Blog: Bank

Early this year the tech world was rocked with the announcement of two unprecedented vulnerabilities named Meltdown and Spectre.

These two vulnerabilities are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Understandably there was a rush from three main industries, processor companies, operating system companies, and cloud providers to provide solutions. However, as a result of the urgent response, there were unanticipated update incompatibilities which crashed systems. This created a dilemma for IT professionals. "Do we install updates which may cause our systems to crash?" or "Do we sit-tight and remain vulnerable?"

Even in the weeks of uncertainty, there were calm voices of seasoned reasoning. Their message reminded us that basic security standards remain our first line of defense. No matter how bad an exploit may be, its impact can be limited if:

• The vulnerability doesn't have access to your systems
• Operating system or application weaknesses are patched
• Security software is installed (advanced end-point protection software with artificial intelligence is a game changer)

So how do you do achieve these standards? Here are some fundamental best practices:

1. Monitor availability of operating system and application updates. Be sure you find and establish good sources to inform you about the patches and updates for your systems and applications. Then, monitor the sources or subscribe to notifications.
   
   
2. Test updates to ensure compatibility. It is best if your update and patching process includes a test environment where non-production systems are updated first in order to test functionality and compatibility. This allows you to postpone or avoid updates which might crash systems or applications.
   
   
3. Apply updates and patches on a regular schedule. As a best practice, you should implement a schedule (at least monthly) to evaluate, test and install updates for systems and critical applications. In this way, your schedule can coincide with schedules of operating system and application vendors (e.g., Microsoft has "Patch Tuesday, the second Tuesday of each month).
   
   
4. Install and maintain security software (e.g., antivirus software, endpoint security software, etc.). If possible, explore and utilize behavior based end-point protection software. This genre of software "watches" system behavior to notice and stop suspicious action.
   
   
5. Prevent malicious code execution. The goal is to keep malicious code out of your network and systems. This is best accomplished with layers of security including Internet filtering, phishing detection, and security awareness training for system users. Security awareness is essential to help prevent users from falling prey to malicious emails.

This month, the New York State Department of Financial Services ("the Department") released results from a survey conducted in 2013 on cyber security.  154 institutions completed the survey, representing 60 community and regional banks, 12 credit unions, and 82 foreign branches and agencies.  The survey asked questions regarding information security framework; corporate governance around cyber security; use and frequency of penetration testing and results; budget and costs associated with cyber security; the frequency, nature, cost of, and response to cyber security breaches; and future plans on cyber security. [more]

In conclusion, the Department states:

"As part of its continuing efforts in this area, the Department plans to expand its IT examination procedures to focus more fully on cyber security.  The revised examination procedures will include additional questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery.  The revised procedures are intended to take a holistic view of an institution's cyber readiness and will be tailored to reflect each institution's unique risk profile.  The Department believes this approach will foster smarter, stronger cyber security programs that reflect the diversity of New York's financial services industry."

This report comes on the hills of the FFIEC webinar, Executive Leadership of Cybersecurity: What Today's CEO Needs to Know About the Threats They Don't See in which the FFIEC introduced expectations of new examination procedures.

To read the full Report on Cyber Security in the Banking Sector by the New York State Department of Financial Services can be found here - http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf

During a recent audit, we noticed one of the Internet domain names registered to the bank was displaying a website provided by the registrar (Network Solutions).  Upon discussing this issue with the bank, they told me they had registered the name because they use it internally as their Active Directory domain name and did not want anybody else registering the public name.  So the bank’s IT vendor dutifully registered the name, but did not do anything with it as far as pointing it to an existing bank website or an “under construction” site.  As a result the registrar parked the domain name and displayed an advertisement website.  The advertisements were for Gucci, Wells Fargo, Bank of America, etc.  The bank was not very happy when they found out their domain was being used to advertise other banks.

The Federal Financial Institutions Examination Council (FFIEC) issued an updated Retail Payment Systems Booklet.  The booklet is part of the IT Examination Handbook series and provides guidance to examiners, financial institutions, and technology service providers (TSPs) on identifying and controlling risks associated with retail payment systems and related banking activities.  To download the booklet and associated workprogram, visit http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

CoNetrix is pleased to announce the CoNetrix Information Security Risk Assessment software and Business Continuity Planning (BCP) software are candidates for the BankNews 2009 Innovative Solutions Award.

The Innovative Solutions Award, sponsored by BankNews, recognizes companies that have introduced or enhanced a product or service designed to help banks better serve their customers.  Entries are divided into four categories:

1. Architectural/Equipment Solutions
2. Consulting/Outsourcing/Training Solutions
3. Management Software Solutions
4. Online/Remote/Mobile Solutions

The CoNetrix Risk Assessment tool is listed under the category 2 "Consulting/Outsourcing/Training Solution", and the BCP tool is listed under the category 3 "Management Solutions".

To vote now, go to http://www.banknews.com/2009-Entries.704.0.html

To learn more about the Innovative Solutions Award, visit http://www.banknews.com/

We continue to hear positive things from many of our customers (community banks) - many have plenty of money to lend (but only to qualifying customers) - we have even visited with a few banks that are trying to send back the "bailout" money - here is a good article depicting the US community bank - http://www.nytimes.com/2009/05/17/magazine/17wwln-rendon-t.html?_r=2&ref=magazine

During IT audits, we routinely see banks granting all or some of their users local administrator rights on their PCs.  They are usually forced into allowing this level of access due to some software that will not work correctly without local administrator rights.  However, they can mitigate some of the risk by using a utility called DropMyRights.

In a recent Security Now! podcast, Steve Gibson talked about the DropMyRights utility.  It was written by a Microsoft engineer.  It allows you to run specific programs with less rights than your user account normally has.  For example, if you are given local administrator rights because the core banking software requires it, you can use DropMyRights to help protect yourself when running web browsers or your email client.  Simply create a shortcut for each program using DropMyRights in the command line.  For example, you could use the following command line to run Internet Explorer under a non-admin user context: [more]

C:\utilities\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"

ICBA and Visa are providing a free Data Breach Toolkit available to all ICBA member banks.  The toolkit was developed due to the recent data breach at Heartland Systems, and is designed to help community banks answer customers' questions following a breach of credit and debit card account information.  The toolkit provides member banks with customizable materials, including cardholder letters, statement inserts, FAQs and media statements.  You can login to receive your toolkit at http://www.icba.org/publications/visa.cfm?ItemNumber=37529

The FBI, the U.S. Postal Inspection Service, and state and local authorities are investigating more than 60 threatening letters that have been received by Financial Institutions in Araizona, Caliofornia, Colorado, Georgia, Illinois, New Jersey, New York, Ohio, Oklahoma, Texas, Virginia, and Washington, D.C.  The letters began to be received on Monday, Oct. 20, 2008, and appear to all be originating from Texas - all have been postmarked in Amarillo, TX.  Most of these letters contain a powder substance with a threatening communication.  At this point, field and laboratory tests on the powder have been negative; however, additional testing is taking place.

To see a copy of one of the letters, visit http://www.fbi.gov/page2/oct08/threatletters_102308.html