Blog: Security and Compliance

Early this year the tech world was rocked with the announcement of two unprecedented vulnerabilities named Meltdown and Spectre.

These two vulnerabilities are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Understandably there was a rush from three main industries, processor companies, operating system companies, and cloud providers to provide solutions. However, as a result of the urgent response, there were unanticipated update incompatibilities which crashed systems. This created a dilemma for IT professionals. "Do we install updates which may cause our systems to crash?" or "Do we sit-tight and remain vulnerable?"

Even in the weeks of uncertainty, there were calm voices of seasoned reasoning. Their message reminded us that basic security standards remain our first line of defense. No matter how bad an exploit may be, its impact can be limited if:

• The vulnerability doesn't have access to your systems
• Operating system or application weaknesses are patched
• Security software is installed (advanced end-point protection software with artificial intelligence is a game changer)

So how do you do achieve these standards? Here are some fundamental best practices:

1. Monitor availability of operating system and application updates. Be sure you find and establish good sources to inform you about the patches and updates for your systems and applications. Then, monitor the sources or subscribe to notifications.
   
   
2. Test updates to ensure compatibility. It is best if your update and patching process includes a test environment where non-production systems are updated first in order to test functionality and compatibility. This allows you to postpone or avoid updates which might crash systems or applications.
   
   
3. Apply updates and patches on a regular schedule. As a best practice, you should implement a schedule (at least monthly) to evaluate, test and install updates for systems and critical applications. In this way, your schedule can coincide with schedules of operating system and application vendors (e.g., Microsoft has "Patch Tuesday, the second Tuesday of each month).
   
   
4. Install and maintain security software (e.g., antivirus software, endpoint security software, etc.). If possible, explore and utilize behavior based end-point protection software. This genre of software "watches" system behavior to notice and stop suspicious action.
   
   
5. Prevent malicious code execution. The goal is to keep malicious code out of your network and systems. This is best accomplished with layers of security including Internet filtering, phishing detection, and security awareness training for system users. Security awareness is essential to help prevent users from falling prey to malicious emails.

On September 9th, 2016, the Federal Financial Institutions Examination Council (FFIEC) released a revised Information Security booklet.  This booklet is one of eleven booklets that make up the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook). The IT Handbook is designed to provide information and reference to financial institutions and examiners.  The Information Security booklet specifically “provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution’s information systems.”

To learn more about the new FFIEC Information Security Booklet, join us for a webinar on October 11th at 2:00pm CDT. Register now. 

To see other webinars offered by CoNetrix, visit our webinars page.

About the FFIEC: The FFIEC was established in 1979 per Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978.  The FFIEC is comprised of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administrator (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB).

 

Here are two links to articles discussing the NIST and their discouraging of SMS use for multi-factor authentication. The special publication by NIST actually says

“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”

https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/

 

https://www.engadget.com/2016/07/29/sms-two-factor-authentication-isn-t-being-banned/

During preparation for a meeting with a bank customer, I searched their name to investigate any new Internet presence not previously documented. I found a Facebook page (unofficial) that contained postings from May 2012 related to someone “checking in” at the bank’s location. At that time, if a Facebook page was nonexistent and someone checked-in, Facebook would create an “Unofficial Page” to act as a container for the associated comments.

Further research indicated this was a common Facebook practice at the time but is no longer being done. However, if there are pages that were dynamically created they continue to exist. When I shared this information with the bank they had no knowledge of this Facebook page.

There is a potential for reputational risk if someone makes negative comments and the institution has no way to remove the negative comments from the page since they have no administrative access.

Information on "claiming" these pages is located at https://www.facebook.com/help/community/question/?id=649876991815701

 

Today the FFIEC released a Cybersecurity Assessment Tool to help financial institutions identify their risks and assess their cybersecurity preparedness.  The assessment tool is designed to provide a repeatable and measurable process for banks and credit unions to measure their cybersecurity preparedness over time.

The FFIEC tool consists of pdf documents including an Overview for Chief Executive Officers and Boards of Directors, a User's Guide, an Inherent Risk Profile, a Cybersecurity Maturity, and some Additional Resources.

CoNetrix is working on a FREE online, interactive tool to assist banks and credit unions in completing the new FFIEC cybersecurity assessment.  This easy to use SaaS will allow financial institutions to answer questions provided in the FFIEC documents, view and analyze inherent risk and cybersecurity maturity, and run various reports.  To learn more about the new Tandem Cybersecurity tool, visit https://conetrix.com/cybersecurity.

 

Yesterday, during a webinar titled "Cybersecurity - The Basics", the NCUA provided information on a new Fraud and Cyber Security Initiative grant of up to $7,500 for low-income designated (LID) credit unions.[more] The grant, which must be applied for by June 30, 2015, is designed to help LID credit unions with building and enhancing cyber security to help protect member information.

In order to assist credit unions with their information and cyber security needs, CoNetrix has created a webpage with information about the grant, including a few bundled offerings centered on cyber security.  Additionally, CoNetrix is sponsoring several free webinars to educate about the grant and our offerings.  You can register for the webinars and learn more at www.conetrix.com/ncuagrant/  

Multiple Microsoft articles indicate there is a future update to be released for Internet Explorer 11 that will disable SSLv3 by default. This is in addition to the posted workarounds and group policy settings that recommend disabling SSLv3 across all browsers to mitigate the POODLE vulnerability.

Today the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC IT Handbook, BCP Booklet.  The update included a new appendix entitled Strengthening the Resilience of Outsourced Technology Services.  The appendix highlights and expands on the BCP Booklet in four specific areas: third-party management, third-party capacity, testing with third-party technology service providers, and cyber resilience.  To learn more, visit https://www.ffiec.gov/press/pr020615.htm  

On December 3rd, the Texas Bankers Association (TBA), Independent Bankers Association of Texas (IBAT), and SWACHA hosted a cybersecurity event for banking executives, board members, and senior management called, “Executive Leadership of Cybersecurity (ELOC)”. At the conference, the Financial Services Information Sharing and Analysis Center (FS-ISAC) announced the availability of a free threat information sharing appliance that financial institutions can use to enter, store, and share threat information. The appliance is called Soltra Edge and the website says it “takes large amounts of complex threat information across communities, people and devices and analyzes, prioritizes, and routes it to users in real-time.” [more]

Here is some initial information:

• The appliance is a free download that is distributed as a virtual machine. It runs CentOS and is accessed via a web interface. Setup appears fairly simple, especially for a customer that is already running VMware. The database stores information using Structured Threat Information eXpression (STIX) and information can be shared by setting up feeds using the Trusted Automated eXchange of Indicator Information (TAXII) protocol.
• Making use of the appliance is not as easy as the setup. It is a brand new product that is trying to gain acceptance, so it is still under development and does not have all the features that they eventually want it to have.
  • The appliance is distributed with an empty database. The financial institution can load threat information using the web interface (manual data entry), import from a CSV file, import from a STIX file, or import from a TAXII feed.
  • Initially, most of community financial institutions will likely want to receive threat information from a TAXII feed rather than enter and store/share their own threat information. Each TAXII feed must be setup individually. Here are the ones we know about so far:
    • FS-ISAC has one available with a couple of caveats – 1) the financial institution will probably need to join FS-ISAC (for pricing information, visit https://www.fsisac.com/join) and 2) the last post on the Soltra forum indicated that this feed needs to be upgraded in order to work with Edge v.2. 
    • There is a free feed at hailataxii.com, but it is not yet clear who is providing the information or how useful it is.
  • So far, reporting seems VERY basic. Queries can be manually entered into the web interface, but that was the only reporting feature shown during a Soltra webinar. The Soltra forums have some discussion about integrating the appliance with some security information and event management (SIEM) systems such as Splunk, but that is still in development. Also, many community financial institutions do not currently have a SIEM system installed.
  • There are plans to import threat data directly from firewalls, IPS/IDS, etc., but that is also under development and reporting on that information would still be an issue.