The Changing Role of the Community Bank IT Manager

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

At small community banks, the IT Manager role was once, and in some cases still is, one of many hats worn by the President or CFO. However, this role is quickly evolving into a nearly full-time position even at smaller community banks. There are a number of factors that are contributing to this change, including increased use and sophistication of technology, increased regulatory scrutiny for cybersecurity, and the rapidly changing threat landscape.

It was not long ago that the IT Manager only needed to support a few internal servers and workstations. Over time, technology and customer expectations have evolved, leading to increased network complexity through the requirement for additional internal servers to support new services, the use of server virtualization, and connectivity to additional outside networks. In addition, the use of mobile technology has expanded dramatically leading to employees using mobile devices to access internal network resources, and banking services being provided to customers through their mobile devices.

The amount of time required to properly manage and monitor a bank’s information systems has increased dramatically. However, in many cases, community banks have not significantly increased the human resources assigned to the management of their IT environment. We have had numerous discussions with bank IT personnel indicating that they do not believe that they have enough time and resources to properly address the changing IT regulatory requirements and new cyber risks. While some community banks have outsourced the management of their network and other systems to a service provider, this does not relieve the bank of its role in the oversight of these systems. Additionally, outsourcing increases the time that the bank must spend to manage these vendor relationships.

Here are some of the areas where we have seen community banks spending additional time to perform IT and information security functions:

  • Vendor Management. As the bank implements new services or engages service providers to manage existing services, additional time is required to monitor these vendors. Significant time is needed to obtain the required documentation from each vendor and to review and analyze this documentation.
  • Threat Intelligence. Threat intelligence sources are monitored to learn which threat actors are active and what they are currently doing, so that mitigating controls can be identified and implemented to limit the potential impact of that activity on the bank. Significant time can be spent analyzing the data from threat intelligence sources to determine its applicability to the bank and then implementing or modifying mitigating controls.
  • Risk Assessment and Policy Maintenance. As the bank adds or changes technologies or services, risk assessments and policies must be created or updated to address their risks. In addition, risk assessments need to be updated periodically to ensure that the risks associated with new or changing threats are evaluated and mitigated. A cybersecurity assessment must be completed and reviewed periodically based on changes within the bank’s IT environment.
  • Ongoing Employee Information Security Awareness Training. With most banks providing external email access and internet access to all of their employees, each employee has become a critical link in the security chain where the result of one employee clicking on a malicious link in an email can be an organization-wide catastrophe. Annual training is no longer adequate to keep employees apprised of current threats such as ransomware and phishing scenarios. A significant amount of time can be spent developing training materials and distributing them to employees on an ongoing basis.
  • Event Management and Monitoring. Network devices, operating systems, and applications must be monitored to identify malicious activity. In the past, many banks monitored only perimeter devices such as firewalls and believed that the perimeter devices would stop any threats. However, many current attacks start with the installation of malicious code on an employee’s workstation, which bypasses the controls imposed by the firewall; the attacker then moves around the internal network, potentially undetected. Monitoring for malicious activity on all of the bank’s internal network devices can require significant resources.
  • Patch Management. Patch management is more than just patching Microsoft operating systems and applications such as Adobe Acrobat and Java. It also includes updating the software running on network devices such as firewalls, routers, switches, DVRs, and printers to address known vulnerabilities. Additional time must be spent to identify the release of new patches, and in many cases the patches must be installed manually on each device.
  • Disaster Recovery / Business Continuity Planning and Testing. A bank’s increased dependence on technology requires formal documentation of how business continuity will be maintained, and testing of the selected plans to ensure that the bank can recover from a disaster within a time frame that allows its daily functions to continue. Additional time is required to initially document recovery strategies and then to modify the strategies based on system or vendor changes. Time is also required to prepare testing strategies, coordinate testing schedules with vendors, and analyze the test results.
  • Incident Response Planning and Testing. Many experts say that it is not a question of if a business will be hit by some form of breach, but when. Banks must have a well-documented plan in place to detect and respond to an information security incident. In addition, the plan needs to be tested periodically to ensure that all employees are aware of their roles so that they can respond to an incident effectively and efficiently.

Potential Costs of a Breach
Why should changes to the technology used by the bank, changes to regulatory requirements, and the evolving threat landscape be a significant concern for the board of directors? The board of directors is ultimately responsible for the management of the information security program, and failing to provide the appropriate resources to manage the IT and information security functions at the bank can lead to regulatory enforcement actions, harm to the bank’s reputation, and significant costs associated with a data breach.

According to the Ponemon Institute’s 2017 Cost of Data Breach Study: United States, performed June 2017, the average cost for each lost or stolen record containing sensitive and confidential information is $225. This study also indicated that breaches involving businesses within the financial services industry had a per capita cost of $336.

Insurance Coverage
Another consideration for the board of directors is insurance coverage. While a bank may have a cyber insurance policy, management needs to thoroughly understand the requirements for this policy and ensure that it is meeting all of the minimum security requirements of the policy. Insurance companies may reject a claim or even seek repayment of a settlement if defined controls were not in place at the bank at the time of a breach.

Using the example of a community bank with assets of $100 million and 12,000 customer records, a breach of those 12,000 records could cost the bank roughly $4 million at the financial services per-record cost cited above (12,000 × $336). This would be a substantial loss for the bank if insurance coverage is not appropriate, and even more significant if an insurance claim is denied due to the bank’s failure to maintain the minimum security requirements defined within the policy.

Continuing Education
With the rapid changes in technology and the changing threat landscape, continuing education for the bank’s IT staff is also a critical consideration. A bank’s IT Manager must learn how to change the bank’s mitigation strategies to address evolving cyber threats rather than relying solely on the strategies that have been used in the past. There are numerous options for continuing education such as cybersecurity conferences sponsored by state banking associations and webinars.

Cybersecurity Assessment Tool Staffing Requirements
With the regulatory focus on cybersecurity, another illustration of the need to evaluate the human resources required to effectively manage the bank’s information systems can be found in the declarative statements within the staffing section of the FFIEC’s Cybersecurity Assessment Tool as shown below. Attainment of the baseline cybersecurity maturity level is required for all banks as this level identifies the minimum expectations required by law, regulations, or supervisory guidance. The declarative statements within the evolving cybersecurity maturity level will also need to be attained by small community banks as they increase their maturity level over time.

     Baseline

  • Information security roles and responsibilities have been identified.
  • Processes are in place to identify additional expertise needed to improve information security defenses.

     Evolving

  • A formal process is used to identify cybersecurity tools and expertise that may be needed.
  • Management with appropriate knowledge and experience leads the institution’s cybersecurity efforts.
  • Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position.
  • Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk.

Conclusion
In summary, the board of directors and senior management must carefully consider the resources required to appropriately manage its information systems based on the rapid technological, regulatory, and threat landscape changes. Strategic plans should consider the additional workload that will be created to support changes within the bank’s IT environment to achieve management’s strategic goals, and ensure that appropriate human resources are included within its plans.

For more information on this article or how Young & Associates, Inc. can assist you, contact me at 330.422.3447 or mdetrow@younginc.com.


FFIEC Cybersecurity Assessment Tool Update – New Version of the Cybersecurity Assessment Workbook Released

On May 31, 2017, the FFIEC announced an update to the Cybersecurity Assessment Tool which includes a change within the cybersecurity maturity section of the tool and an updated mapping of the baseline statements to the FFIEC IT Examination Handbooks.

The update to the cybersecurity maturity section of the tool allows institutions to select “Yes with Compensating Controls”, meaning that an institution has implemented a control or controls that protect an information system in a manner that is comparable or equivalent to a recommended security control within a declarative statement. Appendix A was revised to incorporate the updates to the Information Security and Management booklets.
Version 2.0 of the Cybersecurity Assessment Workbook (see below) incorporates the changes within the cybersecurity maturity section of the tool, as well as the content of Appendix A.

Cybersecurity Assessment Workbook
(#310) – $299

This electronic workbook allows a financial institution to easily complete the FFIEC Cybersecurity Assessment Tool and generate the needed summaries for analysis and board reporting. The workbook is set up with two main sections: 1) Inherent Risk Profile and 2) Cybersecurity Maturity.

Inherent Risk Profile. Includes five worksheets for the five categories of inherent risk identified in the Cybersecurity Assessment Tool. This section also contains a summary worksheet to assist the reviewer with the identification of an Overall Inherent Risk Profile.

Cybersecurity Maturity. Includes five worksheets for the five domains identified by the Cybersecurity Assessment Tool. A summary worksheet for each of the five domains allows the reviewer to identify the maturity level for each domain.

Easy to Use and Understand
All of the required data entry is completed through the use of drop-down boxes, and provisions are included to allow the reviewer to enter notes and comments as needed throughout the workbook. Colorful summaries are included to simplify analysis and for inclusion in a report to the Board.

The Cybersecurity Assessment Workbook is available for $299.

To Order: Click Here.

The Director’s Role in Information Security

By: Mike Detrow, Senior Consultant and Manager of IT

Technology has changed significantly at community banks over the past 15 years. For many years, banks only had to manage a core processing system, a standalone Fedline PC, and a few workstations that were used for word processing and maintaining spreadsheets. These systems were relatively easy to secure as data was maintained in-house and connectivity to external networks was limited. Fast forward to 2017 and community banks now have connections to numerous outside networks including the internet and those of core processing vendors. Services are being offered to customers through cell phones and tablets, customer data is processed through websites, and data is stored in many locations that are not controlled by the bank.

Whether making a loan, depositing a check, or checking a customer’s account balance, nearly every function within the bank now relies on some form of technology. To remain competitive, the implementation of new technology is necessary to meet the needs of customers and to reduce a bank’s operating expenses. However, information security has often been an afterthought rather than being incorporated during the implementation process.

Regulators are emphasizing the need for a change to the security culture within community banks to make information security a higher priority, and this change must begin with the board of directors. The board must take a more active role in the oversight of the bank’s information security program. All too often, information security is treated as something that only the “IT person” can understand, and directors do not properly scrutinize the decisions made by the IT Manager or an outsourced technology support provider. The board of directors is ultimately responsible for the security of the customer information maintained by the bank and the third parties that the bank uses. As such, directors must have a clear understanding of the regulatory requirements for protecting customer information, as well as defining and monitoring the bank’s information security program. While directors may not fully understand all of the technical aspects, I have provided some general recommendations for overseeing the information security program within this article.

Recommended Documents
The following documents should be reviewed and approved by the board of directors on an annual basis, or more frequently depending on the changes that occur within the bank. While much of the information in these documents will not change, there will typically be some changes each year due to employee turnover, technological changes, or new regulatory guidance. These changes should be clearly documented to allow directors to evaluate the changes before approving the updated documents. If there are no recommended changes to these documents over a period of several years, directors should request an explanation from management.

  • IT Strategic Plan. An IT Strategic Plan should be in place to align IT initiatives with the bank’s overall strategic plan. This may include the implementation of additional products and services to compete with other financial institutions or the implementation of technologies to create internal efficiencies. The IT Strategic Plan may also identify systems that are approaching the end of their manufacturer’s support lifecycle and identify upgrade/replacement strategies.
  • IT Budget. The budgeting process should include information technology and information security expenses such as hardware and software maintenance, technology service provider expenses, contract renewals, recently approved project expenses, training expenses, and risk mitigation expenses.
  • Information Security Program. The Information Security Program identifies the technical, physical, and administrative safeguards that must be implemented to maintain the confidentiality, integrity, and availability of the bank’s information systems.
  • Information Security Risk Assessment. The Information Security Risk Assessment should identify the information systems that are in use, classify the data that the information systems store or process, identify the threats and vulnerabilities associated with each information system, identify the likelihood and impact of the risks, identify the mitigating controls that have been implemented, and evaluate the effectiveness of the mitigating controls. The risk assessment should be updated before implementing new information systems and as new threats are discovered.
  • Incident Response Plan. The Incident Response Plan should identify the procedures to be performed in response to an incident involving loss of data availability, confidentiality, and/or integrity, such as a breach. The steps of this plan should include containing the incident, recovering from the incident, the investigation process, and the notification process. This plan should be tested on a regular basis to evaluate the effectiveness of the response procedures for various types of incidents.
  • Business Continuity/Disaster Recovery Plans. The Business Continuity and Disaster Recovery Plans identify procedures for performing the bank’s business processes during or following various types of operational interruptions. These procedures must be tested on a regular basis to ensure the continuity of these business processes during a variety of disruptive events, such as natural disasters, service provider interruptions, and cyber-attacks.
  • Cybersecurity Assessment. A formal Cybersecurity Assessment should be performed to evaluate the bank’s inherent cyber risk and the effectiveness of its cybersecurity controls. If the bank is utilizing the FFIEC’s Cybersecurity Assessment Tool, an understanding of the relationship between the Inherent Risk Profile and the Cybersecurity Maturity Level is required. Plans for attaining the recommended Cybersecurity Maturity Level should be developed and the status of this process should be monitored. The Cybersecurity Assessment should be reviewed annually and updated when changes occur that affect the bank’s Inherent Risk Profile.

Recommended Reports
The Information Security Officer should provide information security program status reports to the board of directors on at least an annual basis. These reports should identify the risk assessment process, risk management and control decisions, service provider arrangements, results of independent testing of the information security program, security breaches, and recommendations for updates to the program. While some of the content within these reports will not change, these reports should reflect the actual activity since the last report and should not just be the same report with a new date at the top.

While many community banks have implemented a steering committee to manage their information security programs, directors still need to ensure that the program is effectively managed. If a steering committee is used, a formal charter should be in place to define the committee’s purpose and responsibilities. The board of directors should receive copies of the steering committee’s meeting minutes to monitor committee activities and to ensure that it is fulfilling its requirements.

Information system reports and service provider reports should be regularly monitored to identify any events that require further investigation. Some examples of the reports that should be reviewed by the steering committee or the board of directors include:

  • Patch management
  • Firewall
  • Intrusion detection system
  • Intrusion prevention system
  • Anomalous operating system events
  • Malware/virus protection
  • Managed services provider tickets
  • Vendor management

If the reports that are provided never indicate any anomalous activity that requires further investigation, directors should question the validity of the reports and request a review of the reporting parameters for the system(s).

Independent Audits
To assist the board of directors with its evaluation of the effectiveness of the bank’s information security program, periodic independent audits should be performed. These audits are typically performed on an annual basis depending on the size and complexity of the bank and its risk assessment. The board of directors or the audit committee should be involved in the external auditor selection process and the audit scoping process. At least one director should participate in the auditor’s exit meeting to ensure an understanding of any recommendations made by the auditor.

Conclusion
The use of a top-down approach to manage information security and holding employees accountable for complying with the bank’s information security program will greatly strengthen the security culture within the bank. A strong security culture will help to enhance the bank’s reputation among its customers, community, and the financial industry.
For more information on this article or on how Young & Associates, Inc. can assist you in this process, contact me at 330.422.3447 or mdetrow@younginc.com.

Phishing: Understanding the Risks and Implementing an Effective Employee Training Program

By: Mike Detrow, CISSP, Senior Consultant and Manager of I.T.
Our assessments consistently show that the human element is the weakest link in the security chain. It is not uncommon for a community bank to fare well during external network vulnerability scans due to appropriately configured firewall rules controlling inbound traffic and/or limited internally hosted services. While controls may be implemented to mitigate technical vulnerabilities, humans are still susceptible to social engineering attacks such as phishing. This vulnerability may be compounded by community banking values, such as customer service and employee accessibility. One example of employee accessibility is placing employee email addresses on the bank’s website. While it is not a bad practice to provide employee contact information on the bank’s website, placing email addresses directly within a webpage, rather than using a contact form that hides the email address from automated tools and website visitors, simplifies the email address harvesting process.

One of the activities that we perform during the majority of our vulnerability assessments is a social engineering test, where we send a phishing email to the client’s employees to evaluate the effectiveness of the bank’s information security training program. Through our assessments, we frequently demonstrate the ease with which an attacker can convince multiple employees to visit a malicious link or provide information system login credentials.

Many community banks utilize technology service providers for services such as email hosting, loan documentation, document imaging, and online mortgage applications. These services are often accessed through a web browser. As a result of the phishing emails that we send during our assessments, we are typically able to obtain email login credentials. If the bank is using a hosted email service with webmail capabilities, we can then use the provided login credentials to access an employee’s email account and view any non-public data that the employee has sent or received. You may be thinking, “No worries here, we have a policy that instructs employees not to send customer information through unencrypted email so they are surely following this policy.” Even so, it is very common to see customer information sent through unencrypted email between bank employees and in some cases between bank employees and customers.

Even if no customer information is sent through email, there is still plenty of other useful information within an employee’s email box. Some examples of this useful information include bank policies, employee schedules, and welcome emails with temporary login credentials for accessing web-based services. By obtaining a list of the web-based services available to the compromised email account’s owner, we can now access the websites for these services and use the password reset function which sends a link to the compromised email account to allow a new password to be set. We now have access to this web-based service which will provide access to a significant amount of customer information depending on the type of service provided. In addition, systems that rely on the user’s email address for the purpose of one-time passwords or password recovery would be compromised.

The compromised email account scenario above is just one example of the result of a phishing email. Some other examples of phishing emails include links to malicious websites for the purpose of installing malicious code onto the visitor’s workstation, and emails that instruct the recipient to perform a task such as sending a wire transfer to the attacker.

Phishing Training
While many community banks provide some form of phishing training to employees on an annual basis, this training usually consists of a policy review or a few examples of phishing emails during a presentation. This type of training is not as effective as exposing employees to actual phishing emails throughout the year.

To assist community banks with their employee training program, Young & Associates, Inc. offers a quarterly Phishing Training service. The intent of this service is to simulate real-world phishing scenarios during the normal business day and require each employee to respond individually to the email. Employees who click the link or provide credentials can receive additional training from a supervisor, or training materials can be presented immediately after the link is clicked or the credentials are submitted. Unlike do-it-yourself services that require someone at your institution to develop their own phishing scenarios, send emails, and monitor the results, our consultants do all of the work. Our consultants will send the phishing emails, monitor the results, and provide a report of the results to your institution’s management team.
Our consultants will work with your institution to develop a customized phishing training program for your employees which will establish:

  • Expectations for the training program
  • A baseline of the effectiveness of the current employee training program based on the first quarterly email
  • A schedule for sending the remaining quarterly emails
  • Increases to the complexity of each remaining email
  • Development of ongoing training materials

For information about our Phishing Training service, please contact Mike Detrow at 1.800.525.9775 or click here to send an email.

Implementing a Threat Intelligence Program

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

As part of its continued focus on cybersecurity, the Federal Financial Institutions Examination Council’s (FFIEC) September 2016 Information Security booklet of the IT Examination Handbook emphasizes the need for institutions to implement procedures for obtaining, monitoring, assessing, and responding to evolving threat and vulnerability information.

Institutions have typically implemented a number of preventative controls such as firewalls, intrusion prevention systems, and antivirus applications to protect their information systems. However, these systems are not always effectively managed and monitored. Even in cases where perimeter devices are well managed and monitored, it is not uncommon to see security weaknesses within the internal network such as missing patches, system misconfigurations, and default passwords. Advanced attacks may not be prevented by perimeter network controls alone and may only be identified through information obtained from external intelligence sources and by monitoring internal detection systems.

An advanced attack typically follows these general steps to achieve the attacker’s goal:

1. Active and passive reconnaissance is performed to learn about the target organization and to identify weaknesses.
2. Based on the identified weaknesses, the attacker obtains or develops malicious code and attempts to deliver this code to the organization through social engineering techniques, exploitation of vulnerable services or applications, or other means.
3. If the attacker is successful, malware and/or backdoors are then installed on the organization’s systems for the attacker to establish control.
4. If needed, privilege escalation is performed through exploiting vulnerable systems or misconfigurations.
5. The attacker performs the intended activities, such as data exfiltration from the organization’s information systems.

To comply with the FFIEC’s guidance, financial institutions must implement a Threat Intelligence Program that documents the following:

  • Employee Responsibilities. Employee responsibilities for monitoring, analysis, response, and reporting should be clearly defined to ensure accountability and appropriate approval for any recommended changes. In addition, the responsibilities for monitoring accounts with administrative capabilities should be documented to ensure independence.
  • Monitoring Threat Intelligence Sources. External threat intelligence sources may include the Financial Services Information Sharing and Analysis Center (FS-ISAC), hardware vendors, or software vendors. Internal sources may include intrusion prevention systems, intrusion detection systems, firewall logs, server event logs, antivirus alerts, or a Security Information and Event Management (SIEM) system. The process for monitoring internal systems begins with the development of a network activity baseline, or in other words, an understanding of the normal daily activity within the institution’s IT environment. Once the institution understands the baseline, monitoring systems can be implemented and tuned to provide alerts to activity that is outside of the baseline and requires additional analysis. A list of the intelligence sources that are monitored and the procedures for monitoring these sources should be documented. Monitoring procedures may indicate that emails are sent to specific employees when an alert is issued or they may indicate that an employee reviews a system management console on a daily basis. Monitoring procedures may also indicate the process for determining the applicability of an alert to the institution’s environment.
  • Analysis and Response. Analysis and response procedures should identify the steps to be taken to assess the risk of a specific threat, determine a mitigation strategy, and implement the mitigation strategy.
  • Reporting. Reporting procedures should identify the type and frequency of reports that will be provided to the board of directors to evaluate the effectiveness of the threat intelligence program. Reports may include a list of the threat notifications received, applicability to the financial institution, and management’s responses to the applicable threats.
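The "Monitoring Threat Intelligence Sources" item above, like the "Event Management and Monitoring" item in the staffing article earlier on this page, describes the same procedure: learn what normal activity looks like, then alert on events that fall outside that baseline. The following Python script is an added example written for this page (it is not code from the article, from Young & Associates, or from any FFIEC publication) that carries the procedure out over constructed logon records. The record format (timestamp, user, source host, target host), the host and user names, the `adm-` naming convention for administrative accounts, the `MGMT-01` management host and the one-hour tolerance are all assumptions made for the illustration.

```python
"""Baseline-then-alert monitoring over constructed logon records.

Added example for illustration only; every host, user and field name
below is an assumption, not something taken from the article.
"""
from collections import defaultdict
from datetime import datetime

HOUR_TOLERANCE = 1           # assumption: a logon within one hour of a baseline hour is normal
ADMIN_PREFIX = "adm-"        # assumption: administrative accounts are named adm-<user>
MGMT_HOSTS = {"MGMT-01"}     # assumption: the only hosts admins are expected to work from

# Constructed baseline: a few days of "normal" logons (timestamp,user,source_host,target_host).
BASELINE_LOG = """\
2017-06-05T08:02:00,jsmith,WS-TELLER-01,FS-CORE
2017-06-05T08:05:00,jsmith,WS-TELLER-01,MAIL-01
2017-06-05T17:10:00,jsmith,WS-TELLER-01,FS-CORE
2017-06-06T08:10:00,jsmith,WS-TELLER-01,FS-CORE
2017-06-05T07:45:00,adm-kwong,MGMT-01,DC-01
2017-06-05T13:30:00,adm-kwong,MGMT-01,FS-CORE
2017-06-06T09:00:00,adm-kwong,MGMT-01,DC-01
2017-06-05T09:15:00,rlopez,WS-LOAN-02,IMAGING-01
2017-06-06T16:40:00,rlopez,WS-LOAN-02,IMAGING-01
"""

# Constructed records for the period being monitored, same format.
NEW_LOG = """\
2017-06-12T08:03:00,jsmith,WS-TELLER-01,FS-CORE
2017-06-12T08:20:00,jsmith,WS-TELLER-01,MAIL-01
2017-06-12T22:41:00,jsmith,WS-TELLER-01,FS-CORE
2017-06-12T14:05:00,adm-kwong,WS-TELLER-01,DC-01
2017-06-12T08:30:00,jsmith,WS-TELLER-01,IMAGING-01
2017-06-12T10:00:00,rlopez,WS-LOAN-02,IMAGING-01
"""


def parse_log(text):
    """Parse 'timestamp,user,source_host,target_host' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "dst": dst})
    return events


def build_baseline(events):
    """Learn, per user, the source hosts, target hosts and logon hours seen in the training window."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for e in events:
        b = baseline[e["user"]]
        b["src"].add(e["src"])
        b["dst"].add(e["dst"])
        b["hours"].add(e["ts"].hour)
    return dict(baseline)


def evaluate(events, baseline):
    """Return one (timestamp, user, reason) tuple per way an event departs from the baseline."""
    alerts = []
    for e in events:
        user, hour = e["user"], e["ts"].hour
        b = baseline.get(user)
        if b is None:
            alerts.append((e["ts"], user, "user has no baseline"))
            continue
        if e["src"] not in b["src"]:
            alerts.append((e["ts"], user, f"new source host {e['src']}"))
        if e["dst"] not in b["dst"]:
            alerts.append((e["ts"], user, f"new target host {e['dst']}"))
        # Hour check ignores wrap-around at midnight; good enough for an illustration.
        if not any(abs(hour - h) <= HOUR_TOLERANCE for h in b["hours"]):
            alerts.append((e["ts"], user, f"logon at {hour:02d}:xx outside baseline hours"))
        if user.startswith(ADMIN_PREFIX) and e["src"] not in MGMT_HOSTS:
            alerts.append((e["ts"], user, f"admin account used from non-management host {e['src']}"))
    return alerts


def run_demo():
    """Build the baseline from BASELINE_LOG and evaluate NEW_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return evaluate(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for ts, user, reason in run_demo():
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<10} {reason}")
```

Run against the constructed data, the script raises four alerts: a teller logon at 22:41 outside that user's normal hours, an administrative account used from a teller workstation (reported once as a new source host and once as an admin-from-workstation violation), and a teller reaching an imaging server that user had never touched, while the loan officer's routine activity produces nothing. The director's-role article above makes the complementary point that a monitoring feed which never raises an alert should itself be questioned; replaying a known-anomalous record such as the 22:41 logon through the rule set is a cheap way to confirm the rules still fire after a tuning change.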

Conclusion
By implementing a Threat Intelligence Program and actively monitoring evolving threats, institutions can prevent or limit a threat’s impact on the institution and its customers.

Young & Associates, Inc., has developed Threat Intelligence Program templates to assist with the implementation of a Threat Intelligence Program. For more information, click here.

Observations from Our Review of Completed Cybersecurity Assessments

By: Mike Detrow, Senior Consultant and Manager of IT

Financial institutions have begun the process of completing the Cybersecurity Assessment Tool provided by the FFIEC and some are struggling to complete it accurately. In this article, I will discuss the process for using the tool, as well as some of our observations from the review of these completed assessments.

Using the Tool
The Cybersecurity Assessment Tool was designed to help financial institutions identify their Inherent Risk Profile and evaluate their level of Cybersecurity Maturity. The end result is for financial institutions to understand the relationship between the risks associated with the activities, services, and products offered and the adequacy of the controls used to mitigate these risks. During the completion of the tool, management must collaborate with personnel from all internal departments and include third parties that are providing risk management services, such as IT service providers.

Determine the Inherent Risk Profile
The assessment process begins with the identification of the institution’s Overall Inherent Risk Profile. The tool identifies five categories for the activities, services, and products in place at the institution. For each activity, service, or product, management must select the most appropriate inherent risk level based upon the options listed within the tool. Once this process is complete, management must determine the Overall Inherent Risk Profile based on the number of applicable statements in each risk level. As an example, if the majority of activities, products, or services fall within the Minimal risk level, management may determine that the institution has a Minimal Overall Inherent Risk Profile. As each category may pose a different level of inherent risk, management should consider evaluating whether a specific category poses additional risk in addition to evaluating the number of instances selected for a specific risk level.

Determine Cybersecurity Maturity Level
The second part of the assessment is to evaluate the institution’s Cybersecurity Maturity Level for each of the five domains identified within the tool by indicating whether or not the institution has attained each of the Declarative Statements within a specific maturity level for that domain. To attain a specific Cybersecurity Maturity Level for a domain, 100% of the Declarative Statements within that maturity level must be attained.

Determine Relationship Between the Two Parts
The tool includes an illustration showing the relationship between the Inherent Risk Level and the Cybersecurity Maturity Level. As an example, if an institution has determined that it has a Minimal Overall Inherent Risk Profile, the recommended Cybersecurity Maturity Level range for each domain is Baseline to Intermediate. As an institution completes the assessment, the first goal should be to ensure that the Baseline Cybersecurity Maturity Level is attained for each of the five domains identified by the tool as the Baseline level identifies the minimum expectations required by law, regulations, or supervisory guidance. If an institution has not yet reached the Baseline level at the time of the Cybersecurity Assessment completion, an action plan should be developed to implement the requirements to attain the Baseline level. Once the institution has attained the Baseline level, management can determine the target Cybersecurity Maturity Level and develop an action plan to attain that level. In the example above, for an institution with an Overall Inherent Risk Profile of Minimal, management may determine that their target Cybersecurity Maturity Level is Evolving. It is important for financial institutions to understand the relationship between the Overall Inherent Risk Profile and the recommended Cybersecurity Maturity Level identified in this tool to recognize that regulators will not expect an institution with a Least or Minimal Overall Inherent Risk Profile to attain a Cybersecurity Maturity Level of Advanced or Innovative.

Observations
The primary issue that we have identified through our review of completed Cybersecurity Assessments is the misinterpretation of the Declarative Statements. Each of the Declarative Statements within the Baseline level has a reference to the associated FFIEC Information Security Booklet, which allows institutions to locate additional information about the requirements to attain the statement. Management should review the references to the FFIEC Information Security Booklets to fully understand the meaning of each Declarative Statement. Interpretation of the Declarative Statements for Cybersecurity Maturity Levels above Baseline may require assistance from a third party or additional research.

We have found that a number of institutions with Inherent Risk Profiles of Least or Minimal have selected Yes for many Declarative Statements that the institution has not yet attained. If management is unsure of the meaning of a Declarative Statement, appropriate expertise should be sought before selecting Yes. Incorrectly indicating that the institution has attained a Declarative Statement will eventually lead to audit and examination findings.
Small community financial institutions should thoroughly evaluate a number of the Baseline level Declarative Statements before indicating that they have been attained. To view a list of these Declarative Statements, click here.

Conclusion
Completion of the FFIEC’s Cybersecurity Assessment Tool is a new process for financial institutions that will require feedback from the institutions that use the tool, as well as additional clarification from regulatory agencies. Institutions that spend time with examiners and risk management providers to understand and complete the tool accurately should gain a better understanding of their current cybersecurity risk level and be able to identify additional mitigating controls that can be implemented to prevent or reduce the impact of a cyberattack.

For more information on this article and/or how Young & Associates can assist your bank, contact Mike Detrow at 1.800.525.9775 or click here to send an email.

Do You Know Where Your Data Went Last Night?

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Maybe your data went to a football game on an employee’s smart phone. Or, perhaps your data met some international friends at an offsite backup location used by one of your service providers. In either case, if you do not know how your data moves and where your data is stored, you cannot protect it.

During our IT Audit engagements, it is not uncommon to see bank employees storing or transferring non-public information (NPI) using services such as Google Drive or Dropbox. This creates a very dangerous situation if one of these services suffers a data breach or the data is synchronized to personal devices infected with malware. In most of these cases, senior management does not understand how employees are handling NPI.

The importance of understanding and controlling NPI data flow and data storage is emphasized in the newly released version of the FFIEC’s Information Technology Management Handbook, as well as in the declarative statements to meet the Baseline maturity level within the Cybersecurity Assessment Tool. This article will discuss a process that can be used to document the data flow and data storage locations used within your institution and those used by your third-party service providers.

The table shown above will be used to illustrate the way that an institution can document data flow and data storage. Its columns are completed as follows:

  • Service or Application. First identify each service or application that uses NPI. Examples include core processing, lending platform, internet banking, and online loan applications.
  • Vendor(s). Identify the vendor(s) associated with each service or application.
  • Process Type. Identify the various processes performed using the specific service or application that may use different methods for accessing the data or result in data being transmitted through different connectivity types. Internet banking illustrates different process types: data may flow between the core processing system and the internet banking system through a dedicated circuit, while customers access the internet banking system through a home internet connection.
  • Type of Data. Most often customer NPI, but may also include proprietary institution data.
  • Data can be accessed in numerous ways, including: institution workstations, institution servers, employee mobile devices, customer PCs, and customer mobile devices.
  • Connectivity Type. May include: dedicated circuits, virtual private networks (VPN), local area networks (LAN), wide area networks (WAN), wireless networks, or the internet.
  • Controls in Transit. May include: encryption, firewall rules, patch management, and intrusion prevention systems (IPS).
  • Primary Storage Location(s). Known locations where the data is stored, such as: application or database servers, data backup devices, service provider datacenters, and service provider backup locations.
  • Optional Storage Location(s). Other places where data can be stored, such as: removable media, an employee’s workstation, mobile devices, Dropbox, and Google Drive. Identifying these locations may take a significant amount of time, as this step involves discussions with application administrators to understand the options for exporting data and discussions with employees to understand their processes for transferring and storing data. A review of this information may lead to the implementation of additional controls to block the use of unapproved sharing and storage services.
  • Controls at Rest. May include: encryption, physical security, and environmental controls.
  • Access Rights. Identify who can access the data at any point in time, which may include institution employees, service provider employees, and subcontractors used by a service provider.
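The inventory described above, carried through as an added example (not part of the article): three constructed rows using the same columns, followed by a review pass that flags rows whose recorded controls do not match the data flow. The lists of unapproved storage services and untrusted connectivity types are assumptions to adjust to the institution's own policies.

```powershell
# Added example (not from the article): a data flow inventory using the columns
# described above, plus a review pass that flags control gaps. The three rows are
# constructed sample data; the unapproved-storage and untrusted-network lists are
# assumptions to adjust to the institution's policies.
$UnapprovedStorage = @('Dropbox', 'Google Drive', 'Removable media')
$UntrustedNetworks = @('Internet', 'Wireless')

$inventory = @(
    [pscustomobject]@{
        Service = 'Internet banking'; Vendor = 'IB vendor (constructed)'
        ProcessType = 'Core to internet banking data exchange'; TypeOfData = 'Customer NPI'
        AccessedFrom = 'Institution servers'; Connectivity = 'Dedicated circuit'
        ControlsInTransit = @('Encryption', 'Firewall rules', 'IPS')
        PrimaryStorage = @('Service provider datacenter', 'Service provider backup location')
        OptionalStorage = @(); ControlsAtRest = @('Encryption', 'Physical security')
        AccessRights = @('Institution employees', 'Service provider employees')
    },
    [pscustomobject]@{
        Service = 'Internet banking'; Vendor = 'IB vendor (constructed)'
        ProcessType = 'Customer access'; TypeOfData = 'Customer NPI'
        AccessedFrom = 'Customer PCs and mobile devices'; Connectivity = 'Internet'
        ControlsInTransit = @('Firewall rules')            # no encryption recorded
        PrimaryStorage = @('Service provider datacenter')
        OptionalStorage = @('Customer mobile devices'); ControlsAtRest = @('Encryption')
        AccessRights = @('Customers', 'Service provider employees')
    },
    [pscustomobject]@{
        Service = 'Lending platform'; Vendor = 'Internal'
        ProcessType = 'Loan file export'; TypeOfData = 'Customer NPI'
        AccessedFrom = 'Institution workstations'; Connectivity = 'LAN'
        ControlsInTransit = @('Firewall rules', 'Patch management')
        PrimaryStorage = @('Database server', 'Backup device')
        OptionalStorage = @("Employee's workstation", 'Dropbox')   # unapproved service
        ControlsAtRest = @('Physical security')               # backups not encrypted
        AccessRights = @('Loan officers', 'IT administrators')
    }
)

function Find-DataFlowGaps {
    param([object[]]$Rows)
    foreach ($r in $Rows) {
        $row = "$($r.Service) / $($r.ProcessType)"
        # NPI crossing an untrusted network must be encrypted in transit.
        if ($UntrustedNetworks -contains $r.Connectivity -and
            $r.ControlsInTransit -notcontains 'Encryption') {
            [pscustomobject]@{ Row = $row; Finding = 'No encryption in transit over ' + $r.Connectivity }
        }
        # Optional storage locations the institution has not approved.
        $bad = @($r.OptionalStorage | Where-Object { $UnapprovedStorage -contains $_ })
        if ($bad.Count -gt 0) {
            [pscustomobject]@{ Row = $row; Finding = 'Unapproved optional storage: ' + ($bad -join ', ') }
        }
        # Stored NPI without encryption at rest becomes a risk assessment item.
        if ($r.ControlsAtRest -notcontains 'Encryption') {
            [pscustomobject]@{ Row = $row; Finding = 'No encryption at rest for ' + ($r.PrimaryStorage -join ', ') }
        }
    }
}

# With the sample rows this reports: the customer access row (no encryption over the
# Internet) and the loan file export row (Dropbox; unencrypted server and backup device).
Find-DataFlowGaps -Rows $inventory | Format-Table -AutoSize
```

Each finding maps back to a column of the table, so the same review can be re-run after each annual vendor review as rows are added.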

This may seem like a daunting task to complete, and it may take a significant amount of time depending on the size and complexity of your institution. One option for implementing this process is to start with your annual vendor review process rather than trying to complete the process for all of your services and applications at one time. When you are gathering and reviewing documentation from each service provider, complete the table shown above for the service or application provided by that service provider. Documentation for internally managed systems and applications can also be completed over a period of time.

Upon completion of this process, you should have a full understanding of how your data moves between devices and where the data is stored. This information will allow you to justify the risk ratings within your information security risk assessment and identify additional controls that need to be implemented to properly protect your data.

For more information on this article, contact Mike Detrow at 1.800.525.9775 or click here to send an email.

Network Vulnerability Testing and the Case for Increasing Test Frequency

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Even though you may only hear about a few IT vulnerabilities through mainstream news outlets each year, new vulnerabilities are being identified and reported on a daily basis. If remediation steps are not taken, a financial institution may be vulnerable to a cyber-attack if its information systems are affected by one of these vulnerabilities. A number of methods can be used to identify vulnerabilities that affect an institution’s information systems, including: network vulnerability testing, subscribing to services that provide vulnerability alerts, and monitoring vendor websites for vulnerability notifications. This article will focus on identifying vulnerabilities that currently exist within an institution’s information systems through the use of network vulnerability testing.

Network vulnerability testing is used to identify vulnerabilities such as misconfigurations, default passwords, and missing patches on network devices such as PCs, servers, routers, printers, and firewalls. This testing is typically performed using an automated tool that scans these devices for known vulnerabilities. The automated tool can perform either an un-credentialed scan or a credentialed scan. An un-credentialed scan assesses the vulnerabilities that can be detected without network credentials. A credentialed scan assesses the vulnerabilities that can be detected by a user that can log onto the network. An assessor reviews the results from the automated tool and performs tests to determine the applicability and criticality of the vulnerabilities detected before providing a report of the vulnerabilities and recommended remediation steps to the client.

We typically talk about external network vulnerability testing and internal network vulnerability testing. External network vulnerability testing focuses on the firewalls that the institution has implemented to protect its internal network. Internal network vulnerability testing focuses on the devices connected to the internal network, which encompasses the institution’s operations center and any branch office networks.

In the past, it was typically deemed acceptable for smaller financial institutions to have network vulnerability tests performed on an annual basis. While this may have been acceptable for institutions with very static configurations, many institutions are actually making numerous changes to their IT environment over a one-year period that may introduce new vulnerabilities. Changes such as new software, new devices connected to the network, and firewall rule changes can create vulnerabilities that may not be identified until the next annual vulnerability test. Another common issue occurs when an institution takes steps to remediate an identified vulnerability, but the steps taken do not eliminate the vulnerability and it remains exploitable until the next annual network vulnerability test. It is also common for some institutions to focus only on external network vulnerability testing. However, it is important to test the internal network as well to identify any vulnerabilities that may be exploited by insiders or malware that makes its way onto an internal device.

With the increasing number of large-scale data breaches and the focus on cybersecurity, financial institutions should anticipate increased scrutiny from examiners during their evaluation of each institution’s selected network vulnerability testing schedule. While the network vulnerability testing frequency required for each financial institution will differ based on its size and complexity, most institutions should be increasing the frequency of external network vulnerability tests beyond once each year to help identify any potential vulnerabilities before they are exploited. Institutions should also consider increasing the frequency of internal network vulnerability testing to identify any vulnerabilities that may be exploited by insiders or malware.

For more information about this article or to learn more about the services offered by Young & Associates, Inc. to assist your financial institution with network security, please contact Mike Detrow at 1.800.525.9775 or click here to send an email.

The Importance of User Access Reviews

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Through its recent statement about compromised credentials, the FFIEC has emphasized the importance of reviewing user access granted within all of the IT systems in use at a financial institution, including but not limited to: the network operating system (Active Directory®), core processing system, new account and lending platforms, document imaging system, internet banking system, and wire transfer system. The frequency of these reviews will depend on the size and complexity of the financial institution; however, it is a good practice to perform an annual review at a minimum. User access reviews will help to identify accounts that have been assigned excessive privileges, accounts whose access has not been updated to reflect job position changes, accounts that do not require password changes in accordance with the institution’s policies, and dormant accounts. Failing to perform user access reviews on a regular basis will place the institution at a higher risk for:

  • A terminated employee gaining remote access to the network or email system
  • Segregation of duties issues if an employee moves to a new department, but retains system privileges from the previous department
  • Misuse of dormant administrative accounts that are still active
  • System compromise through the use of vendor passwords that never expire

The user access review process should include an employee that is independent of the system administration role for each IT system to verify that an administrator is not assigning excessive privileges to users or creating hidden accounts to use for illicit activities.

For some systems, the process to obtain all of the security details in an easy-to-understand report can be difficult. This is the case with Active Directory unless additional tools are used to compile the information into a simple report. To simplify the process of reviewing Active Directory accounts, Young & Associates, Inc. has developed the Account Auditor for Active Directory. This tool makes it easy for financial institutions to generate the following security reports:

  • A listing of all of the user accounts within Active Directory
  • Group memberships for each account
  • Dormant accounts
  • Disabled accounts
  • Accounts with passwords that do not expire
  • Accounts with passwords that have not been changed within the past year

The Account Auditor for Active Directory will simplify your network operating system user account review process, reduce IT Audit findings, and is designed to work with your Windows® server operating system to generate your information quickly and easily. There’s no new software to install! It is available for just $100. Click here for more details.
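For institutions that want to see what the six reports listed above look like when pulled directly from the domain, the following is an added example (it is not the Account Auditor for Active Directory and not the firm's code). It assumes the RSAT ActiveDirectory PowerShell module, an account with read access to the domain, and a 90-day dormancy threshold, which is an assumption to set from the institution's policy.

```powershell
# Added example (not the Account Auditor for Active Directory): a review script that
# produces the six reports listed above as CSV files. Assumes the RSAT ActiveDirectory
# module and read access to the domain; the 90-day dormancy threshold is an assumption.
param(
    [int]   $DormantDays = 90,
    [string]$OutDir      = '.\ADReview'
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$now   = Get-Date
$props = 'Enabled', 'LastLogonDate', 'PasswordLastSet',
         'PasswordNeverExpires', 'MemberOf', 'Description'

# One query for the whole account population; each report is a view of it.
$users = Get-ADUser -Filter * -Properties $props

# 1. All user accounts with the fields a reviewer needs.
$users | Select-Object SamAccountName, Name, Enabled, LastLogonDate,
                       PasswordLastSet, PasswordNeverExpires, Description |
    Export-Csv "$OutDir\all-accounts.csv" -NoTypeInformation

# 2. Group memberships, one row per (account, group) pair. Compare privileged
#    groups (Domain Admins etc.) against each employee's current job position.
$users | ForEach-Object {
    $u = $_
    foreach ($dn in $u.MemberOf) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Group          = (Get-ADGroup -Identity $dn).Name
        }
    }
} | Export-Csv "$OutDir\group-memberships.csv" -NoTypeInformation

# 3. Dormant accounts: enabled but no logon within the threshold. LastLogonDate comes
#    from the replicated lastLogonTimestamp, which can lag by up to about 14 days.
$cutoff  = $now.AddDays(-$DormantDays)
$dormant = @($users | Where-Object {
    $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
})
$dormant | Select-Object SamAccountName, Name, LastLogonDate |
    Export-Csv "$OutDir\dormant-accounts.csv" -NoTypeInformation

# 4. Disabled accounts (e.g. terminated employees pending deletion).
$disabled = @($users | Where-Object { -not $_.Enabled })
$disabled | Select-Object SamAccountName, Name, Description |
    Export-Csv "$OutDir\disabled-accounts.csv" -NoTypeInformation

# 5. Passwords that never expire, typical of vendor and service accounts.
$neverExpires = @($users | Where-Object { $_.PasswordNeverExpires })
$neverExpires | Select-Object SamAccountName, Name, PasswordLastSet |
    Export-Csv "$OutDir\password-never-expires.csv" -NoTypeInformation

# 6. Passwords not changed within the past year (a null PasswordLastSet means the
#    user must change the password at next logon, so it is not counted here).
$stale = @($users | Where-Object {
    $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $now.AddYears(-1)
})
$stale | Select-Object SamAccountName, Name, PasswordLastSet |
    Export-Csv "$OutDir\stale-passwords.csv" -NoTypeInformation

# Summary counts for the reviewer and the audit file.
[pscustomobject]@{
    TotalAccounts        = @($users).Count
    Dormant              = $dormant.Count
    Disabled             = $disabled.Count
    PasswordNeverExpires = $neverExpires.Count
    StalePasswords       = $stale.Count
}
```

The person running and signing off on these reports should be independent of the Active Directory administrators, as the paragraph on independence above requires.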

The Overlooked Risks of VOIP

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

We are seeing financial institutions continue to expand their use of VOIP (Voice Over Internet Protocol) to reduce expenses and increase efficiencies for voice communications. VOIP is a technology that refers to transmitting voice communications over the internet, LAN (Local Area Network), or WAN (Wide Area Network), rather than through the PSTN (Public Switched Telephone Network). We have found that the risks associated with a VOIP system are not always properly evaluated prior to implementation.

Some of the risks associated with the use of VOIP include:

  • Denial of service attacks
  • Inability of emergency services to use automatic location services (depending on configuration)
  • Customer service issues during power or network outages
  • Interception of telephone conversations
  • Unauthorized or fraudulent use of the telephone system

We have seen situations where public safety personnel were not able to respond to an emergency in a timely manner due to the misconfiguration of E911 physical address information. In addition, we have seen multiple VOIP system outages due to problems at vendor data centers or the lack of backup plans for data line failures.

During the process of evaluating and implementing a VOIP system, financial institutions should consider the following steps:

  • Perform a risk assessment to identify the risks associated with the VOIP system and the mitigating controls that will be used.
  • Perform due diligence steps for any vendors involved with the VOIP system and include these vendors in the ongoing vendor review process.
  • Develop contingency plans for communications during power or network outages.
  • Develop processes to test the contingency plans and to test E911 physical address assignments.
  • Verify that VOIP communications that pass over public networks or the internet are encrypted.
  • Develop system hardening processes for the VOIP system equipment.
  • Develop patch management processes for the VOIP system equipment.
  • Develop security procedures for the VOIP system to prevent denial of service attacks and unauthorized use of the system.
  • Include the VOIP system in ongoing vulnerability assessments.

With the appropriate planning and ongoing risk management procedures, a financial institution can develop and maintain a secure VOIP system that will reduce expenses and improve customer service.

For more information on this topic or on how Young & Associates, Inc. can assist your bank with its IT needs, contact Mike Detrow at 1.800.525.9775 or click here to send an email.