Blog

The First Problem
After I installed Cisco Webex Teams, Skype began to crash each time I launched it.  I found some articles stating you can only have one application use Outlook for status updates and if you have both Webex Teams and Skype, it can cause Skype to crash (see https://collaborationhelp.cisco.com/article/en-us/gk4yog and https://collaborationhelp.cisco.com/article/en-us/yf1gc7).  My guess is this is what was causing Skype to crash.  However, it sounds like this issue didn't occur with others in our company so what was different with my install?  Well, my install was a little unique as I apparently already had a "personal" Webex account from when we used Webex years ago for webinars within our company.  With a personal account, you have options to integrate with Microsoft Outlook – my guess is one of these settings was enabled prior to "converting" to an enterprise account (with enterprise, these settings are not available).
 
The Solution to the First Problem
  1. First, I uninstalled Cisco Webex Teams.  After uninstalling Webex Teams, Skype would work fine, but if I reinstalled Webex Teams, Skype would crash again.
  2. Second, I tried installing Webex Teams and then running a "repair" on Outlook.  This seemed to fix the issue with Webex Teams and Skype (I could have both installed and Skype would not crash); however, this created my second problem – Outlook no longer showed "online status" or "presence" for company users (see internal staff status when I send emails in the "To" field).
The Second Problem
After running the repair on Outlook to fix the problem with Skype crashing when Webex Teams was installed, Outlook no longer display the "online status" or "presence" – while this doesn't seem like a critical issues, it has helped me ensure I don't send internal emails to customers with similar names in the past, so I wanted to get it fixed.
 
The Solution to the Second Problem
  1. First, I found the setting where you can enable online status (https://support.office.com/en-us/article/use-skype-with-outlook-to-display-a-contact-s-presence-information-b1509222-2c5d-4cd4-bff7-508d2b6f410d) but it was checked.
  2. Second, I researched the Registry settings for Skype and Cisco Webex Teams and found the following two settings I needed to change in order for Outlook to show "online status"
    1. Computer\HKEY_CURRENT_USER\Software\IM Provider
      1. Had to change the DefaultIMApp from "Cisco Spark" to "Lync"
    2. Computer\HKEY_CURRENT_USER\Software\IM Providers\Cisco Spark
      1. Had to change "UpAndRunning" from 2 to 0

 

Every time I would lock my Surface Pro running Windows 10 it would disconnect from the network after about a minute or two.  This would cause certain applications to disconnect and quit working.  After some research I found the culprit was an Advanced Power Setting called "Console lock display off timeout" which by default is disabled from view and set to 60 seconds.  To enable this setting, simply:
 
  1. To enable the "Console lock display off timeout" setting follow these steps:
    1. Open the Registry Editor (Press Windows key + R on your keyboard to open the Run command and type regedit and click ok)
    2. Browse to KEYLOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\8EC4B3A5-6868-48c2-BE75-4F3044BE88A7
    3. Double click on Attributes to open Edit DWORD Value and set the Value data to 2 and click ok
  1. Now that the "Console lock display off timeout" setting is enabled, you can set the value by following these steps:
    1. Open the Control Panel
    2. Click on Power Options
    3. Select Change plan settings
    4. Select Change advanced power settings
    5. Navigate to Display > Console lock display off timeout and set the timeout to whatever you want (in minutes)
    6. Note, you can also use the PowerCfg.exe utility to set the display timeout using the following commands:
      1. powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_VIDEO VIDEOIDLE <time in seconds>
      2. powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK <time in seconds>
      3. powercfg.exe /setactive SCHEME_CURRENT
  1. After going through this process, I also understand it may be possible to bypass the default screen timeout of 60 seconds following a locked system by setting the basic "Turn off the display" power setting to "Never"; however, this may not be ideal in many situations.
 It appears my surface docking station considered my surface asleep when the display was disabled after 60 seconds from when I would lock my system; therefore, the docking station disconnected causing my network connection to be lost.

 

When trying to use open WiFi such as in a hotel or airplane and you have to go through an authorization page, you can have trouble getting started if your default page is something like https://google.com that is using HSTS headers and doesn't offer an HTTP option. Many times, the intermediate authorization page doesn't show up because the browser won't redirect from your HTTPS home page.
 
If this causes problems, you can always try to go first to http://neverssl.com which is HTTP only and will usually allow the intermediate authorization page to come up and get you started. Then, once online, you can proceed to setup a VPN connection, etc.

 

For our audits, we run VMware Health Analyzer (VMHA) on any vCenters to collect information on ESXi build numbers, snapshots, dormant VMs, etc. Recently, a customer we were scanning had two vCenters, and while VMHA worked fine on one of them, we were getting errors on the other. Standard troubleshooting didn't work, and the customer didn't know why we weren't able to collect the information this year. After running nmap on the vCenter, we determined the customer had redefined the port used for this vCenter instance and simply defining the port in our scan credentials solved the issue.


 

I was working with a user who uses Windows Fax and Scan to scan documents. One day it stopped scanning and threw an error that read, "A problem prevented the document from being scanned. Please try again or see Help and Support or the information that came with the scanner."
 
All research pointed to running the application as an administrator. Tested running as admin and we were able to scan. We then tried running normally again and the error occurred. Running as an admin was not a viable solution, but as a temporary fix, I created an alternate local admin account and a runas shortcut to run the application with while I searched for a true solution.
 
I found one article that caught my eye, because it referred to issues saving scans as .tiff format, which this user was trying to do. Turns out that when Windows Fax and Scan saves as .tiff, it creates a temporary version of the file and saves it in C:\users\%username%\app data\local\Temp. Once the magic number of 10,000 files is reached, it will no longer accept new temp files. When you run it as an admin since that is technically saving to the admin's temp directory it appears to work magically. I checked the user's temp files and sure enough there were 10,001 .tiff files. Deleted them all, tested scanning again and it scanned without issues.

 

By: (CISA, CISSP, CRISC)

If you are a credit union, you should expect to see the ACET during your next IT examination. The NCUA began piloting this new examination tool in 2018 with larger credit unions, but we anticipate it will be used in most credit union examinations in 2019. As you prepare for the ACET, here is a list of frequently asked questions for you to review.

What is the difference between the CAT and the ACET?

While the ACET mirrors the CAT (the FFIEC's Cybersecurity Assessment Tool) in content, ACET provides additional content, features, and details to help credit unions and the NCUA examine and benchmark the industry's cybersecurity preparedness. To learn more about specific differences, read our in-depth post on the differences between the NCUA ACET and the FFIEC CAT.

Does the ACET replace the risk assessment requirement per GLBA?

No. While ACET should be considered complementary to information security risk assessment(s) as outlined in the Interagency Guidelines Establishing Information Security Standards per GLBA, it does not replace this requirement. 

Will NCUA IT Examinations be limited to ACET?

No. The NCUA indicates they will use the ACET during upcoming IT exams, and it will be in addition to risk-focused IT examinations.

Where do I get a copy of the ACET spreadsheet?

At the time of this post, the ACET is not available from the NCUA website. Per Supervisory Letter 17-CU-09, the NCUA stated they will "continue to test and refine the ACET through 2018," but you can download version 032618 of the ACET here. In addition, credit unions should receive the current version of the ACET prior to an IT examination. When the ACET is completed as part of the examination process, examiners will leave the completed ACET with the credit union, and discuss the results and any discrepancies with management.

Are credit unions required to complete the ACET?

No, the ACET is not required, but it is recommended. When the NCUA does an examination using the ACET, they will ask if the credit union has completed the ACET. If the credit union has not, the examiner will complete the ACET using the provided material from the exam request list. While this will not be considered a negative for the credit union, credit unions should complete the ACET ahead of time so they can have more meaningful discussions during the exam.

How can Tandem help my credit union with ACET?

Tandem offers an online tool to help financial institutions complete the FFIEC Cybersecurity Assessment Tool and the NCUA Automated Cybersecurity Examination Tool. The features allow credit unions to complete the assessment through Tandem and download the results in the ACET spreadsheet format. The Tandem online software comes in both a free and paid version. Join more than 1,000 other financial institutions and sign up for the free Tandem Cybersecurity Assessment Tool today by visiting https://conetrix.com/tandem/cybersecurity-assessment-tool-ffiec. 

 


 

 

CoNetrix developed the online software tool highlighted in the video help financial institutions such as banks, credit unions, mortgage companies and trust companies complete and report on the FFIEC Cybersecurity Assessment Tool. The Tandem Cybersecurity module is available in three versions: Free, Pro, and Pro+. 

Additionally, CoNetrix has updated the tool to include the additional ACET features and to allow Credit Unions to complete the assessment through Tandem and download the results in the ACET spreadsheet format.

Join more than 1,000 other financial institutions and sign up for the free Tandem Cybersecurity Assessment Tool today by visiting conetrix.com/tandem/cybersecurity-assessment-tool-ffiec.


 

In 2018, the NCUA began piloting the use of the Automated Cybersecurity Examination Tool (ACET) based on the FFIEC's Cybersecurity Assessment Tool (CAT) to review credit unions.  While the ACET mirrors the CAT in content, ACET provides additional features and details to help credit unions and the NCUA examine and benchmark the industry's cybersecurity preparedness. 

What are the additional features of the ACET as compared to CAT?  Let's take a look…

ACET is a spreadsheet

While the FFIEC Cybersecurity Assessment Tool (CAT) was called a tool, it was released in the form of a PDF download.  This forced financial institutions to complete the tool manually on paper, to develop their own mechanism to electronically complete the assessment, or to use third-party software such as Tandem to complete the assessment.  The ACET was released by the NCUA as a spreadsheet, partly, to provide credit unions a functional option for completing the CAT.

ACET includes a dashboard

The first sheet in the ACET spreadsheet is a dashboard.  The dashboard provides summary information of the credit union, a completion status for the inherent risk profile and cybersecurity maturity, and inherent risk levels.  The dashboard is helpful to let the credit union and their examiner see the completion status of the assessment. 

ACET has an Admin sheet for NCUA examination use

ACET was primarily designed to be used during NCUA examinations; therefore, the NCUA included an Admin sheet to be used by NCUA examiners.  This sheet is primarily used to calculate and track review hours used during the examination process.

ACET contains a document request list

Since ACET is used as an examination tool, or work program, a document request list was added.  The current version (v032618) of the ACET does not have a hyperlink from each document request to any inherent risk questions or maturity statements. However, validation text added to these statements, in many cases, does reference back to the requested items.

ACET adds validation text to inherent risk statements

Answers to the inherent risk profile statements help institutions determine their overall cybersecurity inherent risk.  ACET expanded these statements to include "Validation Approaches" for each inherent risk statement.  The validation approaches language describes what an institution or examiner should review to answer, or validate the answer to, an inherent risk statement.  In many cases, these validation approaches reference back to documents you can review from the document request list.

ACET summarizes maturity in a Maturity Details sheet

The ACET includes a sheet called "Mat. Details." This table provides a summary of the institution's maturity.  Percentages of "Yes" answers are displayed by Component for each maturity level.  This view provides a snapshot of the intuition's cybersecurity maturity across all of the Components.

ACET provides additional reporting fields for declarative statements

The ACET includes additional columns to help institutions document evidence or additional information related to each cybersecurity maturity declarative statement in the "Domain" sheets.  The first additional column, Comment [Required for Yes(c)], was added for credit unions to have a place to explain the "Yes with compensating controls" answer. Two additional columns, Reviewed and Suggested Edits, were added to help examiners when reviewing the ACET.

ACET incorporates a guide with additional commentary and mappings

The ACET includes a sheet named "Guide" with additional commentary and mappings to help an institution or examiner understand and answer the cybersecurity maturity declarative statements.  The additional columns include:

  • Comment: commentary with additional details describing what is expected from the declarative statement and what value the control has on cybersecurity.
  • Examination Approaches: describes what an institution or examiner should review to answer or validate the answer to a declarative statement.
  • Baseline Mapping: mapping declarative statements to the FFIEC IT Examination Handbooks. These are the same mappings in the CAT Appendix A.
  • NIST Mapping: mapping declarative statements to NIST.

ACET and Tandem

When the FFIEC Cybersecurity Assessment Tool (CAT) was first released, Tandem developed an application to aid in its use. Now Tandem has updated the tool to include the additional ACET features and to allow Credit Unions to complete the assessment through Tandem and download the results in the ACET spreadsheet format.  The Tandem SaaS comes in both a free and paid version.  Join more than 1,000 other financial institutions and sign up for the free Tandem Cybersecurity Assessment Tool today by visiting conetrix.com/tandem/cybersecurity-assessment-tool-ffiec.


 

I have been working with a customer on a file server and domain migration project. The original plan was to move the files to our Aspire datacenter on a server that was in a different domain. Since we were moving domains, we were going to have to recreate the file permissions on the new domain. I typically run Robocopy using the /COPYALL (which is equivalent to /COPY:DATSOU) parameter, but since we did not want to copy the security, owner, or auditing information, I used /COPY:DAT.
 
After the initial seeding, the customer prioritized some other moves and postponed the file server migration. During that time, the old datacenter suffered a three day Internet outage. After the outage, the customer decided to move the files while client machines remained on the old domain to prevent another outage. This caused us to need to copy the existing permissions instead of the original plan to translate the permissions at the time of migration.
 
I changed my Robocopy scripts to use /COPYALL instead of /COPY:DAT. Robocopy copied the permissions for the files that had changed or been added since the seeding, but it did not fix the security permissions for the files that had not changed. This is by design as Robocopy only copies permissions when it copies a file. In order to reevaluate the permissions, the /SECFIX parameter must be added. I changed my script to include /COPYALL /SECFIX and it sync the files AND the permissions. This Robocopy takes longer because it has to evaluate security instead of just the files.
 
To keep files and permissions in sync, you need to use the /COPYALL and /SECFIX. You can add /v for verbose logging. The Robocopy command I used to keep the files and permissions in sync was: "robocopy source destination /COPYALL /SECFIX /MIR  /S /E /DCOPY:T /R:0 /W:0 /LOG+:log.log".

 

We had a banking customer with a FiServ application consistently crashing under Windows 10. The crash would always display a .Net framework error. All users of this application were having issues with it, but the severity changed from user to user. One user would crash once every couple of hours, while the other would crash once every other day. No user was doing the exact same thing, and no other errors were showing before the crash. It seemed to be a completely random occurrence.
 
FiServ support could not recreate the issue and advised we update to Windows 10 1803. While updating a PC to test this solution I checked the event logs and noticed a printer kept trying to map every 60 minutes and fail. It just so happened that whenever this printer failed to map, the .Net error would also show up on event logs. Group Policies were refreshing and triggering the printer mapping error. I launched the application and ran a "gpupdate" and sure enough, the application crashed. I looked into the GPO's and found the drive that was mapping the location of the program was set to "replace" instead of "update" or "create". This was causing the file path to be lost every time there was a group policy update. I changed this drive map to "create" and it resolved the issue.