Blog: Security and Compliance

The world of cybersecurity has had some fundamental shifts in the past several years that have made the vast majority of companies unprepared for today's threats. The extensive use of malware, for example, has dramatically reduced the value of traditional security solutions, such as firewalls, IDS/IPS, and anti-virus software. These solutions that used to adequately prevent attacks are now very limited in their risk mitigation value. Many organizations have not updated their cybersecurity technology and solutions to stop today's threats. It's like monitoring your front door for a break in while someone comes in through the back window.

Even companies that have taken cybersecurity seriously have not always been led the right way by cybersecurity vendors. In the past, an organization who was serious about cybersecurity was told that they needed 24x7x365 monitoring - paying for really smart cybersecurity professionals to watch the alerts and events as they happen in real-time so they could respond at a moment's notice to malicious events.

But legacy technologies have relied mostly on human review, not machine intelligence. A common metric for a traditional Managed Security Service Providers (MSSP's) is to have a security engineer for every 30 devices under management. In the U.S., the average cybersecurity professional makes $116,000/year. This means the cost to monitor a single device is $322/month, forcing traditional MSSP's to charge between $500 and $1500/device/month to be profitable. Does this sound like your MSSP?

At those rates most customers can only afford for a few devices to be monitored; usually the firewall, IDS/IPS, and possibly a Windows domain controller. When asked why they don't need to monitor more devices, these MSSP's would state "As long as you are monitoring the choke points, you are safe."

Using the home security system analogy, imagine being told that monitoring the front and back doors are enough and then having your child kidnapped through a bedroom window. No choke point only security system would detect that, allowing the worst-case scenario to happen without your system even tripping. Home security systems relied upon a few choke points because it was very expensive to run wires to the whole home (especially after it was already built). However today many home security systems use wireless technology which has made it possible to place multiple sensors throughout the house without the use of wires. This makes the cost of securing the entire home from multiple threats much less expensive.

Thankfully, IT cybersecurity has evolved as well. Automated correlation and analytics from a properly deployed, configured, and tuned Security Information and Event Management (SIEM) solution has the ability to increase the ratio of devices per cybersecurity professional exponentially. Today, SIEM technology can quickly and efficiently find the "needle in a haystack" with far less human interaction. This dramatically reduces the number of cybersecurity professionals needed for a traditional Security Operation Center (SOC) which means a lower cost per device for customers. With a lower cost to monitor each device, we can now monitor more devices. Rather than just monitoring choke points, we can monitor all of the windows, doors, and rooms; which is really what was needed from the beginning.

When all of the critical devices are being monitored and correlated, you can now stitch together pieces of information across different systems and areas of the network to give you a much more accurate picture of what is happening. In other words, the more devices that you monitor, the more accurate the monitoring becomes and, therefore, the better economies of scale can be achieved.

So, what should a customer monitor? It's still a good idea to monitor the firewall and IDS, but we need to go beyond that and focus on today's threats. Routers, servers (especially Active Directory servers), wireless access points, and endpoint security solutions should all be monitored. With current SIEM technology, you can monitor all of these systems for about the same price as you used to be able to monitor just the firewall and IDS/IPS.

Monitoring only choke points and smaller areas of a network will not protect your organization from today's threats. Cybersecurity monitoring is more important than ever, but real risk mitigation comes with a holistic approach to monitoring all of the possible security events from every possible device. Stop only monitoring your front door for a break-in and assuming that your business is safe... because your back window is open.

Contact Technology Sales at 806-698-9600 or email techsales@conetrix.com if you want to improve your Cybersecurity Monitoring and Response solution AND lower the annual cost.


 

What is the FSSCC Cybersecurity Profile?

The FSSCC Cybersecurity Profile was published on October 25, 2018 by the Financial Services Sector Coordinating Council (FSSCC). The FSSCC is a private entity comprised of 70 members from financial services organizations. Their cybersecurity profile has multiple tiers, which allow users to answer a scalable set of questions. This scaling is designed to provide an expedited assessment of the user's organization's cybersecurity preparedness.

The FSSCC has publicized their Cybersecurity Profile as a resource, designed to simplify the regulatory burden placed on financial institutions. According to the FSSCC's Benefits to Financial Institutions section of their website, the tool offers a "73% reduction for community institution assessment questions" when compared to the FFIEC CAT.

In addition to the tool's claims of efficiency, the tool's development is largely credited to organizations familiar to the financial services industry. The Press Release includes names such as the American Bankers Association, Bank Policy Institute, the Institute of International Bankers, and more.

Beyond this, the FSSCC has made multiple appeals to the Cybersecurity Profile's usefulness in regulatory examinations, going so far as to claim, "The numerous and substantial benefits [of using the FSSCC Cybersecurity Profile] to the financial services sector are: […] Supports tailored supervision, examinations, and collaboration among state, federal, and international supervisors," per the FSSCC Overview and Users Guide.

What is the FFIEC Cybersecurity Assessment Tool?

The FFIEC Cybersecurity Assessment Tool (CAT) was initially published on June 30, 2015, and updated May 31, 2017. The CAT was designed by the Federal Financial Institutions Examination Council (FFIEC), a formal interagency body, comprised of members from the FRB, FDIC, NCUA, OCC, CFPB, and SLC. The CAT is standardized, which allows users to answer a specific set of questions, designed to provide a thorough assessment of their organization's cybersecurity preparedness.

The FFIEC CAT includes 494 cybersecurity maturity statements, which has resulted in some complaints. However, it is not only designed to provide a detailed assessment of a financial institution's current state of cybersecurity preparedness, it also enables targeted and long-term planning for growth and improvement.

With regard to examinations:

• The FDIC continues to heavily rely on the InTREx Work Program. While InTREx does state financial institutions are not required to use the FFIEC CAT to assess cybersecurity preparedness, the program also states FDIC examiners will reference the CAT's Appendix A when performing examinations.

• The NCUA is currently implementing the Automated Cybersecurity Examination Tool (ACET). The ACET is based on the FFIEC CAT, with a document request list to help credit unions understand, gather, and organize the documents needed for the examination. Read our blog on FAQs about the ACET

• In their Spring 2018 Semiannual Risk Perspective, the OCC announced they had "implemented the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) into its examination process." In addition, an OCC representative at the 2019 CoNetrix KEYS Conference Examiner Panel indicated the OCC is piloting their own segmented version of the FFIEC CAT, to be fully completed on a three-year cycle.

• The FRB's supervisory letter about the tool, SR 15-9, indicated the CAT's planned use in examinations, and the FRB was a contributor in the May 2017 update of the tool, per their 2017 Annual Report. Additionally, a list of Information Technology Guidance was published, including the FFIEC CAT as a "Policy Letter."

Will the FSSCC Cybersecurity Profile Replace the FFIEC Cybersecurity Assessment Tool?

While the FSSCC Cybersecurity profile has fewer questions, and the FSSCC has expressed interest in seeing the tool used during regulatory examinations, the federal banking agencies have not yet expressed the same interest.

In addition, while completing the FFIEC CAT is not required, four years into the CAT's implementation, examiners are now familiar with the tool and the agencies continue to supplement and reference the CAT in their own examination programs. In light of this, using the CAT to assess cybersecurity preparedness could help expedite the examination process, as the tool may be used during an exam.

At this point in time, it is not clear what the future holds for the FSSCC Cybersecurity Profile. Due to the thorough nature and widespread adoption of the FFIEC CAT, it is difficult to imagine the CAT will be replaced by any tool in the foreseeable future.

Does CoNetrix have anything that can help with assessing cybersecurity preparedness?

Yes. The Tandem Cybersecurity module took the FFIEC CAT PDF content and streamlined it into an easy-to-use web-based application. With email reminders, charts and graphs, presentation documents, optional peer comparison, and tools for the NCUA's ACET, you can put the FFIEC CAT to work for you. Get started for free with Tandem Cybersecurity.


 

Many businesses and financial institutions have seen an increase in the number of employee-owned devices over the past few years. Employees are using these devices to access email, download files, launch a remote desktop, or use a Virtual Private Network (VPN) connection for a remote "on network" experience.

Some customers prohibit or restrict personally-owned devices from connecting to the network. However, in some cases, this is not feasible, such as employees or contractors who rarely visit the home office, or employees with very specific device requirements and preferences. The common term for the policy of allowing personal devices is Bring Your Own Device or BYOD.

Unprotected personal devices connecting to the network are a significant security risk. The most common issue with these devices is inadequate anti-virus and anti-malware software. Built-in free solutions like Windows Defender are not up to the task of protecting against the sophisticated zero-day threats which are common today. Additional strategies to manage a BYOD environment include Mobile Device Management (MDM) and Network Access Control (NAC).

CylanceProtect is widely recognized as the leader in the endpoint protection segment, winning multiple industry awards for their machine learning approach to stopping security threats. Over the past 2 years since CoNetrix has been a Cylance partner. We have installed almost 5,000 endpoints for customers across the US.

Last year Cylance released a home version of CylanceProtect called Smart Antivirus. This product is specifically designed to provide the same technology as the corporate version, with easy self-administration and the ability to protect multiple devices in a household for a low annual cost. Windows and macOS devices are currently supported, with support for iOS and Android devices coming later this year.

Smart Antivirus is a great option for an employee security awareness program or as a company-paid benefit for employees and business partners. Individual licenses can be purchased from Cylance using the link below.

https://conetrix.com/cylance-smart-antivirus

Smart Antivirus licenses of 50 or more are available through CoNetrix for a discounted price. Contact CoNetrix Technology sales at techsales@conetrix.com for more information about licensing for CylanceProtect and Smart Antivirus.


 

Microsoft has been emphasizing Office 365 subscription services since the public introduction in 2011. As a result, the popularity of these services has grown to over 155 million active users as of October 2018, and is gaining new users at over 3 million seats per month. With this growth, on-going marketing, and the increasing acceptance of public cloud services, many businesses and financial institutions are starting to look at Office 365.

In this article, we will highlight several pros and cons of Office 365 you should consider to determine if it's right for your business.

Office 365 encompasses several different products and services, but in this article, we will address these services in two primary areas: user applications and back-end services.

Office 365 User Applications

As the name implies, most Office 365 subscription plans include Microsoft Office applications like Word and Excel running on Windows, macOS, and portable devices running iOS and Android. Applications are also available through a web browser but most customers are interested in Office 365 applications as a possible replacement for traditional Office licensing.

What are the primary differences between Office 365 and traditional on-premise Office applications?
  • Office 365 is an annual subscription per user or seat. Each user is entitled to run the Office 365 applications on up to 5 devices for the term of the subscription. As long as you continue to pay the annual subscription you are covered for the Office applications included in your plan.
  • Office applications through Office 365 are designed to be downloaded from the O365 portal. There is no license key to determine if you have a valid license. After installation the applications routinely "check in" to the O365 portal to ensure there is an active account. Because of this check-in process IT administrations must use a specific procedure for mass deployment of O365 applications. Additionally, installation on multi-user servers like Remote Desktop Services and Citrix requires a new approach.
  • Office 365 applications are designed to install features and security updates directly from Microsoft when they are released. Legacy patch management solutions like Windows Server Update Services (WSUS) and 3rd party solutions will not work with O365. This can create a challenge for regulated customers who are required to report on patch status. Scanning tools used by auditors to determine patch levels will need the ability to recognize the differences between O365 and traditional Office applications. The O365 update process could also create an issue for Office-integrated applications if a hotfix is released that affects the compatibility of those applications, as there will be no option to block that update from being installed.
  • Office 365 applications utilize a feature called Click to Run. This feature, which was originally introduced with Office 2016, provides a streaming method for installing features and patches for Office 365 and Office 2019 applications. Our experience is that Click to Run can use a significant amount of bandwidth if you are installing Office applications or large updates on multiple systems simultaneously.
Is licensing through Office 365 less expensive than traditional licensing?

For most customers the biggest question is: "Is licensing through Office 365 less expensive than traditional licensing?" The answer is "It depends!" Office 365 licensing could be financially attractive if:

  • Your business always updates to the latest release of Office.
  • You want the flexibility of per user licensing.
  • You want to take advantage of the licensing of up to 5 devices for multiple systems, mobile devices, home use, etc.
  • You need a simplified update process that works anywhere the PC has Internet connectivity.
  • You need to use the browser-based applications for a specific function or employee role.
  • You plan to implement one of the Office 365 back-end services.

Office 365 Back-End Services

Microsoft provides several cloud server applications through Office 365 including Exchange Online (email), Skype for Business Online (voice and messaging), SharePoint Online (web collaboration), and OneDrive (file storage and sharing). These back-end services can be implemented individually, or as part of a bundle with or without the Office applications depending on the plan. However Exchange Online vs. Exchange on-premise is receiving the most attention from our customers.

What should I look for when performing due diligence?

The security and compliance of back-end Office 365 services is not significantly different than any other cloud-based application or service. The areas that should be researched include:

  • External audit attestation – SSAE 18 or similar
  • Data location residency – production and failover scenarios
  • Data privacy policies - including encryption in transit and at rest
  • Contracts and licensing agreements
  • Intellectual property rights
  • Service Level Agreements – service availability, capacity monitoring, response time, and monetary remediation
  • Disaster recovery and data backup
  • Termination of service
  • Technical support – support hours, support ticket process, response time, location of support personnel
A few more things you should consider.

As a public cloud service Office 365 has several challenges that need specific attention:

  • The business plans listed on the primary pricing pages may include applications or services that you don't need. All of the various features can be confusing and it's easy to pick the plan that is close enough without realizing exactly what's included and paying for services you will never use.
  • Most of the back-end O365 services can integrate with an on-premise Active Directory environment to simplify the management of user accounts and passwords. This provides a "single sign-on" experience for the user with one username and password for both local and O365 logins. Microsoft has several options for this integration but there are significant security implications for each option that should be reviewed very carefully.
  • Microsoft has published several technical architecture documents on how to have the best experience with Office 365. This is especially important for larger deployments of 100+ employees, or customers with multiple physical locations. One of the notable recommendations is to have an Internet connection at each location with a next-generation firewall (NGFW) that can optimize Internet traffic for O365 applications. Redundant Internet connections are also strongly recommended to ensure consistent connectivity.
  • The default capabilities for email filtering, encryption, and compliance journaling in Exchange Online may not provide the same level of functionality as other add-on products you may be currently using. Many vendors now provide O365-integrated versions of these solutions, but there will be additional costs that should be included in the total.
  • Microsoft OneDrive is enabled by default on most Office 365 plans. Similar to other public file sharing solutions like Dropbox, Box, and Google Drive, the use of OneDrive should be evaluated very carefully to ensure that customer confidential data is not at risk.
  • Several other vendors provide Office 365 add-on products that provide additional functionality which may be useful for some businesses. Netwrix Auditor for Office 365 can provide logging and reporting for security events in your O365 environment. Veeam Backup for Office 365 can create an independent backup of your data to ensure it will always be available. Cloud Access Security Brokers (CASB) such as Fortinet FortiCASB and Cisco Cloudlock can provide an additional layer of security between your users and cloud services such as O365.

It is certainly a challenge to research and evaluate cloud solutions like Office 365. Financial institutions and other regulated businesses with high-security requirements have to take a thorough look at the pros and cons of any cloud solution to determine if it's the best fit for them.

CoNetrix Aspire has been providing private cloud solutions for businesses and financial institutions since 2007. Many of the potential security and compliance issues with the public cloud are more easily addressed in a private cloud environment when the solution can be customized for each business.

However, the combination of Office application licensing with back-end services like Exchange Online can be a good solution for some businesses. The key is to understand all of the issues related to Office 365 so you can make an informed decision.

Contact CoNetrix Technology at techsales@conetrix.com if you want more information about the differences between Aspire private cloud hosting and Office 365.


 

By: (CISA, CISSP)

Early this year the tech world was rocked with the announcement of two unprecedented vulnerabilities named Meltdown and Spectre.

These two vulnerabilities are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Understandably there was a rush from three main industries, processor companies, operating system companies, and cloud providers to provide solutions. However, as a result of the urgent response, there were unanticipated update incompatibilities which crashed systems. This created a dilemma for IT professionals. "Do we install updates which may cause our systems to crash?" or "Do we sit-tight and remain vulnerable?"

Even in the weeks of uncertainty, there were calm voices of seasoned reasoning. Their message reminded us that basic security standards remain our first line of defense. No matter how bad an exploit may be, its impact can be limited if:

  • The vulnerability doesn't have access to your systems
  • Operating system or application weaknesses are patched
  • Security software is installed (advanced end-point protection software with artificial intelligence is a game changer)

So how do you do achieve these standards? Here are some fundamental best practices:

  1. Monitor availability of operating system and application updates. Be sure you find and establish good sources to inform you about the patches and updates for your systems and applications. Then, monitor the sources or subscribe to notifications.

  2. Test updates to ensure compatibility. It is best if your update and patching process includes a test environment where non-production systems are updated first in order to test functionality and compatibility. This allows you to postpone or avoid updates which might crash systems or applications.

  3. Apply updates and patches on a regular schedule. As a best practice, you should implement a schedule (at least monthly) to evaluate, test and install updates for systems and critical applications. In this way, your schedule can coincide with schedules of operating system and application vendors (e.g., Microsoft has "Patch Tuesday, the second Tuesday of each month).

  4. Install and maintain security software (e.g., antivirus software, endpoint security software, etc.). If possible, explore and utilize behavior based end-point protection software. This genre of software "watches" system behavior to notice and stop suspicious action.

  5. Prevent malicious code execution. The goal is to keep malicious code out of your network and systems. This is best accomplished with layers of security including Internet filtering, phishing detection, and security awareness training for system users. Security awareness is essential to help prevent users from falling prey to malicious emails.

 

On September 9th, 2016, the Federal Financial Institutions Examination Council (FFIEC) released a revised Information Security booklet.  This booklet is one of eleven booklets that make up the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook). The IT Handbook is designed to provide information and reference to financial institutions and examiners.  The Information Security booklet specifically “provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution’s information systems.”

To learn more about the new FFIEC Information Security Booklet, join us for a webinar on October 11th at 2:00pm CDT. Register now

To see other webinars offered by CoNetrix, visit our webinars page.

About the FFIEC: The FFIEC was established in 1979 per Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978.  The FFIEC is comprised of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administrator (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB).

 


 

Here are two links to articles discussing the NIST and their discouraging of SMS use for multi-factor authentication. The special publication by NIST actually says

If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”

https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/

 

https://www.engadget.com/2016/07/29/sms-two-factor-authentication-isn-t-being-banned/


 

During preparation for a meeting with a bank customer, I searched their name to investigate any new Internet presence not previously documented. I found a Facebook page (unofficial) that contained postings from May 2012 related to someone “checking in” at the bank’s location. At that time, if a Facebook page was nonexistent and someone checked-in, Facebook would create an “Unofficial Page” to act as a container for the associated comments.

Further research indicated this was a common Facebook practice at the time but is no longer being done. However, if there are pages that were dynamically created they continue to exist. When I shared this information with the bank they had no knowledge of this Facebook page.

There is a potential for reputational risk if someone makes negative comments and the institution has no way to remove the negative comments from the page since they have no administrative access.

Information on "claiming" these pages is located at https://www.facebook.com/help/community/question/?id=649876991815701

 


 

Today the FFIEC released a Cybersecurity Assessment Tool to help financial institutions identify their risks and assess their cybersecurity preparedness.  The assessment tool is designed to provide a repeatable and measurable process for banks and credit unions to measure their cybersecurity preparedness over time.

The FFIEC tool consists of pdf documents including an Overview for Chief Executive Officers and Boards of Directors, a User's Guide, an Inherent Risk Profile, a Cybersecurity Maturity, and some Additional Resources.

CoNetrix is working on a FREE online, interactive tool to assist banks and credit unions in completing the new FFIEC cybersecurity assessment.  This easy to use SaaS will allow financial institutions to answer questions provided in the FFIEC documents, view and analyze inherent risk and cybersecurity maturity, and run various reports.  To learn more about the new Tandem Cybersecurity tool, visit https://conetrix.com/cybersecurity.

 


 

Yesterday, during a webinar titled "Cybersecurity - The Basics", the NCUA provided information on a new Fraud and Cyber Security Initiative grant of up to $7,500 for low-income designated (LID) credit unions.[more] The grant, which must be applied for by June 30, 2015, is designed to help LID credit unions with building and enhancing cyber security to help protect member information.

In order to assist credit unions with their information and cyber security needs, CoNetrix has created a webpage with information about the grant, including a few bundled offerings centered on cyber security.  Additionally, CoNetrix is sponsoring several free webinars to educate about the grant and our offerings.  You can register for the webinars and learn more at www.conetrix.com/ncuagrant/