Blog: Financial Institution

By:

Early this year the tech world was rocked with the announcement of two unprecedented vulnerabilities named Meltdown and Spectre.

These two vulnerabilities are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.

Understandably there was a rush from three main industries, processor companies, operating system companies, and cloud providers to provide solutions. However, as a result of the urgent response, there were unanticipated update incompatibilities which crashed systems. This created a dilemma for IT professionals. "Do we install updates which may cause our systems to crash?" or "Do we sit-tight and remain vulnerable?"

Even in the weeks of uncertainty, there were calm voices of seasoned reasoning. Their message reminded us that basic security standards remain our first line of defense. No matter how bad an exploit may be, its impact can be limited if:

  • The vulnerability doesn't have access to your systems
  • Operating system or application weaknesses are patched
  • Security software is installed (advanced end-point protection software with artificial intelligence is a game changer)

So how do you do achieve these standards? Here are some fundamental best practices:

  1. Monitor availability of operating system and application updates. Be sure you find and establish good sources to inform you about the patches and updates for your systems and applications. Then, monitor the sources or subscribe to notifications.

  2. Test updates to ensure compatibility. It is best if your update and patching process includes a test environment where non-production systems are updated first in order to test functionality and compatibility. This allows you to postpone or avoid updates which might crash systems or applications.

  3. Apply updates and patches on a regular schedule. As a best practice, you should implement a schedule (at least monthly) to evaluate, test and install updates for systems and critical applications. In this way, your schedule can coincide with schedules of operating system and application vendors (e.g., Microsoft has "Patch Tuesday, the second Tuesday of each month).

  4. Install and maintain security software (e.g., antivirus software, endpoint security software, etc.). If possible, explore and utilize behavior based end-point protection software. This genre of software "watches" system behavior to notice and stop suspicious action.

  5. Prevent malicious code execution. The goal is to keep malicious code out of your network and systems. This is best accomplished with layers of security including Internet filtering, phishing detection, and security awareness training for system users. Security awareness is essential to help prevent users from falling prey to malicious emails.

 

The FBI, the U.S. Postal Inspection Service, and state and local authorities are investigating more than 60 threatening letters that have been received by Financial Institutions in Araizona, Caliofornia, Colorado, Georgia, Illinois, New Jersey, New York, Ohio, Oklahoma, Texas, Virginia, and Washington, D.C.  The letters began to be received on Monday, Oct. 20, 2008, and appear to all be originating from Texas - all have been postmarked in Amarillo, TX.  Most of these letters contain a powder substance with a threatening communication.  At this point, field and laboratory tests on the powder have been negative; however, additional testing is taking place.

To see a copy of one of the letters, visit http://www.fbi.gov/page2/oct08/threatletters_102308.html

 


 

We came across www.bankwide.com several weeks ago.  It appeared to be a growing site designed to provide a platform to share knowledge and resources with the banking community.  I began corresponding with Aiden Michaels (the founder and lead developer for bankwide.com) to find out a little more about Bankwide - below is a response I received from Aiden: [more]

"Bankwide.com is designed to help facilitate discussion between bankers, vendors, consultants and regulators.  Its primary goal is to provide an unbiased solution base for common banking problems through ”community intelligence".  It allows for organic growth and collaboration for anyone involved in the 'ever-changing' financial services industry.  Companies such as CoNetrix can benefit by reaching out and helping bankers and credit union personnel, and conversely bankers are exposed to services and solutions that they might not find otherwise.  We see it as a win-win situation.

With the explosion of social networking on today's internet, Bankwide felt that this type of collaboration was not only possible; it was needed in today's market.  I have always considered the fact that banks share strategic information as an anomaly.  HP doesn't share information with IBM!  Non competing banks however, will gladly open their door to another bank, talk about problems, strategies and more.

Bankwide aims to create this same atmosphere virtually.  Imagine thousands of bankers sharing thousands of ideas, documents, solutions and more.  With our soon to be released - "Bankwide Solutions" we will be able to focus efforts onto specific needs such as penetration testing, remote capture, equity building...the list is virtually unlimited. 

We have also decided to keep our membership free.  Our advertisers make all of this possible, they agree to burden the cost rather than pass it to bankers who are just looking for help.  We are also currently offering a "grandfathering" period for people that sign up for the site before June 1st.  Anyone who signs up, will be a permanent member of our community.  Membership after June 1st may require that you annually have to update your information.

Finally - we are extremely proud of our new "Bankwide Experts".  Bankwide has invited several people, including your own Russ Horn, to become community experts.  These people have not only demonstrated advanced knowledge in their areas of expertise such as bank technology or compliance, but an outgoing nature and a willingness to share their knowledge.  The days of soloing expertise has been replaced with the ability to share knowledge for the greater good."

We wish Aiden and Bankwide.com the best of luck!  If you would like to find out more about what Bankwide.com has to offer you, visit their website at www.bankwide.com