
Network Vulnerability Testing and the Case for Increasing Test Frequency

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Even though only a handful of IT vulnerabilities reach the mainstream news each year, new vulnerabilities are identified and reported every day. If an institution's information systems are affected by one of them and remediation steps are not taken, the institution is exposed to attack. A number of methods can be used to identify vulnerabilities that affect an institution's information systems, including network vulnerability testing, subscribing to services that provide vulnerability alerts, and monitoring vendor websites for vulnerability notifications. This article focuses on identifying vulnerabilities that currently exist within an institution's information systems through network vulnerability testing.

Network vulnerability testing is used to identify vulnerabilities such as misconfigurations, default passwords, and missing patches on network devices such as PCs, servers, routers, printers, and firewalls. This testing is typically performed with an automated tool that scans these devices for known vulnerabilities. The tool can perform either an uncredentialed scan or a credentialed scan. An uncredentialed scan probes each device over the network without logging on, so it sees only what an unauthenticated attacker would see: open ports, service banners and advertised software versions, default credentials the scanner is able to test, and weaknesses exposed by the services themselves. A credentialed scan logs on to each device with an account supplied for the test and enumerates installed software, patch levels, and local configuration directly, which finds missing patches and misconfigurations an unauthenticated probe cannot see and produces far fewer false positives. The assessor then reviews the tool's output, performs additional tests to confirm which findings actually apply and how critical they are, and provides the client with a report of the confirmed vulnerabilities and recommended remediation steps.

We typically distinguish external network vulnerability testing from internal network vulnerability testing. External testing is performed from the internet against the institution's public-facing addresses, which in practice means the firewalls that protect the internal network and any services published through them. Internal testing is performed from inside the network and focuses on the devices connected to it, which encompasses the institution's operations center and any branch office networks.

In the past, it was typically deemed acceptable for smaller financial institutions to have network vulnerability tests performed on an annual basis. While this may have been acceptable for institutions with very static configurations, many institutions actually make numerous changes to their IT environment over a one-year period that may introduce new vulnerabilities. Changes such as new software, new devices connected to the network, and firewall rule changes can create vulnerabilities that may not be identified until the next annual test; a vulnerability introduced the week after a scan can remain exposed for nearly a year. Another common issue occurs when an institution applies a fix for an identified vulnerability, but the fix does not actually eliminate it (for example, a patch that failed to install or a setting changed on one device but not on another), and the vulnerability remains exploitable until the next annual test reveals that it was never resolved. It is also common for some institutions to focus only on external network vulnerability testing. However, it is important to test the internal network as well to identify vulnerabilities that may be exploited by insiders or by malware that makes its way onto an internal device.
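The two failure modes described above (drift between tests and remediation that did not take) are easiest to spot by comparing consecutive scan results rather than reading each report in isolation. The following is an added example and not code from the article or from any scanner: it assumes scan results have been reduced to records of host, port, check id, severity and title (an assumption about the export; real scanners export richer CSV or XML, but the comparison is the same), and all findings and the remediation claims are constructed sample data.

```python
"""Differential review of two network vulnerability scan exports.

Added example, not code from the article or from any scanner. It assumes
scan results have been reduced to records of host, port, check id,
severity and title (field names are an assumption; real scanners export
richer CSV/XML, but the comparison is the same). All findings below are
constructed sample data, not real results from any institution.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # the scanner's identifier for the check (plugin id, OID, ...)
    severity: str   # critical / high / medium / low
    title: str

    def key(self):
        # The same check on the same host:port is "the same finding" across scans.
        return (self.host, self.port, self.check_id)


def _ordered(findings):
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port))


# Constructed: findings from last year's annual external test.
PRIOR = [
    Finding("fw.example.bank", 443, "tls-weak-ciphers", "medium",
            "TLS service accepts weak cipher suites"),
    Finding("mail.example.bank", 25, "smtp-open-relay", "high",
            "SMTP server relays mail for unauthenticated senders"),
    Finding("web.example.bank", 80, "http-trace-enabled", "low",
            "HTTP TRACE method enabled"),
]

# Constructed: findings from the current test. A VPN appliance was added and a
# firewall rule now exposes RDP; the cipher change was applied to the wrong
# interface; the open relay really was fixed.
CURRENT = [
    Finding("fw.example.bank", 443, "tls-weak-ciphers", "medium",
            "TLS service accepts weak cipher suites"),
    Finding("web.example.bank", 80, "http-trace-enabled", "low",
            "HTTP TRACE method enabled"),
    Finding("vpn.example.bank", 443, "ssl-vpn-missing-update", "critical",
            "SSL VPN appliance is missing a vendor security update"),
    Finding("fw.example.bank", 3389, "rdp-internet-exposed", "high",
            "Remote Desktop reachable from the internet"),
]

# Constructed: what the institution reported as remediated since the prior test.
CLAIMED_FIXED = {
    ("fw.example.bank", 443, "tls-weak-ciphers"),
    ("mail.example.bank", 25, "smtp-open-relay"),
}


def diff_scans(prior, current, claimed_fixed):
    """Classify findings as new, fixed, persisting, or claimed fixed but still present."""
    before = {f.key(): f for f in prior}
    after = {f.key(): f for f in current}
    return {
        "new": _ordered(after[k] for k in after.keys() - before.keys()),
        "fixed": _ordered(before[k] for k in before.keys() - after.keys()),
        "persisting": _ordered(after[k] for k in after.keys() & before.keys()),
        # The remediation claim did not hold: the scanner still reports the finding.
        "failed_remediation": _ordered(after[k] for k in after.keys() & claimed_fixed),
    }


def report(diff):
    """Render the classification as text lines, most urgent bucket first."""
    lines = []
    for bucket in ("failed_remediation", "new", "persisting", "fixed"):
        lines.append(f"== {bucket} ({len(diff[bucket])}) ==")
        for f in diff[bucket]:
            lines.append(f"  [{f.severity:8}] {f.host}:{f.port} {f.check_id}: {f.title}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(diff_scans(PRIOR, CURRENT, CLAIMED_FIXED))))
```

Run against quarterly rather than annual exports, the "new" bucket bounds how long a change-induced exposure can go unnoticed to the test interval, and the "failed_remediation" bucket turns a remediation claim into something that is verified by the next scan instead of the next audit.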

With the increasing number of large-scale data breaches and the focus on cybersecurity, financial institutions should anticipate increased scrutiny from examiners of the network vulnerability testing schedule each institution has selected. While the required testing frequency will differ based on each institution's size and complexity, most institutions should be increasing the frequency of external network vulnerability tests beyond once a year to help identify vulnerabilities before they are exploited. Institutions should also consider increasing the frequency of internal network vulnerability testing to identify vulnerabilities that may be exploited by insiders or malware.

For more information about this article or to learn more about the services offered by Young & Associates, Inc. to assist your financial institution with network security, please contact Mike Detrow at 1.800.525.9775.

 

The Importance of User Access Reviews

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

In its recent statement on compromised credentials, the FFIEC emphasized the importance of reviewing the user access granted within all of the IT systems in use at a financial institution, including but not limited to the network operating system (Active Directory®), core processing system, new account and lending platforms, document imaging system, internet banking system, and wire transfer system. The frequency of these reviews will depend on the size and complexity of the institution; however, it is a good practice to perform a review at least annually. User access reviews help to identify accounts that have been assigned excessive privileges, accounts whose access has not been updated to reflect job position changes, accounts that are not required to change passwords in accordance with the institution's policies, and dormant accounts. Failing to perform user access reviews on a regular basis places the institution at higher risk of:

  • A terminated employee gaining remote access to the network or email system
  • Segregation of duties issues if an employee moves to a new department, but retains system privileges from the previous department
  • Misuse of dormant administrative accounts that are still active
  • System compromise through the use of vendor passwords that never expire

The user access review process should include an employee who is independent of the system administration role for each IT system, so that the reviewer can verify that an administrator is not assigning excessive privileges to users or creating hidden accounts for illicit activities.

For some systems, obtaining all of the relevant security details in an easy-to-understand report can be difficult. This is the case with Active Directory unless additional tools are used to compile the information into a simple report. To simplify the review of Active Directory accounts, Young & Associates, Inc. has developed the Account Auditor for Active Directory, which generates the following security reports:

  • A listing of all of the user accounts within Active Directory
  • Group memberships for each account
  • Dormant accounts
  • Disabled accounts
  • Accounts with passwords that do not expire
  • Accounts with passwords that have not been changed within the past year
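The report list above and the risk list earlier in this article (dormant administrative accounts, passwords that never expire, privileges retained after a job change) are straightforward to produce once the account data is exported. The following is an added example, not the Account Auditor product and not code from the article. It assumes the independent reviewer receives a CSV export of the kind produced by the ActiveDirectory PowerShell module (for example `Get-ADUser -Filter * -Properties LastLogonDate,PasswordLastSet,PasswordNeverExpires,MemberOf | Export-Csv`), with group names joined by `;` and an empty LastLogonDate for accounts that have never logged on; both are assumptions about how the export was prepared, and the rows, review date and thresholds are constructed.

```python
"""User access review over an Active Directory account export.

Added example; it is not the Account Auditor product and not code from the
article. It assumes the reviewer receives a CSV export of the kind produced
by the ActiveDirectory PowerShell module, e.g.
  Get-ADUser -Filter * -Properties LastLogonDate,PasswordLastSet,PasswordNeverExpires,MemberOf | Export-Csv
with group names joined by ';' and an empty LastLogonDate for accounts that
have never logged on (both assumptions about how the export was prepared).
The rows, review date and thresholds below are constructed.
"""
import csv
import io
from datetime import datetime, timedelta

EXPORT = """\
SamAccountName,Enabled,LastLogonDate,PasswordLastSet,PasswordNeverExpires,MemberOf
jsmith,True,2024-01-12T08:31:00,2023-11-01T09:00:00,False,Domain Users;Lending
bjones,True,2023-08-01T17:05:00,2022-10-01T09:00:00,False,Domain Users;Domain Admins
svc_backup,True,2024-01-14T02:00:00,2019-03-15T09:00:00,True,Domain Users;Backup Operators
tgreen,False,2023-05-01T12:00:00,2023-02-01T09:00:00,False,Domain Users
mwhite,True,,2023-06-01T09:00:00,False,Domain Users;Operations;Lending
"""

AS_OF = datetime(2024, 1, 15)              # constructed review date
DORMANT_AFTER = timedelta(days=90)         # thresholds are policy choices; these are assumptions
STALE_PASSWORD_AFTER = timedelta(days=365)
# Groups whose membership should be justified individually during the review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators", "Backup Operators"}


def _when(value):
    return datetime.fromisoformat(value) if value else None


def parse_export(text):
    """Turn the CSV export into plain dicts; Export-Csv writes booleans as True/False."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "name": row["SamAccountName"],
            "enabled": row["Enabled"] == "True",
            "last_logon": _when(row["LastLogonDate"]),
            "pw_last_set": _when(row["PasswordLastSet"]),
            "pw_never_expires": row["PasswordNeverExpires"] == "True",
            "groups": [g for g in row["MemberOf"].split(";") if g],
        })
    return accounts


def review(accounts, as_of=AS_OF):
    """Build the report lists from the article plus combined findings for the reviewer."""
    rep = {"all": [], "groups": {}, "dormant": [], "disabled": [], "never_expires": [],
           "stale_password": [], "privileged": [], "findings": []}
    for a in accounts:
        name = a["name"]
        rep["all"].append(name)
        rep["groups"][name] = a["groups"]
        privileged = bool(PRIVILEGED_GROUPS & set(a["groups"]))
        # Disabled accounts are listed separately so the reviewer can confirm
        # they should be deleted; only enabled accounts count as dormant.
        dormant = a["enabled"] and (a["last_logon"] is None
                                    or as_of - a["last_logon"] > DORMANT_AFTER)
        stale = a["pw_last_set"] is None or as_of - a["pw_last_set"] > STALE_PASSWORD_AFTER
        if not a["enabled"]:
            rep["disabled"].append(name)
        if dormant:
            rep["dormant"].append(name)
        if a["pw_never_expires"]:
            rep["never_expires"].append(name)
        if stale:
            rep["stale_password"].append(name)
        if privileged:
            rep["privileged"].append(name)
        # A dormant account that still holds administrative group membership is
        # the one an attacker or insider can misuse unnoticed, so it is flagged first.
        if dormant and privileged:
            rep["findings"].append((name, "DORMANT_PRIVILEGED"))
        elif dormant:
            rep["findings"].append((name, "DORMANT"))
        if a["enabled"] and a["pw_never_expires"]:
            rep["findings"].append((name, "PASSWORD_NEVER_EXPIRES"))
        if a["enabled"] and stale:
            rep["findings"].append((name, "STALE_PASSWORD"))
    return rep


if __name__ == "__main__":
    result = review(parse_export(EXPORT))
    for name, code in result["findings"]:
        print(f"{name:12} {code:24} groups={', '.join(result['groups'][name])}")
```

The group membership report is what lets the reviewer catch the segregation-of-duties case: an account that appears in both its old and new department groups is not flagged automatically, because the tool cannot know which membership is still justified, which is exactly why an independent reviewer must walk the list.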

The Account Auditor for Active Directory simplifies your network operating system user account review process, helps reduce IT audit findings, and is designed to work with your Windows® server operating system to generate the information quickly and easily. There is no new software to install. It is available for $100.

The Overlooked Risks of VOIP

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Financial institutions continue to expand their use of VOIP (Voice over Internet Protocol) to reduce expenses and improve efficiency for voice communications. VOIP carries voice calls over the internet, a LAN (Local Area Network), or a WAN (Wide Area Network) rather than over the PSTN (Public Switched Telephone Network). We have found that the risks associated with a VOIP system are not always properly evaluated before implementation.

Some of the risks associated with the use of VOIP include:

  • Denial of service attacks
  • Inability of emergency services to determine the caller's location automatically (depending on configuration)
  • Customer service issues during power or network outages
  • Interception of telephone conversations
  • Unauthorized or fraudulent use of the telephone system

We have seen situations where public safety personnel were not able to respond to an emergency in a timely manner because the E911 physical address information was misconfigured. In addition, we have seen multiple VOIP system outages caused by problems at vendor data centers or by the lack of a backup plan for data line failures.

During the process of evaluating and implementing a VOIP system, financial institutions should consider the following steps:

  • Perform a risk assessment to identify the risks associated with the VOIP system and the mitigating controls that will be used.
  • Perform due diligence steps for any vendors involved with the VOIP system and include these vendors in the ongoing vendor review process.
  • Develop contingency plans for communications during power or network outages.
  • Develop processes to test the contingency plans and to test E911 physical address assignments.
  • Verify that VOIP communications that pass over public networks or the internet are encrypted.
  • Develop system hardening processes for the VOIP system equipment.
  • Develop patch management processes for the VOIP system equipment.
  • Develop security procedures for the VOIP system to limit denial of service attacks and to prevent unauthorized use of the system, including toll fraud.
  • Include the VOIP system in ongoing vulnerability assessments.
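Of the steps above, verifying that calls crossing public networks are encrypted is the one a reviewer can confirm directly from traffic rather than from vendor assurances. The following is an added example and not part of the original article: it assumes the VOIP system signals with SIP and negotiates media with SDP (the usual case, though the article names no protocol) and that INVITE messages have been captured where the traffic crosses the public network, for instance at the internet edge. The three INVITEs are constructed; the SDES key is the sample value from RFC 4568.

```python
"""Check whether a captured VoIP call setup negotiates encrypted signaling and media.

Added example, not part of the original article. It assumes the VoIP system
uses SIP for signaling and SDP for media negotiation (the usual case, though
the article names no protocol) and that INVITE messages have been captured
where the traffic crosses the public network, e.g. at the internet edge. The
three INVITEs below are constructed; the SDES key is the RFC 4568 sample value.
"""

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}   # SRTP; RTP/AVP and RTP/AVPF are cleartext RTP


def parse_sip(message):
    """Split a SIP request into (request line, headers, body); header names are case-insensitive."""
    text = message.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def assess_invite(message):
    """Report how the signaling travelled and whether the offered media is SRTP."""
    _, headers, sdp = parse_sip(message)
    result = {"signaling_transport": None, "signaling_encrypted": False,
              "media_encrypted": False, "issues": []}

    # The topmost Via is the hop that sent this INVITE; its transport is what the
    # signaling used on the link we captured. Format: SIP/2.0/<transport> host:port;...
    via = headers.get("via", [""])[0]
    if via:
        transport = via.split(";")[0].split()[0].split("/")[-1].upper()
        result["signaling_transport"] = transport
        result["signaling_encrypted"] = transport in ("TLS", "WSS")
    if not result["signaling_encrypted"]:
        result["issues"].append(
            f"signaling sent over {result['signaling_transport'] or 'unknown'}, not TLS")

    # Media lines: m=<type> <port> <profile> <formats...>
    media = [line[2:].split() for line in sdp.split("\n") if line.startswith("m=")]
    profiles = [(m[0], m[2]) for m in media if len(m) >= 3]
    cleartext = [(kind, prof) for kind, prof in profiles if prof not in SRTP_PROFILES]
    for kind, prof in cleartext:
        result["issues"].append(f"{kind} stream offered as {prof}: RTP without encryption")
    result["media_encrypted"] = bool(profiles) and not cleartext

    # SDES (a=crypto) carries the SRTP master key inside the SDP itself, so it
    # only protects the call if the signaling that carried it was encrypted too.
    uses_sdes = any(line.startswith("a=crypto:") for line in sdp.split("\n"))
    if uses_sdes and not result["signaling_encrypted"]:
        result["issues"].append("SRTP key (a=crypto) was sent in cleartext signaling; "
                                "anyone who read the INVITE can decrypt the media")
    return result


SECURE_INVITE = """INVITE sip:2125551234@pbx.example.bank SIP/2.0
Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bK776asdhds
From: <sip:1001@pbx.example.bank>;tag=1928301774
To: <sip:2125551234@pbx.example.bank>
Call-ID: a84b4c76e66710@203.0.113.10
CSeq: 314159 INVITE
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
"""

# Same call, but signaling over UDP and plain RTP media (constructed).
CLEARTEXT_INVITE = SECURE_INVITE.replace("SIP/2.0/TLS", "SIP/2.0/UDP").replace(
    "203.0.113.10:5061", "203.0.113.10:5060").replace("RTP/SAVP", "RTP/AVP").replace(
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz\n", "")

# SRTP offered, but the key travelled in an unencrypted INVITE (constructed).
SDES_OVER_UDP_INVITE = SECURE_INVITE.replace("SIP/2.0/TLS", "SIP/2.0/UDP")


if __name__ == "__main__":
    for label, msg in (("secure", SECURE_INVITE), ("cleartext", CLEARTEXT_INVITE),
                       ("sdes-over-udp", SDES_OVER_UDP_INVITE)):
        r = assess_invite(msg)
        print(label, r["signaling_transport"], r["media_encrypted"], r["issues"])
```

A capture shows only the hop it was taken on: TLS between the institution and its provider's session border controller says nothing about how the provider carries the call beyond that point, so the vendor due diligence step above still has to cover the trunk side. The third constructed message is the case most often missed in reviews: SRTP is negotiated, so the media "is encrypted", but the key rode in a cleartext INVITE.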

With the appropriate planning and ongoing risk management procedures, a financial institution can develop and maintain a secure VOIP system that will reduce expenses and improve customer service.

For more information on this topic or on how Young & Associates, Inc. can assist your bank with its IT needs, contact Mike Detrow at 1.800.525.9775.
