Common IT Audit Findings

By: (CISSP, CISA, Security+)

Publication: The Colorado Banker , January/February 2013

A common axiom in the world of information security is that convenience and security are inversely related, or in other words, as security increases, convenience decreases. You have, no doubt, experienced this in your bank as well as in your personal life. From a banking standpoint, annual IT audits and exams are probably not the most convenient use of your time, but they should be testing current controls and showing you controls to add, thereby increasing your physical and logical security. Below are some of the most common security issues I see in banks.

Local Administrators: It is very common to find users granted administrator privileges on their local workstations. It is convenient for installing programs or updates, but it is also much less secure, because a great deal of malicious software depends on local admin rights to install itself system-wide, disable protections, or persist across reboots. Running users as standard users on their workstations stops a large share of the malicious software introduced on your network. One obstacle to removing local admin privileges may be some of the bank software you use, which was written assuming the user is an administrator; that is a security issue worth raising with your vendors, and the fix is usually to grant rights to the specific folders or registry keys the application needs rather than to the whole machine.
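The first step toward fixing this finding is knowing who actually holds local admin rights today. The following script is an added example for this article, not code from the original, and it assumes a few things: workstation names are in a file named workstations.txt, PowerShell Remoting is enabled on the workstations (so Invoke-Command works), and the domain is called BANK with a group named Workstation Admins that is allowed to hold the right. It reports any member of the local Administrators group that is not on that allowed list.

```powershell
# Added example (not from the original article): report who is a local
# administrator on each workstation and flag anything outside the allowed set.
# Assumptions (hypothetical): .\workstations.txt lists the computers, PowerShell
# Remoting is enabled, and "BANK" is the NetBIOS name of the domain.
$computers = Get-Content -Path .\workstations.txt
$allowed   = @('Administrator', 'BANK\Domain Admins', 'BANK\Workstation Admins')

# Get-LocalGroupMember ships with Windows PowerShell 5.1 and later; run it on
# each target so the names come back relative to that machine.
$members = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$members |
    Where-Object {
        # Local accounts come back as "HOSTNAME\Name"; strip the host so the
        # built-in Administrator account compares equal on every machine.
        $short = $_.Name -replace ('^' + [regex]::Escape($_.PSComputerName) + '\\'), ''
        $allowed -notcontains $short
    } |
    Sort-Object PSComputerName, Name |
    Format-Table @{n='Computer'; e={$_.PSComputerName}}, Name, ObjectClass, PrincipalSource -AutoSize
```

Every row in the output is a finding to explain: a user account listed directly, a "Users" or "Authenticated Users" group that someone nested into Administrators, or a stale local account from an old imaging process. Run it again after the cleanup and the report should be empty.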

Passwords: You have probably enforced password complexity requirements on your network. In spite of that, it is not uncommon to see complex passwords that are not strong passwords. The classic example is Password1. It satisfies the Windows complexity rule (at least three of the character classes: uppercase, lowercase, digits, symbols), but it is one of the first guesses any attacker or cracking tool makes, and no complexity setting will stop it; that takes user training and, where your systems support it, screening new passwords against a list of common ones. Encourage the use of passphrases instead of passwords, and you will take care of these simple passwords in the process. Passphrases can be built from song lyrics or favorite quotes, ideally altered so they are not the verbatim line, since well-known lyrics and quotes are themselves in cracking dictionaries. By capitalizing and punctuating, users end up with extremely strong, long passwords that are also easy to remember.
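The gap between "complex" and "strong" is easy to demonstrate. The function below is an added example written for this article, not part of the original; it applies the same three-of-four character-class test Windows uses, then normalizes the password (lowercases it, drops trailing digits and symbols, undoes common substitutions such as @ for a and 0 for o) and checks whether what is left is an ordinary word. The word list is a small constructed sample; in practice you would use a full banned-password list, and the length thresholds are illustrative choices, not a standard.

```powershell
# Added example (not from the original article): a password can pass the
# Windows complexity rule and still be weak. The word list and the length
# thresholds below are illustrative assumptions, not a standard.
$CommonWords = @('password', 'welcome', 'summer', 'winter', 'letmein', 'colorado', 'banker')

function Test-PasswordQuality {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinLength = 8      # whatever your policy sets
    )

    # Windows "complexity": three of the four character classes
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    $complex = ($Password.Length -ge $MinLength) -and ($classes -ge 3)

    # Strip the "1" or "!" people bolt on to the end, then undo leet
    # substitutions, so P@ssw0rd1 and Password1 both reduce to "password".
    $base = $Password.ToLower() -replace '[^a-z]+$', ''
    $base = $base -replace '@', 'a' -replace '\$', 's' -replace '0', 'o' -replace '1', 'i' -replace '3', 'e' -replace '!', 'i'
    $commonBase = $CommonWords -contains $base

    $verdict = if (-not $complex -or $commonBase) { 'Weak' }
               elseif ($Password.Length -ge 15)  { 'Strong' }
               else                               { 'Acceptable' }

    [pscustomobject]@{
        Length           = $Password.Length
        MeetsComplexity  = $complex
        CommonWordBase   = $commonBase
        Verdict          = $verdict
    }
}

# Constructed samples: the first two pass complexity yet are weak; the last is a
# punctuated passphrase of the kind the article recommends.
'Password1', 'P@ssw0rd!', 'Rocky Mountain High, 1972!' | ForEach-Object {
    Test-PasswordQuality -Password $_ | Add-Member -NotePropertyName Sample -NotePropertyValue $_ -PassThru
} | Format-Table Sample, Length, MeetsComplexity, CommonWordBase, Verdict -AutoSize
```

Password1 and P@ssw0rd! both show MeetsComplexity as True and Verdict as Weak; the passphrase shows Strong. That is the point to make in user training: the policy setting tells you a password is complex, and only a person (or a banned-word check) tells you it is not predictable.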

Patch Management: Patches are hard to manage in a simple home environment; in a complex bank network with many users and many programs, it is no wonder they fall through the cracks so often. As more sophisticated malware exposes the limits of antivirus software, patch management is more crucial now in defending your network from attacks than in years past. Most environments have a handle on Microsoft patches, but third-party software such as Adobe Reader and Java is still difficult to keep current, and those products are the ones most often targeted through a malicious PDF or web page. Adobe and Java updates are typically released to address security vulnerabilities, so patching third-party software should be part of your regular network maintenance or automated with a patch management solution, and you should be able to show an examiner an inventory of which versions are installed where.
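You cannot manage third-party patches you cannot see, so an inventory is the place to start. The script below is an added example for this article, not code from the original; it reads each workstation's installed-programs registry keys (both the 64-bit and the 32-bit Uninstall hives), pulls out the Adobe Reader and Java entries, and compares the version to a baseline you maintain. The baseline numbers in the script are placeholders, not current releases: look up the current secure version from the vendor's security bulletin each time you run it. It assumes workstations.txt lists the computers and that PowerShell Remoting is enabled.

```powershell
# Added example (not from the original article): inventory Adobe Reader and
# Java versions across workstations and flag anything below your baseline.
# The baseline versions are placeholders (assumptions); replace them with the
# version in the vendor's current security bulletin before each run.
$Baseline = @{
    'Adobe Reader' = [version]'11.0.0'   # placeholder, not a real baseline
    'Java'         = [version]'8.0.0'    # placeholder, not a real baseline
}
$computers = Get-Content -Path .\workstations.txt

$inventory = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    # Both hives: native installs and 32-bit installs on 64-bit Windows
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Adobe Reader|Adobe Acrobat|Java' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

$inventory | ForEach-Object {
    $app = $_
    # Match the product name to a baseline entry (e.g. "Java 8 Update 5" -> Java)
    $product = $Baseline.Keys | Where-Object { $app.DisplayName -match $_ } | Select-Object -First 1
    if (-not $product) { return }

    # Treat an unparseable version string as 0.0 so it shows up for review
    $installed = $null
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$installed)) { $installed = [version]'0.0' }

    [pscustomobject]@{
        Computer   = $app.PSComputerName
        Product    = $app.DisplayName
        Installed  = $app.DisplayVersion
        Baseline   = $Baseline[$product]
        NeedsPatch = $installed -lt $Baseline[$product]
    }
} | Where-Object NeedsPatch | Sort-Object Computer | Format-Table -AutoSize
```

Schedule it weekly and keep the output; a dated series of shrinking reports is exactly the evidence an auditor asks for when the question is whether third-party patching is actually happening.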

Mobile Devices: To revisit the convenience/security axiom, mobile devices are extremely convenient, and by the same axiom they carry risks that desktop workstations do not. You have taken great care to physically and logically protect the workstations and servers in your bank, but a laptop takes your data outside of your alarm system and firewall, where it can be lost, stolen, or connected to a hostile network. Because of that, laptop security controls should include whole-disk encryption (so a stolen drive yields no customer data), a host-based firewall that stays on away from the office, physical security controls (e.g. cable locks), and user security training.
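Two of those controls, whole-disk encryption and the host firewall, can be verified remotely rather than taken on faith. The script below is an added example written for this article, not code from the original; it uses the BitLocker and NetSecurity modules that ship with Windows 8 / Server 2012 and later, assumes laptops.txt lists the machines and that PowerShell Remoting is enabled, and reports any laptop whose operating-system drive is not fully encrypted with protection turned on, or that has any firewall profile disabled.

```powershell
# Added example (not from the original article): check that each laptop's
# system drive is BitLocker-encrypted with protection on and that no Windows
# Firewall profile has been switched off. Assumptions: .\laptops.txt lists the
# laptops, PowerShell Remoting is enabled, and the laptops run Windows 8 or later.
$laptops = Get-Content -Path .\laptops.txt

$results = Invoke-Command -ComputerName $laptops -ErrorAction Continue -ScriptBlock {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $fw = Get-NetFirewallProfile          # Domain, Private and Public profiles

    $fwOff   = $fw | Where-Object { -not $_.Enabled } | ForEach-Object Name
    $tpmKeys = $os.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*'

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        VolumeStatus   = $os.VolumeStatus       # want FullyEncrypted
        Protection     = $os.ProtectionStatus   # want On (protectors active)
        TpmProtector   = [bool]$tpmKeys          # key sealed to the TPM, not a password only
        FirewallOff    = ($fwOff -join ',')      # profiles that are disabled
        Compliant      = ($os.VolumeStatus -eq 'FullyEncrypted') -and
                         ($os.ProtectionStatus -eq 'On') -and
                         (-not $fwOff)
    }
}

# Show only the laptops that need attention
$results | Where-Object { -not $_.Compliant } |
    Format-Table Computer, VolumeStatus, Protection, TpmProtector, FirewallOff -AutoSize
```

A drive that reports EncryptionInProgress or a ProtectionStatus of Off (which happens after someone suspends BitLocker for a firmware update and forgets to resume it) is just as exposed as one that was never encrypted, which is why the check looks at both values rather than at whether BitLocker is merely installed.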

A good security posture is a layered security posture. Ensuring your network is adequately protected in the areas mentioned above will add several layers of protection and will help thwart many threats to your confidential bank and customer information.