Most small to medium-sized community banks rely on an outside vendor to perform security testing, often in the form of a penetration test or IT/GLBA security audit. Engagements performed by independent third parties can help identify security oversights and issues that might be outside the internal staff's expertise. However, developing an in-house security testing plan is also critical to the overall success of information security and cybersecurity programs.
While not currently mandatory, working through the FFIEC Cybersecurity Assessment Tool is an excellent starting point to gain a greater understanding of your institution's overall risk profile. Working through the tool is a great exercise that allows you to step back and take a more objective view of your security program. Performing the initial assessment provides financial institutions with baseline data that identifies the activities and products posing the greatest risk or concern. Subsequent assessments can then be used to track progress as the information and cybersecurity programs continue to grow and adapt.
Developing verification processes and checklists would be a great starting point for smaller institutions that outsource some, or all, IT functions. For example, developing a new computer checklist can help make sure all of the intended controls are working on newly implemented systems. A simple checklist might include verifying the following:
- Antivirus software is installed with up-to-date definitions.
- Web-filtering rules are restricting access appropriately.
- Removable media (USB, CD/DVD, etc.) controls are working.
- Screensavers are set to lock after a specified time of inactivity.
Setup checklists can also be used to perform periodic spot checks, or for regression testing, to ensure primary security controls are working as intended. For example, you might want to spot check several workstations to ensure antivirus controls are still working as expected after installing an update to endpoint security software. For more established in-house IT departments, security baseline checklists can be used by a second administrator, or possibly audit personnel, to ensure the intended controls are implemented.
Since outsourced external penetration testing is typically performed on a periodic basis, it is important to develop and run some verification tests on newly deployed systems that are exposed to the Internet. SSL/TLS vulnerabilities and configuration weaknesses on exposed web services are common issues that we see when performing external penetration tests. Several SSL/TLS vulnerabilities made worldwide headlines over the last few years (e.g. POODLE and Heartbleed). Often, these weaknesses are discovered on dedicated appliances like VPN firewalls or secure email gateways because they are assumed to be securely configured by default. Qualys' SSL Labs SSL Server Test (https://www.ssllabs.com/ssltest) is a simple-to-use, but extensive, free service that could be used to validate the configuration of any SSL/TLS service.
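
As an added illustration (not part of the original article or any CoNetrix tooling), an in-house verification test for a newly deployed Internet-facing service could look like the following Python sketch. The baseline values, the function names and the example.test hosts are assumptions, and the sample results are constructed so the policy check runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed in-house baseline; adjust to your institution's policy.
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
MIN_DAYS_LEFT = 30

def probe(host, port=443, timeout=5):
    """Handshake as a default, certificate-validating client and record the result."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                expires = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
                return {"host": host, "version": tls.version(),
                        "cipher": tls.cipher()[0], "expires": expires}
    except OSError as exc:  # covers ssl.SSLError, including failed certificate validation
        return {"host": host, "error": str(exc)}

def evaluate(result, now):
    """Compare one probe result with the baseline; return a list of findings."""
    if "error" in result:
        return [f"connection or handshake failed: {result['error']}"]
    findings = []
    if result["version"] not in ALLOWED_VERSIONS:
        findings.append(f"legacy protocol negotiated: {result['version']}")
    days_left = (result["expires"] - now).days
    if days_left < MIN_DAYS_LEFT:
        findings.append(f"certificate expires in {days_left} days")
    return findings

# Constructed sample results (not real scan output) so the policy logic runs offline.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLES = [
    {"host": "vpn.example.test", "version": "TLSv1", "cipher": "AES128-SHA",
     "expires": datetime(2024, 1, 15, tzinfo=timezone.utc)},
    {"host": "mail.example.test", "version": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384",
     "expires": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"host": "portal.example.test", "error": "certificate verify failed"},
]

def report(results, now):
    """Map each host to its findings; an empty list means the host meets the baseline."""
    return {r["host"]: evaluate(r, now) for r in results}

if __name__ == "__main__":
    for host, findings in report(SAMPLES, NOW).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

A check like this only records what a modern client negotiates; it does not enumerate every protocol version the server still accepts, so it complements a full scan such as the SSL Labs test rather than replacing it.
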
The ever-changing threat landscape makes entering into the security testing realm seem very overwhelming. However, as with developing any other skillset, the hardest step is the first step. It is unrealistic to expect to know everything about security testing. A quote from Nelson Mandela comes to mind, "It always seems impossible until it's done." As we continue to learn and develop security skillsets, tasks like assessing risk and developing appropriate mitigating controls will start to become easier and, hopefully, more proactive.
Craig Schurr is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and Tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com.