Blog

By:

CoNetrix recently assisted two customers with targeted phishing attacks in which the attackers attempted to redirect wire transfers. This activity is not new, however, some of the tactics utilized in the attack are noteworthy and provide insight into how organizations can better protect themselves.

How did the attackers gain entry into corporate accounts? 

The entry point for the attackers was corporate email accounts that were exposed to the Internet and accessed using a web browser. The email accounts of the victims were compromised by guessing passwords or reusing previously-compromised passwords. Once access was gained to the email accounts, mailbox rules were configured to direct emails about wire transfers to the "RSS Feeds" folder. This effectively hid the email messages from the victim, while allowing the attacker access to them.

Next, the attacker sent email messages from a domain name similar to the domain name of the compromised email account. The fake messages said the previous email messages concerning money transfers were in error and provided different destination bank routing and account numbers where the money would be accessible by the attackers.

Take steps to mitigate the risks of phishing attacks 

In these cases, the fraudulent email messages were noticed by the recipients and the attacks failed. However, these attacks are routinely successful, and it is necessary to take steps to mitigate the risk, especially when corporate email accounts are accessible using a web browser (e.g. Office 365, Outlook Web Access (OWA), cloud-hosted email, any email account that can be logged into using a web browser and public Internet access).

  • Review your organization's email services to see if Internet-facing email access is enabled. One way to do this is to ask the question, "can we log in to our email accounts using a web browser from any Internet connection (e.g. a coffee shop, at home, at a hotel)?"
  • If Internet-facing email access is enabled disable access for employees who do not need it.
  • For employees who need Internet-facing email access, enable dual-factor authentication.
  • Look for inbox forwarding or redirect rule changes. Logging for these changes can be enabled in the email system's administrative console.
  • On firewall or intrusion prevention devices, enable rules to block traffic that is sourced from countries where known malicious traffic originates.
  • Utilize security event monitoring technologies to monitor web server logs for abnormal login activity.
  • Do not rely solely on email or other electronic communications for initiating or modifying financial transactions. Implement out-of-band approval procedures such that financial transactions and changes to financial processes must be verified using a different form of communication. For example, if a request to change a receiving bank account number is initiated via email, it must be verified via a phone call to a number that is already on file.

 


 

CoNetrix strongly recommends all organizations implement the appropriate updates or mitigation measures for this confirmed vulnerability. CoNetrix has installed updates or implemented the mitigation steps for all affected CoNetrix Technology and Aspire customers.

On December 17, 2019, Citrix announced a directory traversal vulnerability in the Citrix Application Delivery Controller (formerly NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway) products. If exploited, this vulnerability could allow an unauthenticated attacker to perform arbitrary code execution. This is similar to the Fortigate vulnerability in 2019.

Citrix Security Bulletin: https://support.citrix.com/article/CTX267027, including information about updates to address this vulnerability.

If you cannot install the updates, Citrix has provided some configuration changes that mitigate the issue: https://support.citrix.com/article/CTX267679

How to Quickly Check for this Vulnerability

CoNetrix Security penetration testers were able to confirm the vulnerability by checking the response when browsing to a specific URL (https:// <IP address> /vpn/../vpns/cfg/smb.conf). If you perform the same action and are able to read the smb.conf file, this is confirmation that your system is vulnerable. If the mitigation is in place you will receive a 403 Forbidden error (or potentially some other error message). Also, CoNetrix Technology engineers discovered IDS/IPS signatures for this exploit, but they were not set to 'block' by default by the IDS/IPS vendor.

How to Mitigate this Vulnerability

This is being actively exploited in the wild, so we encourage you to install the fixed versions or apply the recommended mitigation steps as quickly as possible.

Steps to Take Post-Mitigation

Remember, it is important to validate the mitigation is working as expected after applying the configuration.

Citrix and FireEye have developed a scanner to detect if your NetScaler installation has been compromised: https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/

Once the mitigation steps have been implemented, here are a few addtional action items: 

  1. Review the systems active processes and connections to the Internet.
  2. Work with Citrix to review system logs for any potentially suspicious connections attempts.
  3. Work with your IDS and/or firewall vendor to review any potentially suspicious connections attempts.
  4. Check for newly created XML files in the /netscaler/portal/ /var/tmp/netscaler/portal/ directories and sub-directories.
  5. Search for and review any newly created files or scripts. Some exploit intel has indicated Perl scripts being added to the /netscaler/portal/scripts/ directory.
  6. Look for any CRON jobs that have been added to provide an attacker persistence even after the vulnerability is patched.

CoNetrix has installed the update for all CoNetrix Technology and Aspire customers. CoNetrix Security has reviewed data collected during penetration tests from the previous year and notified customers that had this vulnerability. If you are not a CoNetrix customer and would like additional information or assistance with implementing these mitigation steps, we encourage you to contact us.


 

Recently, we had received reports from several external parties that they were unable to send email to conetrix.com addresses. The NDR message reported "MX record not found for conetrix.com".
 
Simple solution, right? Not our problem. I checked several external and global DNS caches including OpenDNS, CloudFlare, and Google, and all successfully resolved records without issue. One aspect that all parties had in common was they were sending email via Gmail, specifically Google Apps accounts. I've got a Google Apps account on a personal domain, so I sent a test email that was delivered without any issues. At this point, we figured it was a transient issue and moved on.
 
Except it wasn't. Over a period of time, it became apparent that this issue was still occurring with fair regularity and that there was something still going on. So what if this actually is our problem? What could any possible solution be?
 
I had taken vacation during the troubleshooting period and came back to the office following my PTO with a mini-epiphany. We host our own DNS records. Could it be possible that these Google Apps customers couldn't connect to our nameservers to resolve the MX records correctly?
 
On a whim, we updated the geoblocking rules on our external firewall cluster to allow inbound DNS requests from any country (not any traffic, only DNS requests). After reaching out to the external parties to send us new email, those messages were successfully delivered and we have not seemed to have had any issues since then.

I don't know why unencrypted Google Apps DNS requests were routed through foreign countries – especially countries that were added to our geoblocking list as housing potentially malicious traffic – but it seems pretty likely that this was the case.
 

 

I came across a GPO that had a few proxy server related settings configured in "Extra Registry Settings" which I needed to remove.  The "Extra Registry Settings" configuration does not show up in GPMC for later OS versions to edit these settings.
 
Powershell can be used to remove "Extra Registry Settings" with the "Remove-GPRegistryValue" command to specify the GPO name, the registry key, and the value. 
 
 

 

We had a customer with multiple FortiGates that were reporting they could not get the Internet at multiple sites. In investigating, I found that the FortiGates at these sites did not have a connection to FortiGuard and were therefore unable to assess web traffic. Running the command get webfilter status from the CLI of the FortiGates that were having problems showed that they were unable to connect to the FortiGuard. You can also it in the screenshot below on the System > FortiGuard page:
 
 
The solution in this instance was to change the connection of how they FortiGate connects to FortiGuard from HTTPS to UDP. This setting can be found under System > FortiGuard. It can also be set via the CLI commands below:
        config system fortiguard
                set protocol udp
                set port 8888
                 set update-server-location usa
end
 
It is important to note that all of the Fortinet products connect to FortiGuard to download definitions for licensing, web filtering, anti-spam, etc. If the connection to FortiGuard is down, there may be issues.

 

When a secondary public IP address is utilized for VPN connections, the configuration of an IPSEC VPN versus an SSL VPN is quite different.  For an IPSEC VPN, it's as easy as turning flipping a switch and selecting the IP address:  

For SSL VPN it takes a couple of steps: First a Virtual IP (VIP) has to be created that points the primary IP at the secondary IP.  Additionally include port forwarding for the SSL port to be utilized:  

Second, an IPv4 policy needs to be created using the WAN interface for both incoming and outgoing, with the destination being the VIP:


 
 

When doing maintenance on an Exchange server environment configured with a DAG, one of the things that you have to be aware of is how to temporarily remove one of the servers from the DAG before you disrupt any of the Exchange services (i.e. reboot) so that it doesn't inadvertently cause a failover of your databases or make some databases unavailable. Microsoft wrote a blog post a while back talking about the proper way to place an Exchange server into maintenance mode and it's a bit clunky - https://blogs.technet.microsoft.com/nawar/2014/03/30/exchange-2013-maintenance-mode/ 

Fortunately, there's a script readily available that takes care of most of this for you, including failing over the database to another Exchange server if needed. Located in 'Program Files\Microsoft\Exchange\V15\Scripts', take a look at the StartDagServerMaintenance.ps1 and StopDagServerMaintenance.ps1 scripts (and the RedistributeActiveDatabases.ps1 script. Running the script is simple, just pass the server name that you're starting or stopping maintenance on to their respective scripts and let PowerShell take care of the rest! Easy, no? 

Well, sorta. You see, for a few versions now (including Exchange 2013 and Exchange 2016), the StartDagServerMaintenance.ps1 script has a typo in it – specifically the part of the script that actually pauses the node in the cluster. In the parameters, Microsoft has set "$pauseClusterNode" equal to "$false" instead of "$true".   

Left alone like this, the cluster node will never be paused and potentially could cause issues when you reboot, not to mention that when you run the StopDagServerMaintenance.ps1 script, you'll receive a warning that "Call-ClusterExe: cluster.exe did not succeed" meaning it didn't do anything. Just change that parameter to "$true" and you're good to go.


 

"You need a pen test. This is a vulnerability assessment. Have you considered Red Team testing?"

You might have been told this by a regulatory examiner, your IT vendor, a senior partner, a Board member, or read it in an article. It's a common statement in the penetration testing space these days and with good reason. The scope and methodology of penetration tests is not standardized or regulated, so each provider can create their pen test service as they see fit. This puts more responsibility on you, the customer, to determine if they are meeting your needs.

In this article:

We covered these topics in our webinar Choosing Pen Tests & Real-Life Horror Stories. In this webinar we discussed:

  • The different types of penetration tests available
  • The pros and cons of different penetration tests
  • How to choose the best penetration test for your organization
  • Stories of real-world exploits
  • How to make the most of your penetration testing budget


What is Penetration Testing?

Many terms are used to describe penetration testing…

Red Team, Physical Intrusion, Gray Box Testing, Phishing, Reconnaissance, Privilege Escalation, Precision Strike, War Dialing, Black Box Testing, Social Engineering, Capture the Flag, Web Application Testing, Purple Team, White Box Testing, Blue Team, Pivoting, Internal Testing, External Testing

They overlap, they conflict, they can be misleading.

What is Penetration Testing?


So, what is pen testing?

Whether it's physical, logical, or human, pen testing shows you how an attacker would look at your organization. They look for holes and possibilities to disrupt the way you work.

Penetration testers look for holes and vulnerabilities that could disrupt the way you work.

According to the FFIEC IT Exam Handbook for financial institutions, there are many types of penetration tests . . . and management should determine the level and types of tests employed to ensure effective and comprehensive coverage.* The regulators are giving you the responsibility for figuring out what level and type of pen test you need.

So, what terms mean something, and what is terminology fluff? What should you look for when determining the pen test you need and what vendor to use?

Choosing and understanding penetration test vendors and knowing the terminology is important. Our aim in this article is to help remove some of the mystery around pen testing and help you feel confident in determine the best solution for your company.


What type of Pen Test do you need?

What is the type or level of penetration testing that you need?
Let's go back to the regulation:
"A penetration test subjects a system to real-world attacks selected and conducted by the testers." - FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016 (emphasis added)

Essentially you are choosing what you want tested, you are not telling them how you want them to test it. That should be up to the penetration tester. The reason is, the penetration tester should have the expertise to know what the attackers are doing, and they are going to choose the real-world attacks that the attackers would choose. They have done the research, gone through the certifications and the training to know what types of methods to use. So it's important to know you're not telling them how to do the test, you're telling them what you want tested.

You figure out WHAT you need tested and the penetration tester will figure out HOW to test it.

Here is a simple definition of penetration testing that doesn't use any of the fancy marketing terms. Let's start here.

At its core, penetration testing should show you how an attacker would see you and describe specific attacks they would choose to use against you. That means you don't need to tell the pen testers HOW to do the testing. You just need to tell them WHAT to test and ensure their METHODOLOGY meets your needs and keeps you safe.

So, how do you determine WHAT you need?


Start with a Risk Assessment

When done correctly, a risk assessment will inform you of what you need to do for security testing.

Let's use an example to illustrate. Here is a simple risk assessment.

Simple Risk Assessment

  • What attacks do we hear about from IT, in the news, etc.?
    • Phishing!
    • Ransomware
    • Website attacks
  • What assets do those attacks target for us?
    • Employees
    • Corporate email and perimeter defenses
    • Web servers
  • What testing do we need?
    • Email social engineering for ALL employees
    • Internet perimeter testing for ALL of our public IP addresses

In this sample risk assessment, we are showing that as a company that offers services via the Internet our top concern is cybersecurity; but more specifically, we are concerned with phishing, ransomware, and website attacks.

So how do those threats apply to us? Phishing relies on our employees to click a link or open an attachment, so testing our people is important. Ransomware is typically introduced from the outside, so our corporate email defenses and perimeter defenses, such as firewalls, are important. Website attacks target our webservers directly, so those are also important targets.


Translate your Risk Assessment

After you perform a risk assessment, you will need to translate the results to answer the questions "What" to test and "Why" test it. The penetration test company will figure out "How" to test it.

For our sample risk assessment illustrated above, here is what we would choose:

  1. What to test? — Internet exposed systems
    Why test it? — These are our most exposed systems. They are what our attackers are going to hit first.
  2. What to test? — Employee responses to social engineering, because our employees are the ones who will protect us from phishing attacks.
    Why test it? — Phishing attacks are frequent and successful. They are hurting other people and happen all the time.

TIP: Test against common attacks. Attackers stick with what works. We're tempted to say "It's so common, let's look for the next big thing instead." Attackers will stick with what works as long as it works. So if you're hearing about things in the news, like ransomware and you're worried about it, then that is a valid threat to test against. It will continue to happen until it's no longer profitable for the attacker.

Test against common attacks. Attackers stick with what works as long as it works.

Whether your risk assessment is a formal or informal process is not as important as the results. You need to identify the areas where you are exposed, where your most critical assets are, and where attacks are most likely to occur. These decisions come from knowing your organization and knowing what types of attacks are common. We see these attacks in the news and other places all the time.


Determine the testing you need

Going back to our simple risk assessment example, we can take the assets we identified in the first step and translate them into the type of testing we need. In this case, we decided on email social engineering for all employees and Internet perimeter testing for all of our public IP addresses.

Be specific!

It is important to be very specific when communicating to your penetration testing company what type of testing you want performed. In a minute, we will look at what could happen if we don't communicate clearly.


Choosing a Pen Test Provider

Now that we know what we want to test, we need to define the scope of the testing. Do we want to test just our web servers or our entire Internet exposure? Do we want to test a specific group of employees or are we specifically concerned about a certain department that performs risky tasks – maybe they initiate wire transfers for our company.

In this example, we will define the scope as:

  • All public IP addresses
  • All employees

TIP: Include ALL external IP addresses, active and inactive. You never know when an inactive IP address might become active. Mistakes and misconfigurations happen and attackers are looking for them.

This scope can be modified over time. Maybe we want to test all employees the first time and then focus on a risky department the next time.

What can happen if you don't communicate clearly?

Check out what happened when pen testing services were requested by Iowa State Court Officials. As reported in this news article, the scope of testing was defined as "test the security of the court's electronic records . . . through various means." Not specific enough! It only defined an asset, not what the organization was worried about or what they wanted tested. The result: two pen testers were arrested in Adel, Iowa for attempting to physically break into the court house. The State's response: "[we] did not intend, or anticipate, those efforts to include the forced entry into a building."

In other words, if we want our employees tested against phishing and our Internet perimeter tested against a remote attacker, we don't want the pen testers to do this to our front door:

Unrelated to the Iowa incident, this gentlemen is well-known for his pen testing of physical controls, but would you want this sort of testing when you are concerned about ransomware coming in through phishing emails?


Set the Rules of Engagement

The final step in our pen test selection process is to set the boundaries for our pen testers to follow. Remember that we get to choose WHAT they target, but they get to choose the attacks that would be most effective – what the real attacker might choose. By settings boundaries on those attacks or rules of engagement, we can ensure the pen test won't go too far and cause harm.

In this step you will agree on:

  • What the pen testers WILL attempt
  • What the pen testers WON'T attempt

"The test mimics a threat source's search for and exploitation of vulnerabilities to demonstrate a potential for loss." - FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016 (emphasis added)

Going back to our regulatory reference, these boundaries are stated as "demonstrating the potential for loss." Notice it doesn't say "demonstrating the loss," but rather the potential for loss. This is an important word to highlight because it identifies the need for pen test boundaries. We want our pen test firm to show us how an attack could happen and how it could negatively impact our organization, but we don't want them to go so far as to actually cause loss or have a significant negative impact.

Here's an example set of the rules of engagement that CoNetrix will use. Because we typically test live, operational systems, we put certain rules into place to make sure the testing stays within bounds.

Rules of Engagement
  • Do no harm. It's not a good penetration test if the penetration test company leaves you more vulnerable than you were when you started. What would that look like? If they went into a system and they installed malware and left that malware sitting there and didn't tell you they installed it. That malware may be opening a door to the internet that you didn't have before. If the pen testers create new exposure, then it would leave you worse off than when you started.
  • No significant customer impact. You don't want customers calling in saying: "I can't get into my internet banking account," "I can't log in to this website," "the website is down." The penetration test company needs to be very aware of who your customers are and how they use your systems. They need to make sure that everything they do does not impact the customer. Some tests can't be performed unless there is some customer impact. How would a penetration company handle that? The way it should go is: 1) Identify the vulnerability and the potential exploit for that vulnerability. 2) Contact the customer and let them know about it. If they would like us to perform the exploit, inform them it may cause some downtime and it might affect their customers. 3) Coordinate with the customer on when to perform the exploit testing. Maybe we do it after hours. Or it may be they are great with just knowing the vulnerability exists and don't need the exploit performed due to the possible negative impact.
  • No unplanned operational impact. A penetration test company may discover that your system or website is extremely vulnerable to a certain kind of denial of service attack. If exploited, it could be taken down for hours on end. That's great to know, but the penetration test company should not exploit that vulnerability without coordinating with you first. That would cause unplanned operational impact and now your IT department is scrambling and your customers or your internal staff are upset because they can't do their job or access your services.
  • Limited system recovery time/money. This is an important one and not always obvious. If you're not careful, a penetration tester that is not very good at what they're doing could say "well, we could do this and they would just have to restore from backup". That's easy for the penetration tester to say, but they aren't the ones who have to do the work to restore from backup. A lot of times restoring from backup can be a complicated process and can take a while. It might cost a lot of time and money, and that may not be obvious to a penetration tester. Just having a dedicated person to go recover a system can be a big impact to other projects and tasks you have going on. If an exploit is going to take significant effort or money to recover from, then that needs to be out of bounds, unless you have coordinated about it ahead of time.
  • Attempted exploits need to provide value. Penetration testing can be flashy and glamorous. It shows up in movies, TV shows, YouTube, etc. Make sure that the exploits that are being performed are providing value. Flashy and glamorous is fine for the movie screen, but real world pen testing must provide value to your company by helping improve your security posture.
  • If an exploit might break the rules, report the vulnerability. A penetration test company may say they found this vulnerability, but if exploiting it is going to break the rules, then it would be better to just report the vulnerability and say what needs to be fixed. It's better to do that than to cause your customers and staff a lot of grief. The vulnerability can be talked about and remediated without causing problems.

These are the rules of engagement we practice here at CoNetrix when performing penetration tests.


Evaluate a Pen Test Provider

So let's wrap up how to choose a pen test provider with some ways you can evaluate pen testers and then we'll move on to the fun stuff – the exploits!

  1. Know what you need tested and clearly communicate that in the project scoping and quoting process. We talked about identifying what you need tested. Make sure the pen test company's expertise matches with what you need tested. As we saw earlier, some pen testers excel in physical security testing. Others excel at Internet-based testing. Some are industry-specific such as SCADA pen testers. Make sure you find out what their strengths are.
  2. Make sure their report is understandable and well-organized. Many pen testers are great at successfully demonstrating attacks. After all, that's the fun part – the part that gets put into the movies. Buy many don't put as much effort in communicating what they did and how you can improve your defenses. Make sure the format of the report and the way information is communicated in the report is going to help you improve your security. Is it actionable for you and your IT/security staff?
  3. Check out their certifications on top of experience. Certifications are a great way of making sure a pen test company has the knowledge and skills necessary. Some examples include Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), and any certification that shows they have knowledge of the area you need tested.
  4. Make sure the penetration test company will help you understand the report. We believe security testing is most useful when it is a partnership, not a stand-alone service. Ask how the pen test company will help you understand what the issue is and what you can do about it. Do they review their results with you? Do they provide remediation recommendations? Or do they drop a bunch of results on you and wish you good luck.

Phases of Pen Testing

So now let's talk about the fun side of pen testing—exploitation. It's good to know that exploitation is part of the process. Many times it is because of this process that a penetration test report may look like a vulnerability assessment. Every pen test process follows a similar process—identify how the target is exposed—identify vulnerabilities that could be attacked—exploit those vulnerabilities—report both the vulnerabilities and any successful exploits.
But what if no exploits were possible—at least not within the rules of engagement? In that case, the report would only identify vulnerabilities and could look a lot like a vulnerability assessment. But through your pen test selection process, you made sure the firm would exploit vulnerabilities when safe and possible and their documented methodology should reflect that approach.
Phases of Pen TestingOne of the best things you can do when evaluating a pen test company is ask them for examples of what they have done. See how they did it and whether you're comfortable with the things they are capable of doing.

One of the best ways to evaluate a pen test company is to ask for some examples of their successful exploits.

*FFIEC IT Exam Handbook, Information Security Booklet, Sep 2016
**This blog post is for information purposes only. Evaluate your risks before acting on any ideas presented in this article.


 

On Wednesday, November 14th, the Federal Financial Examination Council (FFIEC) released an updated version of the Business Continuity Management Booklet. One of the changes is related to business continuity and disaster recover exercises and tests. In the new booklet, the FFIEC redefines the testing methods and introduces more delineation between a BCP exercise and a BCP test.

What is a BCP Exercise?

According to the new booklet, "an exercise is a task or activity involving people and processes that is designed to validate one or more aspects of the BCP or related procedures" (p. 37). Each exercise can look different depending on the scope, goals, and objectives of the test. Some exercises can be discussion only (i.e. tabletop discussion) while others could be comprehensive (i.e. full-scale exercise).

What is a BCP Test?

The new booklet defines a test as a "type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment" (p. 37). Tests typically focus on a system or set of systems. An example of a test might be verifying back on a server is functions or verifying recovery time objectives (RTOs) are acceptable for a system. The big difference according to the booklet is, "exercises address people, processes, and systems whereas tests address specific aspects of a system" (p. 38).

How are the testing methods different in the new booklet?

Examples of testing methods from the older 2015 Business Continuity Planning Booklet included (p. 18):

  • Tabletop Exercise Structured Walk-Through Test. "[The tabletop exercise structured walk-through tests] primary objective is to ensure that critical personnel from all areas are familiar with the BCP and that the plan accurately reflects the financial institution's ability to recover from a disaster."
  • Walk-Through Drill/Simulation Test. "A walk-through drill/simulation test is somewhat more involved than a tabletop exercise/structured walk-through test because the participants choose a specific event scenario and apply the BCP to it."
  • Functional Drill/Parallel Test. "Functional drill/parallel testing is the first type of test that involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the BCP."
  • Full-Interruption/Full-Scale Test. "In a full-scale test, a real-life emergency is simulated as closely as possible."

The new testing methods introduced in the 2019 Business Continuity Management Booklet map closely to its predecessor; however, they are renamed and have slight differentiators (pp. 42-44).

  • Full-Scale Exercise. "A full-scale exercise simulates full use of available resources (personnel and systems) prompting a full recovery of business processes."
  • Limited-Scale Exercise. "A limited-scale exercise is a simulation involving applicable resources (personnel and systems) to recover targeted business processes."
  • Tabletop Exercise. "A tabletop exercise (sometimes referred to as a walk-through) is a discussion during which personnel review their BCP-defined roles and discuss their responses during an adverse event simulation."
  • Tests. "Management uses tests to verify the quantifiable performance and reliability of system resilience."

What does this mean for me?

The new FFIEC guidance highlights the "people and processes" aspects of your organization's BCP. This is a shift in focus from the 2015 BCP booklet in which testing guidance more heavily emphasized testing IT systems and system components. This change can be seen in the definitions of the testing methods. Personnel are specifically included in all four of the "exercise" definitions whereas the definition of "tests" is only concerned with validating system resilience.

What hasn't changed is BCP exercises and tests are used to validate one or more aspects of an enterprise-wide BCP. Financial institutions should incorporate a variety of exercises and tests into their overall BCP test program in order to ensure the institution can restore operations and recover from business interruptions. While the test program will be different based on each institution's size and complexity, strong test plans include strategies to evaluate all aspects of the institution's BCP, including people and processes as well as IT systems.

Resources

For more information about the updated booklet, visit: