Articles

Cyber Threat Hunting has been popular for some time. There is a good reason for this. Threat hunting actually involves actively going out and iteratively searching your networks in order to detect and isolate advanced threats. This is a proactive exercise which is a total contrast to typical cyber defense where it seems like we just wait for an inevitable breach to occur. Too often the breach is discovered when a kind third-party (hopefully not a regulatory agency or law enforcement) make contact and informs one of the situations. Threat hunting is very appealing because it gives the sense of being active and not sitting idle.

For many financial institutions, Business Continuity Plan (BCP) tests are easy to identify and trivial to document as senior management is familiar with the concept and the tests occur on a fairly frequent basis, either because they are scheduled in advance or because Internet/phone/power outages happen to every business at some point. When it comes to the Incident Response Plan (IRP) tests, however, the situation is not so clear. Whether this is because the FFIEC actually includes Incident Response Testing as part of the Business Continuity Planning Booklet or because, like things that happen in Vegas, incidents aren't spoken of after they occur. Additionally, it may depend on who you ask and if there's any resulting reputational damage, just to make things even muddier.

In the course of my work, I find myself visiting several financial institutions throughout the year. Although these institutions vary in size and complexity, many of them share several common deficiencies. Some of the prevalent security mistakes listed in this article may be resolved with relatively simple implementations, but others can take more substantial amounts of time and user training to remediate. Fixing these five deficiencies would greatly help to improve the security of any institution.

Utilizing Default Credentials

One common security mistake that is more common than you might realize is that of not updating default account credentials. If default credentials are left unchanged in a system or application, an attacker may be able to use those credentials to obtain legitimate authentication and thereby circumvent a large number of security controls. Also, due to the fact that the attacker is able to authenticate to the system with proper credentials, it is quite difficult to identify and respond to these intrusions. Make sure to update all default credentials when systems are set up on the network and change default administrator account names.

"But I don't even have an iCloud account!" my aunt said over the phone, as the realization of her fear began to set in. "Is this just a scam?!"

At this point, vishing scammers had already installed remote software on her PC and were attempting to have her purchase Google Play Store prepaid cards and send them the codes so the "problem" with her "account" would be "fixed."  In response, the plug was pulled, the hard drive destroyed and passwords were changed. A diploma from the school of close calls was earned that day. If only my aunt knew – if only she had been "patched!"

Some of our apps are for fun things like accessing social media websites, and others are for utilitarian things like paying bills, managing insurance, or overseeing banking accounts. With apps like these having access to our most intimate details, we should closely monitor the apps we use and what these apps can access on our mobile devices.

You can determine the access you give to apps by going to your mobile device's settings. Consider the messaging application, Slack, as an example. Often used in professional office settings, Slack allows you to create groups and send messages. The mobile app for Slack can optionally access your Photos, Camera, and even Siri. Allowing apps like Slack the ability to access photos, camera, or other information is a reasonable choice since Slack uses this information to make the experience better, but other applications may not need to access this information.

Several years ago my wife and I enrolled in country western dance lessons offered in our community. I have a reputation for being challenged in the areas of rhythm and coordination, but it sounded like fun. Over several weeks we learned multiple dances ranging from the supposedly simple two-step to more complex dances. I learned that I could manage on a dance floor as long as I stuck to the basic dances like the two-step and that I never would have rhythm or coordination.

In 1984, a fantasy movie involving a young boy, a rock-eater, a weird dog-dragon hybrid, an entity known as The Nothing, and an assortment of other strange characters was released. This movie, titled The NeverEnding Story, is remembered by many people not only because of the story itself but because of the main title track which lingers long after the credits have rolled. After watching the movie, one could be caught belting out "NeverEnding Stooooooryyyyyyyy! Ah, ah, ah!" for anyone nearby to listen. While this song is easily adapted for a number of tasks in everyday life (never ending laundry, dishes, or bills), for those in IT roles it has become "NeverEnding Paaaaaattccheeeeees!"

One of the challenges community banks face in selecting an IT audit partner is the confidence they are comparing apples to apples when reviewing security-testing proposals. Not only do the definition of terms vary, some audit firms sell an "IT Audit" that is nothing more than a GLBA regulatory compliance audit. Though confirming your Information Security Program meets your examiners' expectations is important, an audit without a thorough internal network assessment really is not an IT audit. Your technical controls like patch management, malware protection, user access controls, Internet content filtering, file access controls, etc. are where the rubber meets the road. If these controls are not functioning as intended, it becomes a moot point you have them faithfully listed in your InfoSec Risk Assessment and Policies.

Several months ago, I stumbled across a comic that was a perfect representation of the battle institutions and IT departments face every day. It was a boxing ring, with a ring announcer introducing the participants in the corners of the ring. One corner contained firewalls, encryption, antivirus software, and other layers of data security while the opposing corner contained "Dave," a hapless user wearing a shirt emblazoned with the words "Human Error." This comic is both funny, because many of us know a "Dave," and disheartening, because no matter how much money and time are spent on network layout, configuration, and security, the harsh reality is it only takes one user on the other side of the mouse, clicking on the wrong item, to wreak havoc on your network. While incidents are still going to occur, they can be reduced with routine and thorough employee security awareness training.