It’s critical for financial institutions to stay ahead of the potential vulnerabilities and risks that can jeopardize their information technology assets. But to adequately manage risks and vulnerabilities, institutions must be able to understand what they are, identify where they are, and remedy the situation.

Risk is a multifaceted concept that encompasses threat and vulnerability. The National Institute of Standards and Technology (NIST) describes risk as the probability that a particular security threat will exploit a system vulnerability. More specifically, it is a “measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence.”

These circumstances can involve various sources and impacts. Generally, information system-related security risks arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential negative effects on organizational operations—including mission, functions, image, or reputation—organizational assets, individuals, and other organizations.

Managing Risks and Vulnerabilities

A vulnerability is a weakness in a system, an information system, system security, or even controls. Therefore, to manage their risks, financial institutions must also manage their vulnerabilities. To do this, institutions must know about their vulnerabilities and understand the context in which they exist.

Fortunately, financial institutions can use scanning technology to help with the daunting process of managing risks and vulnerabilities. Our V-Scan product, for example, is a comprehensive solution that analyzes IT assets, identifies vulnerabilities, and provides an extensive overview of the risks within the network environment. What’s more, V-Scan provides risk-prioritized data on all scanned IT assets.

V-Scan is designed to help institutions meet regulatory compliance. It performs weekly vulnerability scanning, which complies with the Cybersecurity Assessment Tool (CAT), developed by the Federal Financial Institutions Examination Council (FFIEC). Along with each weekly scan, the platform provides detailed reporting and a user-friendly dashboard that makes it easier to create an actionable plan to mitigate asset vulnerabilities. In addition, many cybersecurity insurance providers are requiring financial institutions to prove that they are managing known vulnerabilities. With V-Scan, institutions can provide reports that substantiate their weekly scans, assessments, and remediations.

Discovering Exploitable Vulnerabilities

Not only does V-Scan find current vulnerabilities in the environment, but it also uses numerous data points to measure the risk posed by those vulnerabilities. This information gives IT staff and oversight personnel timely details and the necessary context to maintain an effective vulnerability management program. One of the key ways institutions can use V-Scan is to discover assets that are at risk and weaknesses that should be resolved—particularly exploitable vulnerabilities. Being able to identify weaknesses that are known to have been taken advantage of allows institutions to prioritize their workload when securing their network.

For example, if the platform indicates that a Microsoft Windows security patch needs to be installed, V-Scan provides information needed to solve the problem, including which machines, devices, or assets are affected by the vulnerability. The product also allows filtered searches to be conducted based on the assets involved, such as domain controllers or printers. Having this enhanced capability further empowers IT staff to effectively manage vulnerability.

Contact us to learn more about how community banks and credit unions can leverage V-Scan to manage possible vulnerabilities and risks associated with their IT assets.

In today’s world of escalating cyber-attacks, the importance of security layers can never be overemphasized. This is especially true for financial institutions, which are obligated to safeguard customer information, prevent identity theft, and protect their operations. No entity, computer network, or individual is unaffected by cyber threats, but a layered approach to security can significantly minimize cybercrimes.

While the IT department and security officers typically determine and recommend security measures, it is ultimately the CEO who is responsible for the overall health and well-being of the bank or credit union. Therefore, CEOs of financial institutions should be thinking about and asking the following questions in this area:

Is there a security layer that most networks are missing?

Monitoring the internal network, outside of the endpoints, is important and an area that many banks and credit unions don’t focus on. While most organizations have perimeter defense technologies, such as firewalls and intrusion prevention systems and endpoint technologies like anti-malware software, many don’t pay close enough attention to the internal network itself. Having stronger internal network security is vital to prevent breaches and internal attacks and makes for a stronger overall network.

What is the single most effective layer?

User training is hands down the most effective layer. Users are considered to be the first line of defense, and sadly are often seen as the weakest link in the security chain. To strengthen this link and prevent attacks, user education and training is important.

What are some security layers all banks and credit unions should have?

Security layers represent multiple levels of defense against potential bad actors and cyber-attacks. As such, a layered security program should involve a variety of components, depending on the assets protected, vulnerabilities, and the institution’s operations. A layered security program entails using different controls at different points in a transaction process. The underlying strategy is that a weakness in one control is generally compensated for by the strength of another control.

According to the Federal Financial Institutions Examination Council (FFIEC), some effective controls that can support layered security are:

• fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
• using dual customer authorization through different access devices;
• using out-of-band verification for transaction;
• a thorough and up-to-date patch management system;
• vulnerability scanning and penetration testing; and
• end-point security and resilience controls.

What are the three main types of controls?

Security controls generally fall into three types: protective, detective, and reactive (or corrective). Protective controls are tactics a bank or credit union can implement to prepare for and prevent a cyberattack. They encompass things like dual controls, segregation of duties, system password policies, access control lists, training, and physical access controls. Detective controls indicate that a cyberattack is taking place. Even the audit process can be detective because it uncovers control weaknesses by looking for failures after they have happened. Reactive controls are implemented to respond to an attack in progress. Essentially, they’re intended to mitigate exposure after something happens.

New types of cyber-threats and incidents are constantly emerging, and CEOs need to be prepared to protect their institutions and the data they house. With the proper controls, layered security can be an effective way for financial institutions to defend network perimeters and endpoints against potential cyber threats. There are many other areas related to security layers that CEOs and senior management should be considering. To gain more insight into those areas, as well as other key topics for CEOs to be aware of, download our white paper, Top IT Areas Where CEOs of Financial Institutions Should Focus: Important Questions and Answers.

Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program

Learn why a single layer of security, such as antivirus, is no longer enough in the current risk environment.

We have all seen the digital advertisements on web pages we visit. Many of them contain pop-up ads offering to install software or force a redirect to a different website. These appear on all varieties of sites from Facebook, online email accounts, and even online news sites. Most of these ads are not coming from the page you’re actually visiting but from an advertising agency that has bought the space on the site. The actual site you are visiting really has nothing to do with the advertisements. In fact, they often don’t even monitor them to ensure they are not malicious or harmful for users. This has led many banks and credit unions, as well as individuals, to be leery of online ads and begin proactively blocking them from appearing.

Hundreds of billions of ad impressions occur each month, and digital ad revenue for online advertising was estimated to top $237 billion in 2018. Many of the publishers and website owners argue that ads are important to their success and ad blocking is wrong and furthers budgetary constraints. However, the risks associated with online tracking and advertising are substantial and users should be proactively blocking malicious advertisements to ensure network security.

How many malicious ads are there really?

While it is no secret that there are malicious ads out there, many don’t truly understand the severity. In 2017, Google took down more than 3.2 billion ads that violated their advertising policies. That’s more than 100 bad ads per second, 365 days a year! Google blocked 79 million ads in their network for attempting to send people to malware-laden sites, and removed 400,000 of these unsafe sites the previous year. Google also removed 66 million “trick-to-click” ads as well as 48 million ads that were attempting to get users to install unwanted software. That’s a lot of bad ads and malicious activity!

How do malicious ads work?

Malware can affect even the most careful user due to the nature of how advertisements are designed to automatically run code when they are loaded. Attackers often attach hidden code to otherwise innocent looking ads for well-known products or services. While many of the large ad networks perform due diligence and scan for such malicious content, there are dozens, if not hundreds that don’t. Once these ads are clicked on or even hovered over, hackers are able to do things like access a computer’s webcam, open the microphone or access files on the computer – general computer takeover.

How can you protect yourself?

To protect against malicious ads, make sure all browser and operating system updates are current. These patches often contain updates that can stop the malware that is hidden in ads. Also, make sure all antivirus and antimalware software is up to date. This is important because this software can find the malware before it does damage. Ad blocking solutions provide a vital security layer that severs as a way to block malicious ads. It also blocks privacy-invading tracking plugins from collecting and harvesting personal information.

These malicious ads and content are ruining the online experience for users. Blocking them wards against hackers, ensures your network and devices are safe, and enhances the user experience.

Due to constant change and the growing number of threats the industry experiences, firewall security must continuously adapt to combat current threats. In response, banks and credit unions should evaluate security processes and firewall rules on a regular (quarterly) basis.

Why Should You Review

Firewalls have been a part of network security systems, monitoring both outgoing and incoming traffic, for more than 25 years. They serve as the first line of defense, helping to prevent unauthorized access and blocking certain communications based on security settings.

However, just having a firewall in place is not enough. Banks and credit unions are dynamic in nature and are constantly adding new services or changing business processes. If they are not checking the firewall configuration and rules regularly, it opens the institution up to attacks and breaches. Regular reviews help ensure a weakness in the security of the network will be found prior to exploitation and allow rules to be updated as necessary to meet technology changes or new threats.

For banks, there is an additional regulatory reason to perform quarterly reviews: the FFIEC Cybersecurity Assessment Tool (CAT). The quarterly Firewall Audit serves as a baseline standard, meaning that if you can’t answer “yes,” you will not meet the baseline requirements for the CAT in Domain 3. The quarterly audit is also part of the FFIEC Information Security Booklet.

Where to Start with Quarterly Firewall Rule Evaluations

To better understand how to assess your firewall rules, a few basic areas must be addressed.

First, you should have a solid understanding of how your firewall works and how it is setup. You should also receive firewall reports on a regular basis, and these should be reviewed carefully.

What to look for in Firewall Rules

Knowing how to review or audit firewall rules can be a challenge. Here are four basic things to start with to help guide the process.

1. Evaluate your existing firewall’s change management procedures
   This helps ensure that all rule changes that have been made in the past are adequately logged and all procedures have been done correctly.
2. Compare current firewall rules with previous firewall rules
   Comparing rules that were previously in place with those currently in place helps to easily identify any changes; track which changes have been made; and verify whether those changes are necessary. It will also help identify unused or “stale” rules.
3. Evaluate external IP addresses that are allowed by firewall rules
   Make sure the addresses the firewall allows are still safe and that they make sense for your bank or credit union to utilize. If some addresses now seem odd or out of place, it is likely that the rules should be changed.
4. Ensure there is still a true business need for open ports
   Firewall rules often contain open ports to allow for external communication. Evaluating open ports to ensure they are still needed is a basic — but important — step. If they are not, the rule can be deleted to avoid unnecessary communication.

While reviews of firewall rules can be done manually, it is time consuming and can be costly in terms operational resources and personnel. Many institutions decide to seek external assistance to simplify and enhance this task. This review task cannot be completely outsourced to a third-party, as it is still the institution’s final responsibility to validate the firewall configuration. If you decide to seek third-party assistance with this responsibility, be sure to ask for specifics and examples on how they help you meet this regulatory requirement and keep your network secure. A good third-party service provider can save your institution time while ensuring your organization has the most up-to-date and efficient firewall in place to protect against today’s constant threats and ensures all compliance and regulatory requirements are met.

Despite the significant advancements in technology and the sophistication of cyber threats, firewalls remain one of the most proven cyber deterrents. Network firewalls continue to serve as a cornerstone for a solid security strategy. However, some financial institutions have learned the hard way that a misconfigured or out-of-date firewall can leave their networks unprotected. For firewalls to be most effective, they must be able to deliver advanced security services to ensure that various threats are unable to disrupt the integrity of a network.

The Missing Link in Traditional Firewall Technology

Today, the industry standard for transmitting secure data over the internet is known as Secure Sockets Layer, or SSL. A more modern version of this SSL implementation is also known as Transport Layer Security, or TLS. For many companies and financial institutions, there has been a push to implement this technology to securely protect online traffic since it establishes an encrypted link between a web server and a browser. This ensures that all data passed between the server and browser remains private.
While SSL/TLS is effective in protecting the privacy of intercepted data that was transmitted between client and server, it also poses a problem for perimeter security. Legacy firewalls are unable to view the SSL traffic and cannot perform a proper analysis to determine if the encrypted traffic is safe or malicious. This increases the risk of a potential attack, because unsuspecting users can download malicious content and packages that bypass the institution’s perimeter defenses. This can lead to a malware infection or other nefarious activity on the network.

Importance of SSL Inspection

One key feature that all community banks and credit unions should have as a part of their firewall security strategy is SSL/TLS Inspection. Firewalls with the ability to scan encrypted SSL/TLS traffic have become increasingly important as malware and other cyber threats continue to grow and change. SSL/TLS inspection allows the firewall to decrypt traffic that is being transmitted to and from websites, email communications, and mobile applications. Once the traffic is decrypted, a proper analysis of the content can be performed. After the analysis is complete, the data is re-encrypted and transmitted to the client.

Without deploying this level of inspection, institutions run the risk of effectively introducing a “blind spot” in their traffic analysis mechanisms. This can cause major problems since, according to Cyren’s security researchers, some form of SSL is now being utilized in 37% of all malware. Researchers also substantiated that every major ransomware family since January 2016 has been distributed at some point via SSL/TLS. In addition, the average volume of encrypted internet traffic is now greater than the average volume of unencrypted internet traffic, making the need for SSL/TLS inspection in firewalls even more significant.

To adequately protect the network, financial institutions must implement a new approach to security that goes beyond traditional perimeter protection to safeguard the entire network. While firewalls are still critical to any security strategy, for them to be truly effective, they must evolve and become more sophisticated. Financial institutions must look for ways to better protect the network and identify other features to defend against attacks, and SSL/TLS inspection plays a key role in developing a stronger security ecosystem.

Over the past several years, the industry has been impacted by a marked increase in data breaches, ransomware, card fraud, cybersecurity threats, and other malicious attacks. Additionally, an increase in devices connected to networks has made it critical for financial institutions to strengthen their security strategies and policies to ensure all systems are up to date to effectively combat today’s threats.

While history has shown that well-designed single-focus solutions are useful in stopping specific attacks, the capabilities of advanced attacks are now so broad and sophisticated that a single line of defense inevitably fails—opening the way to costly data breaches and other malicious attacks.

To establish a secure IT network and be better protected in today’s digital world, banks and credit unions need to employ a strategy that places many uniquely tailored layers throughout their networks, from the end user to the internet. By employing multiple controls, security layers ensure that gaps or weaknesses in one control, or layer of controls, are compensated for by others.

According to our third annual report, “2019 IT Outlook for Community Banking,” community banks and credit unions are taking this advice to heart and do, in fact, have various security solutions in place to help protect their networks, including:

Firewalls

The most widely used solution is the firewall. Firewalls have served as part of a network-perimeter defense for more than three decades. However, over the years, as technology and threats change, firewalls must also evolve to keep pace. To ensure they are up to date and able to combat today’s threats, many are adding key functionality to their firewalls as well. According to survey results, 52% of respondents are adding SSL inspection to enhance their solution; 48% are adding sandboxing, threat intelligence feeds, and built-in network automation.

Anti-Virus Software

Anti-Virus software has been a staple for many organizations since the launch of the internet 25 years ago. It is imperative to have up-to-date anti-virus protection on your systems at all times. Ensuring all subscriptions are current will prevent you from getting viruses such as spyware, malware, rootkits, Trojans, phishing attacks, spam attack and other online cyber-threats. Anti-virus solutions are as important as ever.

Encryption

In addition to the firewall and anti-virus software, many banks and credit unions implement a level of encryption over all data, files and transactions. Encoding sensitive data helps prevent hackers from easily accessing information. This form of protection has grown increasingly popular with 84% of survey respondents claiming to be utilizing this security measure today.

Employee Training

Increasingly, banks and credit unions are recognizing employee training as an important security mechanism with 78% of survey respondents citing it. Employees who are not adequately trained on security protocols, procedures, and current issues can quickly become a top vulnerability and security threat for financial institutions. According to survey results, 100% of respondents claim that their employees have fallen victim to a phishing attack in the last 12 months and have been affected by a malware infection. To best mitigate these threats, training for all employees—from tellers and loan officers to the President and CEO—is critical. Thorough training should now include rigorous testing to ensure employees are able to spot security issues.

Vulnerability Scanning

To quickly identify internal threats, network security solutions must now scan and monitor more than just servers. Vulnerability scanning gives community banks and credit unions greater visibility into the network and identifies potential threats on all workstations and devices connected to the network. Banks and credit unions now understand the importance of scans, and 51% of survey respondents perform these scans several times a year.

Other security solutions highlighted in the report include patch management, intelligence feeds, security event log monitoring, endpoint security management, DNS filtering, anti-ransomware, and honeypots.

While all of these solutions have proven to be effective security layers, there is no single security product that will cover all of an institution’s needs and efficiently combat the variety of breaches and attacks the industry sees today. It is essential to implement a layered security approach and select security defenses that fit closely with your institution’s long-term goals as well as support your IT and compliance strategies.
For more information, download our 2019 IT Outlook for Community Banking report.

Increasingly, consumers are sharing their mobile phone numbers to retrieve and change lost passwords, set up new accounts, verify identity, and even for something as simple as securing a dinner reservation. Mobile phone text-based verification has proven extremely convenient but imagine if someone else had access to all of those text messages delivering secret codes required to verify our identities.

While not new, cell phone porting has recently gained traction as yet another way for scammers to hack into your systems, including bank accounts. The most alarming part of this scam is that it can allow hackers to get past added security measures on personal and financial accounts and logins by intercepting the one-time password that many companies send via text message to the mobile device to perform two-factor authentication.

How Does Porting Work?

Once a scammer has your name and phone number, they will attempt to gather personal information such as address, social security number, date of birth, etc. that can be used to impersonate you. Once obtained, they then contact your mobile provider, claim to be you, report your phone as stolen or lost and then request the number be “ported” with another provider and device. Surprisingly (and unfortunately), mobile carriers often grant this request and forgo formal verification procedures.

All calls and texts are then forwarded to the new device and the original phone – your phone — is shut off. Once in control of the mobile number, thieves can request second factor authentication be sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud. This enables them to access accounts that require additional security authorization such as email, financial accounts, medical records, social networks – anything you might need to access with a password!

You may not know you are a victim of porting until your phone has lost service and you no longer can access important accounts since the hackers have changed passwords. A phone might also switch to “Emergency Calls Only” status, which is what happens when a phone number has been transferred to another phone.

There are several steps you can take to protect yourself from falling victim to porting scams:

Contact your Wireless Provider About Port-out Authorization

Most major wireless providers offer an extra layer of security that customers can request, like a unique PIN or verification code, that only you have. This code or PIN must be provided before any changes can be made to your account.

Use Two Phone Numbers

Have two different phone numbers that you use in different ways. Have one number that you give out freely and another one that you never give out and use only as a backup verification tool. You can do this using a free online service, eliminating the need for an additional costly phone plan. Do not share this number with anyone – if it is shared just once it is considered public information! You can’t trust that the other person’s phone is secure or that they won’t share it.

Utilize Apps for Verification

Whenever there is the option, choose the app-based alternative for authentications. Many companies now support third-party authentication apps which can act as powerful two-factor authentication alternatives that are not nearly as easy for thieves to intercept.

In addition to these precautions, be vigilant about communications you receive and watch for alert messages from financial institutions, and texts in response to two-factor authorization requests, especially if you did not initiate the request. Also, if your phone switches to “Emergency Calls Only” mode, it is a sign the number has been compromised. If you do find yourself a victim of this type of scam, contact your mobile provider and financial institutions immediately.

The rise of porting attacks serves as a warning that we not only need to keep our emails secure, but we also need to keep our phone numbers more secure. To protect yourself, consider alternative forms of authentication other than a text message.