Jamie Davis, VP, Education, Product Management, and Quality Control | Safe Systems

Safe Systems reviews hundreds of vulnerability assessments every year. Across that large sample size, we’re able to see several common themes in the security posture of those many financial institutions. While the majority of banks and credit unions are doing a good job of minimizing vulnerabilities, there are always opportunities to improve security.

Believe it or not, we often see the same vulnerability findings pop up year after year — though not necessarily with repeat offenders. To help minimize those threats before they become findings with an IT auditor or regulatory examiner, it’s a good practice to continually work to address potential security vulnerabilities.

Here are five easy fixes that are worth implementing before your next assessment.

1) Monitor the applications installed on your network for unapproved software: If an institution hasn’t done this in a while, the list of findings is almost always lengthy (and somewhat entertaining). Look for applications that are obviously not work related or that have suspicious names. Searching for an unfamiliar application in Google is a quick and easy way to identify the software’s purpose.

2) Review out-of-date software on the network: This has become a common finding in recent years. Products that are typically installed on every machine, like Adobe Reader, Adobe Acrobat, Java or Flash, have become infamous for the sheer number of security vulnerabilities they contain. There are three major issues with these applications:

  1. Many early versions of these applications don’t update in place. Installing a newer version does not remove the old one; the old version has to be uninstalled separately, regardless of how many more recent versions are present. This is important to note because institutions will often install the latest version of an application without removing the older, more vulnerable version of the application they intend to replace.
  2. Updates often depend on the machine’s individual user to take action. There aren’t many universal management products with the ability to manage the update process for all of these various and often unrelated applications.
  3. Many required applications, including some core vendor applications, depend on these third-party apps in order to function. It’s not uncommon for core applications to be dependent on older versions of these third-party applications – the very same versions that are more likely to have security flaws.
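As an added example (not part of the original post), the following PowerShell script covers items 1 and 2 together: it reads the installed-software list from the registry Uninstall keys, flags anything not on an approved list, and flags product families that are present in more than one version, which is what a newer install left beside an old, un-removed copy looks like. The approved publishers and names are constructed placeholders to be replaced with the institution’s own list, and the product-family grouping is a heuristic, not a vendor-supplied mapping.

```powershell
# Added example, not part of the original post. Run on a machine (or inside
# Invoke-Command against many) to list unapproved software and duplicate versions.

# Constructed allowlist: replace with the institution's approved publishers and products.
$ApprovedPublishers = @('Microsoft Corporation')
$ApprovedNames      = @('Adobe Reader*', 'Java*', 'Mozilla Firefox*')

function Get-InstalledSoftware {
    # Both the native and the 32-bit-on-64-bit (Wow6432Node) Uninstall hives.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Get-ProductFamily([string]$Name) {
    # Heuristic: strip version noise so "Java 7 Update 45" and "Java 8 Update 25",
    # or "Adobe Reader X (10.1.4)" and "Adobe Reader XI (11.0.06)", share one family.
    $family = $Name   -replace '\(.*?\)', ''       # drop "(11.0.06)"
    $family = $family -replace 'Update\s*\d+', ''  # drop "Update 45"
    $family = $family -replace '[\d\.]+', ''       # drop remaining digits and dots
    $family = $family -replace '\b[IVX]+\b', ''    # drop roman numerals such as "XI"
    return ($family -replace '\s+', ' ').Trim()
}

$software = Get-InstalledSoftware

# Item 1: anything whose publisher and name are both outside the allowlist.
$unapproved = $software | Where-Object {
    $app = $_
    -not ($ApprovedPublishers -contains $app.Publisher) -and
    -not ($ApprovedNames | Where-Object { $app.DisplayName -like $_ })
}

# Item 2: the same product family installed under more than one version.
$duplicates = $software |
    Group-Object { Get-ProductFamily $_.DisplayName } |
    Where-Object { @($_.Group | Select-Object -ExpandProperty DisplayVersion -Unique).Count -gt 1 }

Write-Host "Software not on the approved list:"
$unapproved | Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, Publisher -AutoSize

Write-Host "Products installed in more than one version (review and remove the old copy):"
foreach ($g in $duplicates) {
    $versions = ($g.Group | ForEach-Object { $_.DisplayVersion }) -join ', '
    Write-Host ("  {0}: {1}" -f $g.Name, $versions)
}
```

Review the duplicate-version list against the third issue above before removing anything: if a core application pins an older Java or Reader, the fix is a vendor conversation and a compensating control, not a silent uninstall.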

3) Be sure the institution’s Windows patch management product is working and machines are up to date: One of the findings we see on so many vulnerability assessments is that at least one machine – and sometimes several – has not been updated in a year or more. Sometimes it’s a configuration issue. Sometimes it’s because a previous update caused some sort of error, which then blocks future patches. Without proper oversight, it could be months before you notice the issue on an individual machine. Regular checks of patch reports are vital.
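As an added example (not from the original post), this PowerShell report lists the date of the most recent update on each machine and flags anything older than a threshold, which is the quickest way to spot the one machine that quietly stopped patching a year ago. The computer names and the 45-day threshold are constructed assumptions.

```powershell
# Added example, not part of the original post: report the age of the most recent
# installed update on each machine and flag anything older than the threshold.

$Computers  = @('WKSTN01', 'WKSTN02', 'SRV-FILE01')   # constructed names; feed from your inventory
$MaxAgeDays = 45                                       # assumption: one missed monthly cycle plus slack

function Get-PatchAge {
    param([string]$ComputerName, [int]$MaxAgeDays)
    try {
        # Get-HotFix reads Win32_QuickFixEngineering: OS updates that record an install date.
        $latest = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
    } catch {
        # Unreachable, RPC blocked, or access denied: report it instead of dropping the host.
        return New-Object PSObject -Property @{
            Computer = $ComputerName; LastPatch = $null; AgeDays = $null
            Status   = "ERROR: $($_.Exception.Message)"
        }
    }
    if (-not $latest) {
        $last = $null; $age = $null; $status = 'NO UPDATE HISTORY'
    } else {
        $last   = $latest.InstalledOn
        $age    = [int]((Get-Date) - $last).TotalDays
        $status = if ($age -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
    }
    New-Object PSObject -Property @{
        Computer = $ComputerName; LastPatch = $last; AgeDays = $age; Status = $status
    }
}

$report = foreach ($c in $Computers) { Get-PatchAge -ComputerName $c -MaxAgeDays $MaxAgeDays }

# Problem machines first, oldest first, so the exceptions are what you read each week.
$report | Sort-Object @{ Expression = { $_.Status -ne 'OK' } }, AgeDays -Descending |
    Format-Table Computer, LastPatch, AgeDays, Status -AutoSize
```

A recent hotfix date only proves the machine is still receiving something; it does not prove nothing is missing. Treat this as the weekly sanity check that sits beside the patch management product’s own compliance report, not as a replacement for it.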

4) Review the antivirus status of all machines: Surprise! Problems tend to arise when you don’t regularly monitor your antivirus software. Among the common issues are new machines that don’t have antivirus installed and older machines that stop scanning or updating. Reviewing a simple antivirus report on a weekly or monthly basis, and responding to the exceptions, will ensure that your antivirus software is installed and working appropriately on all devices. Nothing looks worse on an audit than a listing of machines that have no antivirus protection. It raises the question of what else is missing.
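An added example (not from the original post) of producing that exception report without relying on the antivirus vendor’s console: Windows Security Center exposes the registered antivirus products and their state through the `root\SecurityCenter2` WMI namespace on client operating systems (Vista and later; servers do not have this namespace and Windows XP uses the older `root\SecurityCenter`). The `productState` bit layout used below is the widely used community reading rather than a documented Microsoft contract, and the computer names are constructed.

```powershell
# Added example, not part of the original post: ask Windows Security Center which
# antivirus each workstation reports, and flag hosts with none registered, real-time
# protection off, or out-of-date definitions.

$Computers = @('WKSTN01', 'WKSTN02')   # constructed names; client OS hosts (Vista and later)

function Get-AntivirusStatus {
    param([string]$ComputerName)
    try {
        $wmi = @{ Namespace = 'root\SecurityCenter2'; Class = 'AntiVirusProduct'
                  ComputerName = $ComputerName; ErrorAction = 'Stop' }
        $products = @(Get-WmiObject @wmi)
    } catch {
        return New-Object PSObject -Property @{
            Computer = $ComputerName; Product = '(query failed)'; Enabled = $null; UpToDate = $null
            Status   = "ERROR: $($_.Exception.Message)"
        }
    }
    if ($products.Count -eq 0) {
        # The "new machine with nothing installed" case.
        return New-Object PSObject -Property @{
            Computer = $ComputerName; Product = '(none)'; Enabled = $false; UpToDate = $false
            Status   = 'NO ANTIVIRUS REGISTERED'
        }
    }
    foreach ($p in $products) {
        # productState is a packed integer. Microsoft does not document the layout; the
        # commonly used reading is: bit 0x1000 set = real-time protection on,
        # bit 0x10 set = definitions out of date.
        $enabled  = ($p.productState -band 0x1000) -ne 0
        $upToDate = ($p.productState -band 0x10) -eq 0
        $status = if (-not $enabled) { 'DISABLED' } elseif (-not $upToDate) { 'OUT OF DATE' } else { 'OK' }
        New-Object PSObject -Property @{
            Computer = $ComputerName; Product = $p.displayName; Enabled = $enabled
            UpToDate = $upToDate; Status = $status
        }
    }
}

$report = foreach ($c in $Computers) { Get-AntivirusStatus -ComputerName $c }

# Only the exceptions: an empty table is the result you want to see every week.
$report | Where-Object { $_.Status -ne 'OK' } |
    Format-Table Computer, Product, Enabled, UpToDate, Status -AutoSize
```

Because the hosts that fail the query are reported as errors rather than skipped, a machine that has fallen off the network or lost its management agent shows up here too, which is usually the same population that has stopped updating.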

5) Non-supported software: With Windows XP support set to expire on April 8, 2014, non-supported software review is bound to be a popular finding for years to come. Heck, Safe Systems still runs across the occasional Windows 2000 machine, even though Microsoft dropped support for that operating system three years ago. If non-supported operating systems are still in use, there’s a good chance it will be highlighted in an audit or assessment. At minimum, have a replacement plan in place before an audit or exam takes place. If the device can’t be replaced due to a business need, then look into other compensating controls to limit the security exposure of the device. This may include blocking the device from internet access or limiting it to a specific site or IP address.

Unfortunately, operating systems are not the only software applications that expire. Every piece of software on every machine has the potential to be out of date and, therefore, a vulnerability. In recent years Java, Acrobat, Adobe Reader, and Flash have received a lot of attention due to their update practices and security issues. As noted in the update section, be sure these applications are up to date. But just as importantly, make sure all the applications are still supported. You can typically update Java, Adobe Reader, and Flash by downloading and installing the latest version without purchasing a license. Adobe Acrobat, on the other hand, often requires the purchase of a license for the latest version. When considering a replacement, the first and easiest step is to determine which employees actually need Acrobat rather than just Adobe Reader. As a general rule the majority of employees do not need Adobe Acrobat, even though it may have come preinstalled in a software bundle when the computer was originally purchased. If the software is unneeded, then simply uninstall it. If the application is used by the user, then you may need to purchase the latest version of the application in order to update the machine.

Either way, be sure to review your operating systems and key applications to ensure they’re still supported. A simple inventory report will list the operating systems for you.
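As an added example (not from the original post), here is that inventory report in PowerShell, extended with the check the fifth fix asks for: each machine’s operating system is compared against a table of end-of-support dates, so a device is flagged as unsupported once the date has passed and as expiring while there is still time to write the replacement plan. The Windows XP date is the one given above; the Windows 2000 and Windows Server 2003 dates are Microsoft’s published extended-support end dates (verify against the current lifecycle pages and extend the table as needed). The computer names and the 180-day warning window are constructed assumptions.

```powershell
# Added example, not part of the original post: pull the OS from each machine and
# compare it against a table of end-of-extended-support dates.

$Computers = @('WKSTN01', 'WKSTN02', 'SRV-FILE01')   # constructed names; feed from your inventory
$WarnDays  = 180                                      # assumption: flag anything expiring within six months

# Keyed on a substring of Win32_OperatingSystem.Caption. Windows XP's date is from the
# post above; the other two are Microsoft's published extended-support end dates.
$EndOfSupport = @{
    'Windows 2000'        = [datetime]'2010-07-13'
    'Windows XP'          = [datetime]'2014-04-08'
    'Windows Server 2003' = [datetime]'2015-07-14'
}

function Get-OsSupportStatus {
    param([string]$ComputerName)
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    } catch {
        return New-Object PSObject -Property @{
            Computer = $ComputerName; OS = '(query failed)'; Version = $null; EndOfSupport = $null
            Status   = "ERROR: $($_.Exception.Message)"
        }
    }
    # Longest key first, so a more specific caption match wins over a shorter one.
    $match = $EndOfSupport.Keys | Sort-Object Length -Descending |
        Where-Object { $os.Caption -like "*$_*" } | Select-Object -First 1
    if ($match) {
        $eos    = $EndOfSupport[$match]
        $left   = ($eos - (Get-Date)).TotalDays
        $status = if ($left -lt 0) { 'UNSUPPORTED' } elseif ($left -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
    } else {
        # Not a failure, but not a pass either: the table needs an entry for this OS.
        $eos = $null; $status = 'NOT IN TABLE (verify lifecycle)'
    }
    New-Object PSObject -Property @{
        Computer = $ComputerName; OS = $os.Caption
        Version  = "$($os.Version) $($os.CSDVersion)".Trim()   # e.g. "5.1.2600 Service Pack 3" for XP SP3
        EndOfSupport = $eos; Status = $status
    }
}

$report = foreach ($c in $Computers) { Get-OsSupportStatus -ComputerName $c }
$report | Sort-Object Status | Format-Table Computer, OS, Version, EndOfSupport, Status -AutoSize
```

Anything that lands in the UNSUPPORTED row and cannot be replaced is the population the compensating controls above apply to; keep that list short and documented, because it is exactly what an assessor will ask about.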

Even with these five fixes in place, you can still expect to have some findings on your assessment. But these steps will help prepare your institution going into the process. Assessments are essentially just a snapshot in time, and since you can’t control to the exact day when an assessment is run, it’s nearly impossible to have a 100 percent clean bill of health. A solid foundation of network management will minimize any audit findings, but little can be done if an assessor opts to flag you for specific product updates released just hours before the assessment began.

Further Reading: 8 Steps to a Successful IT Exam
