Articles

By:
Publication: The Community Banker, Summer 2016


Malware is a constant threat to networks. While it primarily affected Windows systems in the past, newer malware can wreak havoc on Linux and OS X systems as well. The variant that is becoming increasingly popular and devastating is ransomware. Ransomware encrypts local and network-mapped files and then presents the user with a ransom demand. It affects home users, police departments, banks, and even hospitals, with no sign of slowing down, owing to the anonymity of bitcoin, the ease of spreading the software, and the likelihood that infected users will pay.


By:
Publication: Nebraska Banker, May/June 2016

Most small to medium-sized community banks rely on an outside vendor to perform security testing, often in the form of a penetration test or IT/GLBA security audit. Engagements performed by independent third parties can help identify security oversights and issues that might be outside the internal staff's expertise. However, developing an in-house security testing plan is also critical to the overall success of information security and cybersecurity programs.

While not currently mandatory, working through the FFIEC Cybersecurity Assessment Tool is an excellent starting point to gain a greater understanding of your institution's overall risk profile. Working through the tool is a great exercise that allows you to step back and take a more objective view of your security program. Performing the initial assessment provides financial institutions with baseline data that identifies the activities and products posing the greatest risk or concern. Subsequent assessments can then be used to track progress as the information and cybersecurity programs continue to grow and adapt.


By:
Publication: The Kansas Banker, June 2016


It is a cool, foggy morning out on the lake. Dawn is just beginning to break on what is going to be a great weekend. The fishing tournament is getting started, and it is every fisherman's dream to land the big one. So too is the dream of every phisherman. In recent years, a new phenomenon in phishing known as whaling has been on the rise. Whaling is similar to a regular phishing email, but the initial target is a top-level executive. The Federal Bureau of Investigation reports that whaling cases rose by 270% in 2015!


By:
Publication: BankNews, 2016 Guide to Cybersecurity


As a security consultant, I have spent time talking with management and members of the Board of Directors at several institutions, and I can tell you that they run the gamut of security-mindedness and technology knowledge.  I have met directors who like to know what’s going on in the IT department and are well versed in information security and cybersecurity threats, and there are others who want nothing to do with anything IT related.  With the release of the FFIEC’s Cybersecurity Assessment Tool also comes the release of a set of Board expectations.


By:
Publication: The Kansas Banker, April/May 2016


"Dear Jerrod, you are receiving this email because you recently requested a password reset or unlock of your account.  If you didn't make this request, it's likely that another user has entered your email address by mistake and your account is still secure. If you believe an unauthorized person has accessed your account, you should change your password as soon as possible by going to Your Account." 


By clicking on the above link, your business could change. Phishing is not new, but the targets have changed. In 2015, a new pattern emerged in which the target of phishing switched from bank customers to bank employees. Most people might think that only the largest banks are at risk from phishing campaigns, especially spear phishing attacks in which specific employees are targeted. However, over the past ten years "puddle-phishing," or phishing attacks against smaller banks, has been on the rise. In our own security testing in 2015, we found that employees at smaller banks (holding <$250M) failed phishing tests 24% of the time. Some believe this may be due to a lack of adequate resources to defend against attacks. Fortunately, because employees are a captive audience, there are some strategies that can help mitigate the risk to a financial institution.


By: (Security+)
Publication: Nebraska Banker, March/April 2016

Are you familiar with the typical ransom movie? The bad guy steals a kid or a wife and demands money in exchange for their safe return. Requests often come in the form of magazine clippings. Perhaps you're more familiar with the ever-classic bank hold-up; the bad guy wants money in exchange for the safety of hostages who happen to still actually go into a bank. Times are changing. Ransom doesn't work the way it used to. You can't see the bad guy headed toward you from the window.


By:
Publication: The Kansas Banker, March 2016


A red plaid flannel shirt or an axe is not required to be a lumberjack in our digital age. However, a passion for logs is essential. These are not logs from Larch, Pine, Giant Redwood, or Sequoia trees. Instead they are event logs from switches, routers, firewalls, servers, intrusion detection devices, etc. Log data contains the "who, what, when, where, why and how" of information technology infrastructure and business applications. The ability to gather, process, report on, alert on, and retain these logs is a foundational piece of information technology.

Why be a logger


By:
Publication: Nebraska Banker, January 2016

Many of our vendor relationships have the power to help or hurt our overall information security level. The request for proposal (RFP) for software vendors must go beyond the typical due diligence questions in order to maintain or increase your information security level. Technical questions must be asked, and it may be necessary to have the questions forwarded to the vendor's technical support or development staff. Asking a software vendor the following questions and getting appropriate answers helps to ensure you are buying secure software and also reveals the maturity level of the vendor.


By:
Publication: The Kansas Banker, January 2016


As an auditor, one of the most common weaknesses that I see is third-party application patching. Java and Adobe applications have been the most popular attack avenues in recent years for two simple reasons: first, they are installed everywhere, and second, they are not typically updated very quickly. Reasons for these applications not being updated in a timely manner range from the applications not being included in patch management processes to vendors requiring specific versions of the third-party software. Furthermore, having these applications up to date does not mean they are secure; it just means that some of the previously known vulnerabilities have been patched.


By: (Security+)
Publication: The Colorado Banker, January/February 2016


If you have ever been in a field that involves customer service, you learn to expect certain questions. You may even be able to predict some. For example, if you are demonstrating a product, one question you can typically count on is: "How long does it take to do this?" And, as you probably suspect, the tried-and-true answer is, "It depends."

The same question and answer routine is understandable. We all want to know what everyone else is doing. I am a software support specialist and I am frequently asked, "How do you see other banks handling issue XYZ?" We depend on each other to understand the world around us. We want to know, what are other people doing to get it right?
