By: Mike Detrow, CISSP, Senior Consultant and Manager of IT
Even though you may only hear about a few IT vulnerabilities through mainstream news outlets each year, new vulnerabilities are being identified and reported on a daily basis. If remediation steps are not taken, a financial institution may be vulnerable to a cyber-attack if its information systems are affected by one of these vulnerabilities. A number of methods can be used to identify vulnerabilities that affect an institution’s information systems, including: network vulnerability testing, subscribing to services that provide vulnerability alerts, and monitoring vendor websites for vulnerability notifications. This article will focus on identifying vulnerabilities that currently exist within an institution’s information systems through the use of network vulnerability testing.
Network vulnerability testing is used to identify vulnerabilities such as misconfigurations, default passwords, and missing patches on network devices such as PCs, servers, routers, printers, and firewalls. This testing is typically performed using an automated tool that scans these devices for known vulnerabilities. The automated tool can perform either an un-credentialed scan or a credentialed scan. An un-credentialed scan assesses the vulnerabilities that can be detected without network credentials. A credentialed scan assesses the vulnerabilities that can be detected by a user that can log onto the network. An assessor reviews the results from the automated tool and performs tests to determine the applicability and criticality of the vulnerabilities detected before providing a report of the vulnerabilities and recommended remediation steps to the client.
We typically talk about external network vulnerability testing and internal network vulnerability testing. External network vulnerability testing focuses on the firewalls that the institution has implemented to protect its internal network. Internal network vulnerability testing focuses on the devices connected to the internal network which encompasses the institution’s operations center and any branch office networks.
In the past, it was typically deemed acceptable for smaller financial institutions to have network vulnerability tests performed on an annual basis. While this may have been acceptable for institutions with very static configurations, many institutions are actually making numerous changes to their IT environment over a one-year period that may introduce new vulnerabilities. Changes such as new software, new devices connected to the network, and firewall rule changes can create vulnerabilities that may not be identified until the next annual vulnerability test. Another common issue occurs when an institution takes steps to remediate an identified vulnerability, but the steps taken do not eliminate the vulnerability and it remains exploitable until the next annual network vulnerability test. It is also common for some institutions to focus only on external network vulnerability testing. However, it is important to test the internal network as well to identify any vulnerabilities that may be exploited by insiders or malware that makes its way onto an internal device.
With the increasing number of large-scale data breaches and the focus on cybersecurity, financial institutions should anticipate increased scrutiny from examiners during their evaluation of each institution’s selected network vulnerability testing schedule. While the network vulnerability testing frequency required for each financial institution will differ based on its size and complexity, most institutions should be increasing the frequency of external network vulnerability tests beyond once each year to help identify any potential vulnerabilities before they are exploited. Institutions should also consider increasing the frequency of internal network vulnerability testing to identify any vulnerabilities that may be exploited by insiders or malware.
For more information about this article or to learn more about the services offered by Young & Associates, Inc. to assist your financial institution with network security, please contact Mike Detrow at 1.800.525.9775 or click here to send an email.