By: Mike Detrow, CISSP, Senior Consultant and Manager of IT
As the recent Equifax breach illustrates, failing to remediate known vulnerabilities in a timely manner can have significant consequences. In the case with Equifax, reports indicate that a patch was issued approximately two months prior to the May 2017 breach for the vulnerability that was exploited during this breach. While financial institutions have been quick to criticize Equifax for their vulnerability management practices, they should also take some time to evaluate their own vulnerability management practices and enhance them as needed to help prevent a breach at their own institutions.
During the vulnerability assessments that we perform for community banks, it is not uncommon to see systems that are missing patches that have existed for a year or more. While these are typically internal systems, this can still present a significant risk to the bank based on the role(s) of the affected systems. It should also be noted that vulnerability management for internal systems is as critical as ever, as attackers are able to use social engineering tactics to bypass perimeter controls such as firewalls and gain direct access to the internal network by compromising an employee’s workstation. In addition, many community banks are only having vulnerability assessments performed on an annual basis, which means that a number of vulnerabilities may go undetected for nearly a year.
Community banks need to improve their vulnerability management practices to remediate vulnerabilities in a timely manner rather than allowing them to exist for months or even years. We often hear community bankers comment that they are too small to be the target of an attack, but they must also consider that an attacker may purposely go after a soft target like a community bank with poor vulnerability management practices that makes it easier to accomplish his or her mission.
Patch Management Vs. Vulnerability Management
Patch management is a significant aspect of vulnerability management, but patch management alone will not mitigate every vulnerability on the bank’s network. An example of this is an internal server that houses reports from the core system and allows anonymous access, meaning that no username and password is required to access this data using a File Transfer Protocol (FTP) client. In this example, the server may be completely up-to-date with the latest security patches, but this insecure configuration may allow unauthorized access to the data on this system. Another concern is the systems and applications that may be missing from a bank’s patch management program. We still see banks that are only performing Microsoft and limited third-party patching. Failing to patch the software on other devices such as ATMs, routers, switches, and printers will leave these devices vulnerable to attacks.
Developing a Vulnerability Management Program
The process to develop a vulnerability management program starts with a complete inventory of the devices connected to the bank’s network. Even small community banks now have a significant number of network-connected devices such as ATMs, DVRs, alarm panels, time clocks, and environmental monitors in addition to the commonly known devices such as workstations, servers, printers, and routers. During this step, it may be helpful for the bank’s staff to scan the network with a network mapping tool to help identify devices that may not be included in the current network inventory. At a minimum, the inventory should identify the location, IP address, manufacturer, and model for each device. In the case of servers, workstations, and mobile devices, the bank must understand what applications are installed on each device to ensure that each application is patched in addition to the operating system.
The second step is to ensure that a comprehensive patch management program is in place at the bank. As noted above, a bank’s patch management program may not currently include all network-connected devices. Special attention should be given to devices that are connected to the bank’s network that are vendor-managed to ensure that the vendor has appropriate patch management procedures in place. Some examples of vendor-managed systems include: routers that are managed by the core system provider, DVRs, ATMs and alarm panels.
A comprehensive patch management program will include all devices that are connected to the network, and it will prescribe:
- A method to identify the availability of new patches that apply to the devices on the bank’s network
- An evaluation and testing process for each patch
- A procedure to backup critical systems before installing a patch
- Timing for the installation of each patch based on its risk rating
The third step is to identify the vulnerabilities that currently exist on each device. This is most easily accomplished by performing a vulnerability scan on the internal network and against any internet-facing devices that are owned by the bank. The vulnerability scan can be performed by a consulting firm or the bank’s staff can perform the scan using an automated vulnerability scanner.
There are typically two basic types of vulnerability scans that can be performed, credentialed and un-credentialed. A credentialed scan uses administrative credentials to log on to each device to perform a more in-depth evaluation of the vulnerabilities that may exist. An un-credentialed scan does not use credentials and therefore only identifies vulnerabilities that can be detected without logging on to each device.
The number of vulnerabilities identified by a credentialed scan will typically be significantly higher than those identified by an un-credentialed scan. It is important to note that if the bank only performs un-credentialed scans, the vulnerabilities that would have been identified by a credentialed scan will still exist on the network; they just will not appear in the un-credentialed vulnerability scan report. In addition, a credentialed scan will typically identify many privilege escalation vulnerabilities that an un-credentialed scan is unable to detect.
The results of the vulnerability scan will be provided within a report that the bank’s staff or managed services provider can work through to install patches or make configuration changes to remediate the detected vulnerabilities. The vulnerability scan report will assign a risk rating to each vulnerability that is identified to help the bank’s staff prioritize its response to each vulnerability.
As the bank’s staff or managed services provider works through the list of vulnerabilities, a tracking process should be in place to identify the patches that are installed and configuration changes that are made to remediate each vulnerability. Once the tracking document identifies that all of the vulnerabilities are remediated, it is time to perform another vulnerability scan to verify that all of the previously identified vulnerabilities are remediated. If this is the first or most recent vulnerability scan, this process will help the bank’s staff establish a baseline to work from as they continue to identify vulnerabilities and correct them.
The fourth step is to determine the frequency with which vulnerability scans will be performed. The scan frequency will be dependent on the size and complexity of the bank; however, based on the rate at which vulnerabilities are being discovered, a minimum scan frequency of once each quarter should be strongly considered. Monthly or even weekly vulnerability scans are highly recommended for more complex environments.
Once the steps listed above are complete, the bank should have established:
- A complete network device inventory that must be maintained as changes occur within the bank’s network
- A comprehensive patch management program
- A schedule for performing automated vulnerability scans
- Procedures to review the vulnerability scan reports and remediate the identified vulnerabilities
As I mentioned in “The Changing Role of the Community Bank IT Manager” in last quarter’s 90 Day Note, community banks must adapt to the changing threat landscape and budget for additional information security resources. While some may view these additional expenses as unnecessary, they will most likely be miniscule in comparison to the costs associated with a data breach at the bank.
Young & Associates, Inc. can assist your bank with its vulnerability management program by performing quarterly or monthly vulnerability assessments to identify the vulnerabilities that exist on your network and recommend remediation procedures. Please contact Mike Detrow for more information about our vulnerability assessment services at firstname.lastname@example.org or 330.422.3447.