In the course of my work, I find myself visiting several financial institutions throughout the year. Although these institutions vary in size and complexity, many of them share several common deficiencies. Some of the prevalent security mistakes listed in this article may be resolved with relatively simple implementations, but others can take more substantial amounts of time and user training to remediate. Fixing these five deficiencies would greatly help to improve the security of any institution.
Utilizing Default Credentials
One common security mistake that is more common than you might realize is that of not updating default account credentials. If default credentials are left unchanged in a system or application, an attacker may be able to use those credentials to obtain legitimate authentication and thereby circumvent a large number of security controls. Also, due to the fact that the attacker is able to authenticate to the system with proper credentials, it is quite difficult to identify and respond to these intrusions. Make sure to update all default credentials when systems are set up on the network and change default administrator account names.
Lack of Controls on Mobile Devices
In the ever-growing mobile device landscape, it is important to have controls in place to protect data on those devices. Utilizing some kind of mobile device management application is imperative in environments in which sensitive information, such as company email, is stored on mobile phones or tablets. This type of software can enforce security policies such as requiring a passcode or allowing remote wiping of a device in the event of the device being lost or stolen. A mobile device management application can enforce encryption on devices as well.
Unsupported Hardware and Software
Another common security mistake that institutions make is that of utilizing unsupported hardware or software in the network. When a hardware appliance or software application reaches its end of support date, its vendor stops producing security updates and any vulnerabilities that are subsequently discovered are no longer patched. Staying abreast of end-of-life dates takes organization and foresight, but is necessary in order to ensure that hardware and software are updated before they are vulnerable. Maintaining accurate hardware and software inventories, which include accurate end-of-life dates, is a key step to take toward ensuring that these systems can be replaced in a timely manner.
Inadequate Training Against Phishing and Social Engineering Attacks
All companies face risks associated with social engineering attacks in which the attacker targets the human element of security. In social engineering attacks, the attacker tries to convince an employee to perform an unknowingly malicious action. Therefore, it is important to train employees to be suspicious of any unsolicited calls, emails, or even face-to-face interactions in which someone is asking about confidential information. Employees should be instructed to avoid clicking links or opening attachments unless they can verify that they are legitimate. To supplement training, utilize internal social engineering tests that simulate an actual attack to help employees identify and respond to malicious activity.
Failing to Follow Established Policies and Procedures
The final frequently observed security mistake to avoid is that of employees not being aware of – or not following – documented company policies and procedures. As with social engineering awareness, extensive employee training is needed to ensure all applicable employees are made aware of the proper procedures to follow. When new policies are put into place or existing policies are updated, employee training processes should be changed accordingly, and employees should be made aware of the changes in a timely manner.
These vulnerabilities are not secret, and most attackers know to look for these weaknesses. In the midst of the ever-changing security landscape, it is important to address these common areas attackers know are often vulnerable. Take the necessary steps to ensure appropriate technical controls are in place and train employees to be security-minded. Addressing these five common mistakes will greatly increase the security of your institution.