Articles

By: (Network+, CISA)
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Fall 2019

VACB Fall 2019

Account passwords are required for security and accountability, but they are often despised by the users who must remember them and by the network administrators who must reset them when users ultimately forget after a long weekend or a donut-infused sugar coma. While recommendations have changed slightly over the years, the base settings remain the same: sufficient length to prevent easy guessing or cracking (currently around 14 characters), complexity requirements to discourage the use of names and dictionary words (3 of 4 character types: uppercase, lowercase, numbers, or special characters), and password change cycles to force new passwords that are fully up to date with policy settings and not used anywhere else (30 to 90 days, typically).


By: (ISACA Cybersecurity Fundamentals, CompTIA A+, Security+)
Publication: The Kansas Banker, July/August 2019

KBA | July/August 2019

While sitting outside the Principal's office, David Lightman, the main character of that classic '80s gem WarGames, cautiously slides open a panel on a nearby computer desk to reveal a list of words. The last word on the list, "pencil," is the only one that isn't crossed out, which David understands to be the newest password to the school's grading system and a shortcut to an easy "A." While David goes on to save the world from thermonuclear destruction, the movie took time to make a point: writing down passwords was a bad security practice in 1983, yet the practice continues to this day.


By: (GCIH, GPEN, GWAPT)
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Summer 2019

VACB Summer 2019

Cyber Threat Hunting has been popular for some time, and there is a good reason for this. Threat hunting involves actively and iteratively searching your networks in order to detect and isolate advanced threats. This is a proactive exercise, in total contrast to typical cyber defense, where it seems like we just wait for an inevitable breach to occur. Too often the breach is discovered only when a kind third party (hopefully not a regulatory agency or law enforcement) makes contact and informs you of the situation. Threat hunting is very appealing because it gives the sense of being active rather than sitting idle.


By: (Network+, CISA)
Publication: The Kansas Banker, March/April 2019

KBA March/April 2019

For many financial institutions, Business Continuity Plan (BCP) tests are easy to identify and trivial to document, as senior management is familiar with the concept and the tests occur on a fairly frequent basis, either because they are scheduled in advance or because Internet/phone/power outages happen to every business at some point. When it comes to Incident Response Plan (IRP) tests, however, the situation is not so clear. This may be because the FFIEC includes Incident Response Testing as part of the Business Continuity Planning Booklet, or because, like things that happen in Vegas, incidents aren't spoken of after they occur. Additionally, the answer may depend on who you ask and on whether there was any resulting reputational damage, just to make things even muddier.


By: (Security+, ISACA Cybersecurity Fundamentals)
Publication: The Nebraska Banker, March/April 2019

NBA, March/April 2019

In the course of my work, I find myself visiting several financial institutions throughout the year. Although these institutions vary in size and complexity, many of them share several common deficiencies. Some of the prevalent security mistakes listed in this article may be resolved with relatively simple implementations, but others can take more substantial amounts of time and user training to remediate. Fixing these five deficiencies would greatly help to improve the security of any institution.

Utilizing Default Credentials

One security mistake that is more common than you might realize is failing to update default account credentials. If default credentials are left unchanged in a system or application, an attacker may be able to use them to obtain legitimate authentication and thereby circumvent a large number of security controls. Because the attacker authenticates to the system with valid credentials, these intrusions are also quite difficult to identify and respond to. Make sure to update all default credentials when systems are set up on the network, and change default administrator account names.


By: (ISACA Cybersecurity Fundamentals, CompTIA A+, Security+)
Publication: The Nebraska Banker, Jan/Feb 2019

NBA Jan/Feb 2019

"But I don't even have an iCloud account!" my aunt said over the phone, as the realization of her fear began to set in. "Is this just a scam?!"

At this point, vishing scammers had already installed remote software on her PC and were attempting to have her purchase Google Play Store prepaid cards and send them the codes so the "problem" with her "account" would be "fixed." In response, the plug was pulled, the hard drive destroyed and passwords were changed. A diploma from the school of close calls was earned that day. If only my aunt knew – if only she had been "patched!"


By: (ISACA Cybersecurity Fundamentals)
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Winter 2018

VACB Winter 2018

Some of our apps are for fun things like accessing social media websites, and others are for utilitarian things like paying bills, managing insurance, or overseeing banking accounts. With apps like these having access to our most intimate details, we should closely monitor the apps we use and what these apps can access on our mobile devices.

You can determine the access you give to apps by going to your mobile device's settings. Consider the messaging application Slack as an example. Often used in professional office settings, Slack allows you to create groups and send messages. The mobile app for Slack can optionally access your Photos, Camera, and even Siri. Allowing an app like Slack to access photos, the camera, or other information is a reasonable choice, since Slack uses this information to improve the experience, but other applications may not need access to this information at all.


By: (GCIH, GPEN, GWAPT)
Publication: The Kansas Banker, Oct/Nov 2018

KBA Oct/Nov 2018

Several years ago my wife and I enrolled in country western dance lessons offered in our community. I have a reputation for being challenged in the areas of rhythm and coordination, but it sounded like fun. Over several weeks we learned multiple dances ranging from the supposedly simple two-step to more complex dances. I learned that I could manage on a dance floor as long as I stuck to the basic dances like the two-step, and that I never would have rhythm or coordination.


By: (Network+, CISA)
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Fall 2018

VACB Fall 2018

In 1984, a fantasy movie involving a young boy, a rock-eater, a weird dog-dragon hybrid, an entity known as The Nothing, and an assortment of other strange characters was released. This movie, titled The NeverEnding Story, is remembered by many people not only because of the story itself but because of the main title track, which lingers long after the credits have rolled. After watching the movie, one could be caught belting out "NeverEnding Stooooooryyyyyyyy! Ah, ah, ah!" for anyone nearby to hear. While this song is easily adapted for a number of tasks in everyday life (never ending laundry, dishes, or bills), for those in IT roles it has become "NeverEnding Paaaaaattccheeeeees!"


By: (CISA, CISSP)
Publication: The Kansas Banker, August 2018

2018 August KBA

One of the challenges community banks face in selecting an IT audit partner is having confidence that they are comparing apples to apples when reviewing security-testing proposals. Not only do the definitions of terms vary, but some audit firms sell an "IT Audit" that is nothing more than a GLBA regulatory compliance audit. Though confirming that your Information Security Program meets your examiners' expectations is important, an audit without a thorough internal network assessment really is not an IT audit. Your technical controls, such as patch management, malware protection, user access controls, Internet content filtering, and file access controls, are where the rubber meets the road. If these controls are not functioning as intended, it is a moot point that you have them faithfully listed in your InfoSec Risk Assessment and Policies.
