Articles

By:
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Spring 2020

As technology has advanced, employees are able to stay connected to their work even after clocking out for the day. They can use laptops, phones, and tablets to keep working or to respond to email. This is good for communication and productivity; however, the security of these devices is easily overlooked.

A small percentage of companies supply mobile devices for their employees, but the vast majority of employees bring their own. The challenge many companies face is how to secure those devices in order to protect the sensitive information that is stored on them or accessible from them.


By: (Security+)
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Winter 2019

Do you have outsourced technology services? If so, are you getting a copy of their business continuity plans? More importantly, do you know what you are looking for when you review them? Gathering and reviewing due diligence documents is a critical part of outsourcing. While the service is provided by another company, your institution still holds the responsibility, and the ultimate accountability, to your customers. That is where due diligence documents come into play.

First, what is an outsourced technology service? It is a service that provides technology solutions for your bank. This does not necessarily include every vendor who uses technology to deliver a service to you, but rather those providing solutions to your technology needs. To help decide whether something is a technology service, ask: "Would the bank be significantly affected if the vendor's services were temporarily unavailable?" I take "significantly affected" to mean irreparable damage to the bottom line or to customer confidence due to a service disruption from any cause. Only if the answer is yes are you likely looking at an outsourced technology service.


By:
Publication: The Kansas Banker, September/October 2019

In the course of reviewing a financial institution's information security program, we invariably come to the point of assessing the organization's business continuity plan. In doing so, it is not uncommon to have to clarify the difference between business continuity planning, disaster recovery preparations, and incident management and response.

There is certainly some overlap among these three strategies, but each has its place in an organization's planning and preparation, and each addresses its own set of considerations. Those responsible for maintaining their financial institution's information security program must understand each of these aspects of continuity planning, recognize their similarities and differences, and be able to integrate them into a comprehensive strategy for handling interruptions to the organization's processes.


By:
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Fall 2019

Account passwords are required for security and accountability but are often despised by the users who must remember them and by the network administrators who must reset them when users inevitably forget after a long weekend or a donut-induced sugar coma. While recommendations have changed slightly over the years, the base settings remain the same: sufficient length to prevent easy guessing or cracking (currently around 14 characters), complexity requirements to discourage names and dictionary words (3 of 4 character types: uppercase, lowercase, numbers, or special characters), and password change cycles to force new passwords that comply with current policy and are not reused anywhere else (30 to 90 days, typically). Note that current NIST guidance (SP 800-63B) drops mandatory periodic changes and composition rules in favor of length, screening new passwords against lists of known-compromised values, and forcing a change only when compromise is suspected; confirm which baseline your examiners expect before settling on these values.


By:
Publication: The Kansas Banker, July/August 2019

While sitting outside the principal's office, David Lightman, the main character of that classic '80s gem WarGames, cautiously slides open a panel on a nearby computer desk to reveal a list of words. The last word on the list, "pencil," is the only one that is not crossed out, which David understands to be the newest password to the school's grading system and a shortcut to an easy "A." While David goes on to save the world from thermonuclear destruction, the movie took time to make a point: writing down passwords was a bad security practice in 1983, yet the practice continues to this day.


By:
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Summer 2019

Cyber threat hunting has been popular for some time, and for good reason. Threat hunting means actively and iteratively searching your networks to detect and isolate advanced threats. It is a proactive exercise, in total contrast to typical cyber defense, where it seems we just wait for an inevitable breach to occur. Too often the breach is discovered only when a kind third party (hopefully not a regulatory agency or law enforcement) makes contact and informs you of the situation. Threat hunting is appealing because it gives the sense of being active rather than sitting idle.


By:
Publication: The Kansas Banker, March/April 2019

For many financial institutions, Business Continuity Plan (BCP) tests are easy to identify and trivial to document, since senior management is familiar with the concept and the tests occur fairly frequently, either because they are scheduled in advance or because Internet, phone, and power outages happen to every business at some point. When it comes to Incident Response Plan (IRP) tests, however, the situation is not so clear. This may be because the FFIEC includes incident response testing as part of the Business Continuity Planning booklet, or because, like things that happen in Vegas, incidents aren't spoken of after they occur. It may also depend on who you ask and whether there was any resulting reputational damage, just to make things even muddier.


By:
Publication: The Nebraska Banker, March/April 2019

In the course of my work, I visit several financial institutions throughout the year. Although these institutions vary in size and complexity, many of them share several common deficiencies. Some of the prevalent security mistakes listed in this article can be resolved with relatively simple changes, but others take substantial time and user training to remediate. Fixing these five deficiencies would greatly improve the security of any institution.

Utilizing Default Credentials

One security mistake that is more common than you might realize is failing to change default account credentials. If default credentials are left unchanged in a system or application, an attacker may use them to authenticate legitimately and thereby bypass a large number of security controls. And because the attacker is authenticating with valid credentials, these intrusions are difficult to identify and respond to. Make sure to change all default credentials when systems are set up on the network, and rename the default administrator accounts as well.
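Once the built-in administrator accounts have been renamed, a successful login under one of the well-known default names becomes a detection signal in its own right. The following Python script is an added example, not code from the article or its author: it scans authentication log lines in a constructed format (the regex, the list of default account names, and the 10.10.50.0/24 management subnet are all assumptions for the example) and flags accepted logins that still use a default administrator name, rating them higher when the source address is outside the management network.

```python
import ipaddress
import re
from dataclasses import dataclass

# Well-known default administrator account names (assumed list for this example).
# Once the real accounts have been renamed, a *successful* login under one of
# these names is itself worth investigating.
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root", "cisco", "manager"}

# Subnet from which administrative logins are expected; assumed for this example.
MGMT_NET = ipaddress.ip_network("10.10.50.0/24")

# Constructed log format, not any vendor's real syntax:
#   <timestamp> <host> auth: accepted|failed login user=<name> from=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: "
    r"(?P<result>accepted|failed) login user=(?P<user>\S+) from=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    src: str
    severity: str  # "high" or "medium"
    reason: str


def parse_event(line: str):
    """Return the event fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(line: str):
    """Flag successful logins that still use a default administrator name.

    Severity is "high" when the login also comes from outside the management
    network (a default account reachable from an unexpected place), otherwise
    "medium" (the default name is still in use, but from an expected location).
    Failed logins and non-default accounts are not flagged here.
    """
    ev = parse_event(line)
    if ev is None or ev["result"] != "accepted":
        return None
    if ev["user"].lower() not in DEFAULT_ADMIN_NAMES:
        return None
    try:
        outside = ipaddress.ip_address(ev["src"]) not in MGMT_NET
    except ValueError:
        outside = True  # treat an unparseable source address as unexpected
    if outside:
        return Finding(ev["ts"], ev["host"], ev["user"], ev["src"], "high",
                       "default admin account used from outside the management network")
    return Finding(ev["ts"], ev["host"], ev["user"], ev["src"], "medium",
                   "default admin account name still in use")


def hunt(lines):
    """Run check_event over an iterable of log lines and return the findings."""
    return [f for f in map(check_event, lines) if f is not None]


# Constructed sample log lines for the example; not captured from a real device.
SAMPLE_LOG = [
    "2019-03-04T08:12:01Z sw-core1 auth: accepted login user=jsmith from=10.10.50.21",
    "2019-03-04T08:13:44Z sw-core1 auth: failed login user=admin from=203.0.113.8",
    "2019-03-04T08:13:51Z sw-core1 auth: accepted login user=admin from=203.0.113.8",
    "2019-03-04T09:02:10Z fw-edge auth: accepted login user=root from=10.10.50.5",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.host}: user={f.user} from={f.src} ({f.reason})")
```

Against the sample lines the script reports two findings: the accepted "admin" login from 203.0.113.8 as high severity and the accepted "root" login from inside the management subnet as medium. The failed "admin" attempt is deliberately ignored here because it is a brute-force signal rather than a default-credential one; in a real deployment you would feed the parser your device's actual log format and keep the default-name list in step with your vendor inventory.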


By:
Publication: The Nebraska Banker, Jan/Feb 2019

"But I don't even have an iCloud account!" my aunt said over the phone, as the realization of her fear began to set in. "Is this just a scam?!"

At this point, vishing scammers had already installed remote-access software on her PC and were trying to get her to buy Google Play Store prepaid cards and send them the codes so the "problem" with her "account" would be "fixed." In response, the plug was pulled, the hard drive was destroyed, and passwords were changed. A diploma from the school of close calls was earned that day. If only my aunt had known; if only she had been "patched!"


By:
Publication: VACB (Virginia Association of Community Banks) The Community Banker, Winter 2018

Some of our apps are for fun, like accessing social media, and others are utilitarian, like paying bills, managing insurance, or overseeing bank accounts. With apps like these having access to our most intimate details, we should closely monitor the apps we use and what they can access on our mobile devices.

You can review and change the access you give to apps in your mobile device's settings. Consider the messaging application Slack as an example. Often used in professional office settings, Slack lets you create groups and send messages. The Slack mobile app can optionally access your Photos, Camera, and even Siri. Granting Slack access to photos or the camera is a reasonable choice if you actually use those features to share content, but other applications may not need that access at all, and permissions an app does not need should stay turned off.
