtual Private Network (VPN) connection for a remote "on network" experience.

Microsoft has been emphasizing Office 365 subscription services since the public introduction in 2011. As a result, the popularity of these services has grown to over 155 million active users as of October 2018, and is gaining new users at over 3 million seats per month. With this growth, on-going marketing, and the increasing acceptance of public cloud services, many businesses and financial institutions are starting to look at Office 365.

When something really messes up Chrome, being logged into your Google account and having Chrome sync settings makes repairing things pretty painless.  Recently, I couldn't get my LastPass Chrome extension to log into my LastPass account. Since I rely heavily on LastPass to handle various website credentials, I'm handicapped if I can't get it working in the browser extension.

I came across a few customers having trouble opening PDF attachments while in Quickbooks. The following message would be displayed, and sometimes it would be random. "There is a problem with Adobe Acrobat/Reader. If it is running, please exit and try again. (523:523)"