Category: Security

Due to constant change and the growing number of threats the industry experiences, firewall security must continuously adapt to combat current threats. In response, banks and credit unions should evaluate security processes and firewall rules on a regular (quarterly) basis.

Why Should You Review

Firewalls have been a part of network security systems, monitoring both outgoing and incoming traffic, for more than 25 years. They serve as the first line of defense, helping to prevent unauthorized access and blocking certain communications based on security settings.

However, just having a firewall in place is not enough. Banks and credit unions are dynamic in nature and are constantly adding new services or changing business processes. If they are not checking the firewall configuration and rules regularly, it opens the institution up to attacks and breaches. Regular reviews help ensure a weakness in the security of the network will be found prior to exploitation and allow rules to be updated as necessary to meet technology changes or new threats.

For banks, there is an additional regulatory reason to perform quarterly reviews: the FFIEC Cybersecurity Assessment Tool (CAT). The quarterly Firewall Audit serves as a baseline standard, meaning that if you can’t answer “yes,” you will not meet the baseline requirements for the CAT in Domain 3. The quarterly audit is also part of the FFIEC Information Security Booklet.

Where to Start with Quarterly Firewall Rule Evaluations

To better understand how to assess your firewall rules, a few basic areas must be addressed.

First, you should have a solid understanding of how your firewall works and how it is setup. You should also receive firewall reports on a regular basis, and these should be reviewed carefully.

What to look for in Firewall Rules

Knowing how to review or audit firewall rules can be a challenge. Here are four basic things to start with to help guide the process.

1. Evaluate your existing firewall’s change management procedures
   This helps ensure that all rule changes that have been made in the past are adequately logged and all procedures have been done correctly.
2. Compare current firewall rules with previous firewall rules
   Comparing rules that were previously in place with those currently in place helps to easily identify any changes; track which changes have been made; and verify whether those changes are necessary. It will also help identify unused or “stale” rules.
3. Evaluate external IP addresses that are allowed by firewall rules
   Make sure the addresses the firewall allows are still safe and that they make sense for your bank or credit union to utilize. If some addresses now seem odd or out of place, it is likely that the rules should be changed.
4. Ensure there is still a true business need for open ports
   Firewall rules often contain open ports to allow for external communication. Evaluating open ports to ensure they are still needed is a basic — but important — step. If they are not, the rule can be deleted to avoid unnecessary communication.

While reviews of firewall rules can be done manually, it is time consuming and can be costly in terms operational resources and personnel. Many institutions decide to seek external assistance to simplify and enhance this task. This review task cannot be completely outsourced to a third-party, as it is still the institution’s final responsibility to validate the firewall configuration. If you decide to seek third-party assistance with this responsibility, be sure to ask for specifics and examples on how they help you meet this regulatory requirement and keep your network secure. A good third-party service provider can save your institution time while ensuring your organization has the most up-to-date and efficient firewall in place to protect against today’s constant threats and ensures all compliance and regulatory requirements are met.

Despite the significant advancements in technology and the sophistication of cyber threats, firewalls remain one of the most proven cyber deterrents. Network firewalls continue to serve as a cornerstone for a solid security strategy. However, some financial institutions have learned the hard way that a misconfigured or out-of-date firewall can leave their networks unprotected. For firewalls to be most effective, they must be able to deliver advanced security services to ensure that various threats are unable to disrupt the integrity of a network.

The Missing Link in Traditional Firewall Technology

Today, the industry standard for transmitting secure data over the internet is known as Secure Sockets Layer, or SSL. A more modern version of this SSL implementation is also known as Transport Layer Security, or TLS. For many companies and financial institutions, there has been a push to implement this technology to securely protect online traffic since it establishes an encrypted link between a web server and a browser. This ensures that all data passed between the server and browser remains private.
While SSL/TLS is effective in protecting the privacy of intercepted data that was transmitted between client and server, it also poses a problem for perimeter security. Legacy firewalls are unable to view the SSL traffic and cannot perform a proper analysis to determine if the encrypted traffic is safe or malicious. This increases the risk of a potential attack, because unsuspecting users can download malicious content and packages that bypass the institution’s perimeter defenses. This can lead to a malware infection or other nefarious activity on the network.

Importance of SSL Inspection

One key feature that all community banks and credit unions should have as a part of their firewall security strategy is SSL/TLS Inspection. Firewalls with the ability to scan encrypted SSL/TLS traffic have become increasingly important as malware and other cyber threats continue to grow and change. SSL/TLS inspection allows the firewall to decrypt traffic that is being transmitted to and from websites, email communications, and mobile applications. Once the traffic is decrypted, a proper analysis of the content can be performed. After the analysis is complete, the data is re-encrypted and transmitted to the client.

Without deploying this level of inspection, institutions run the risk of effectively introducing a “blind spot” in their traffic analysis mechanisms. This can cause major problems since, according to Cyren’s security researchers, some form of SSL is now being utilized in 37% of all malware. Researchers also substantiated that every major ransomware family since January 2016 has been distributed at some point via SSL/TLS. In addition, the average volume of encrypted internet traffic is now greater than the average volume of unencrypted internet traffic, making the need for SSL/TLS inspection in firewalls even more significant.

To adequately protect the network, financial institutions must implement a new approach to security that goes beyond traditional perimeter protection to safeguard the entire network. While firewalls are still critical to any security strategy, for them to be truly effective, they must evolve and become more sophisticated. Financial institutions must look for ways to better protect the network and identify other features to defend against attacks, and SSL/TLS inspection plays a key role in developing a stronger security ecosystem.

Over the past several years, the industry has been impacted by a marked increase in data breaches, ransomware, card fraud, cybersecurity threats, and other malicious attacks. Additionally, an increase in devices connected to networks has made it critical for financial institutions to strengthen their security strategies and policies to ensure all systems are up to date to effectively combat today’s threats.

While history has shown that well-designed single-focus solutions are useful in stopping specific attacks, the capabilities of advanced attacks are now so broad and sophisticated that a single line of defense inevitably fails—opening the way to costly data breaches and other malicious attacks.

To establish a secure IT network and be better protected in today’s digital world, banks and credit unions need to employ a strategy that places many uniquely tailored layers throughout their networks, from the end user to the internet. By employing multiple controls, security layers ensure that gaps or weaknesses in one control, or layer of controls, are compensated for by others.

According to our third annual report, “2019 IT Outlook for Community Banking,” community banks and credit unions are taking this advice to heart and do, in fact, have various security solutions in place to help protect their networks, including:

Firewalls

The most widely used solution is the firewall. Firewalls have served as part of a network-perimeter defense for more than three decades. However, over the years, as technology and threats change, firewalls must also evolve to keep pace. To ensure they are up to date and able to combat today’s threats, many are adding key functionality to their firewalls as well. According to survey results, 52% of respondents are adding SSL inspection to enhance their solution; 48% are adding sandboxing, threat intelligence feeds, and built-in network automation.

Anti-Virus Software

Anti-Virus software has been a staple for many organizations since the launch of the internet 25 years ago. It is imperative to have up-to-date anti-virus protection on your systems at all times. Ensuring all subscriptions are current will prevent you from getting viruses such as spyware, malware, rootkits, Trojans, phishing attacks, spam attack and other online cyber-threats. Anti-virus solutions are as important as ever.

Encryption

In addition to the firewall and anti-virus software, many banks and credit unions implement a level of encryption over all data, files and transactions. Encoding sensitive data helps prevent hackers from easily accessing information. This form of protection has grown increasingly popular with 84% of survey respondents claiming to be utilizing this security measure today.

Employee Training

Increasingly, banks and credit unions are recognizing employee training as an important security mechanism with 78% of survey respondents citing it. Employees who are not adequately trained on security protocols, procedures, and current issues can quickly become a top vulnerability and security threat for financial institutions. According to survey results, 100% of respondents claim that their employees have fallen victim to a phishing attack in the last 12 months and have been affected by a malware infection. To best mitigate these threats, training for all employees—from tellers and loan officers to the President and CEO—is critical. Thorough training should now include rigorous testing to ensure employees are able to spot security issues.

Vulnerability Scanning

To quickly identify internal threats, network security solutions must now scan and monitor more than just servers. Vulnerability scanning gives community banks and credit unions greater visibility into the network and identifies potential threats on all workstations and devices connected to the network. Banks and credit unions now understand the importance of scans, and 51% of survey respondents perform these scans several times a year.

Other security solutions highlighted in the report include patch management, intelligence feeds, security event log monitoring, endpoint security management, DNS filtering, anti-ransomware, and honeypots.

While all of these solutions have proven to be effective security layers, there is no single security product that will cover all of an institution’s needs and efficiently combat the variety of breaches and attacks the industry sees today. It is essential to implement a layered security approach and select security defenses that fit closely with your institution’s long-term goals as well as support your IT and compliance strategies.
For more information, download our 2019 IT Outlook for Community Banking report.

Increasingly, consumers are sharing their mobile phone numbers to retrieve and change lost passwords, set up new accounts, verify identity, and even for something as simple as securing a dinner reservation. Mobile phone text-based verification has proven extremely convenient but imagine if someone else had access to all of those text messages delivering secret codes required to verify our identities.

While not new, cell phone porting has recently gained traction as yet another way for scammers to hack into your systems, including bank accounts. The most alarming part of this scam is that it can allow hackers to get past added security measures on personal and financial accounts and logins by intercepting the one-time password that many companies send via text message to the mobile device to perform two-factor authentication.

How Does Porting Work?

Once a scammer has your name and phone number, they will attempt to gather personal information such as address, social security number, date of birth, etc. that can be used to impersonate you. Once obtained, they then contact your mobile provider, claim to be you, report your phone as stolen or lost and then request the number be “ported” with another provider and device. Surprisingly (and unfortunately), mobile carriers often grant this request and forgo formal verification procedures.

All calls and texts are then forwarded to the new device and the original phone – your phone — is shut off. Once in control of the mobile number, thieves can request second factor authentication be sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud. This enables them to access accounts that require additional security authorization such as email, financial accounts, medical records, social networks – anything you might need to access with a password!

You may not know you are a victim of porting until your phone has lost service and you no longer can access important accounts since the hackers have changed passwords. A phone might also switch to “Emergency Calls Only” status, which is what happens when a phone number has been transferred to another phone.

There are several steps you can take to protect yourself from falling victim to porting scams:

Contact your Wireless Provider About Port-out Authorization

Most major wireless providers offer an extra layer of security that customers can request, like a unique PIN or verification code, that only you have. This code or PIN must be provided before any changes can be made to your account.

Use Two Phone Numbers

Have two different phone numbers that you use in different ways. Have one number that you give out freely and another one that you never give out and use only as a backup verification tool. You can do this using a free online service, eliminating the need for an additional costly phone plan. Do not share this number with anyone – if it is shared just once it is considered public information! You can’t trust that the other person’s phone is secure or that they won’t share it.

Utilize Apps for Verification

Whenever there is the option, choose the app-based alternative for authentications. Many companies now support third-party authentication apps which can act as powerful two-factor authentication alternatives that are not nearly as easy for thieves to intercept.

In addition to these precautions, be vigilant about communications you receive and watch for alert messages from financial institutions, and texts in response to two-factor authorization requests, especially if you did not initiate the request. Also, if your phone switches to “Emergency Calls Only” mode, it is a sign the number has been compromised. If you do find yourself a victim of this type of scam, contact your mobile provider and financial institutions immediately.

The rise of porting attacks serves as a warning that we not only need to keep our emails secure, but we also need to keep our phone numbers more secure. To protect yourself, consider alternative forms of authentication other than a text message.

Financial institutions often view staff as their most valuable asset, but employees can also be a top vulnerability, especially if they are unfamiliar with security protocols. With the increasing rate of cyber-attacks in the financial industry, community banks and credit unions must instill the concept that security responsibilities belong to everyone in the organization and ensure all employees understand the role they play in security protection and awareness.

The truth is many financial institutions are not adequately training staff to be successful in spotting and mitigating security-related issues. To protect financial data, community banks and credit unions must adopt a solid security awareness training program.

Training Best Practices

A few best practices for establishing a strong security awareness program include:

• Conduct security awareness training at least once a year or as business conditions evolve. At a minimum, the training materials should also be updated annually to provide fresh content and account for changes in the security landscape.
• Document employee participation and completion of the program and provide proof for auditors and examiners. Financial institutions should also obtain confirmation of their employees’ understanding in the form of a quiz, a group discussion or some type of interactive activity.
• Use current news events or recent security incidents as examples to help employees analyze a real-life scenario. This is a great opportunity for learning as they will often show the direct results of a failure to follow policies and procedures.
• Incorporate social engineering testing into the program to evaluate how employees will actually react in a threat situation. Employees who get tricked by social engineering exercises may need supplemental training.

The training should include instructions on:

• Proper email use;
• Proper PC and Internet use;
• Password policy and best practices;
• Business continuity procedures and responsibilities;
• Incident Response procedures and responsibilities, which usually means “if you see something, then let
• the right person or group know about it ASAP”;
• Institution policies and procedures on cybersecurity; and
• Expected end-user behavior.

In addition to adequately training employees, financial institutions should have security awareness materials and information available to customers and members that enable them to spot security issues and adequately protect themselves as well.

It is not enough for an organization to rely solely on the IT or security department to safeguard sensitive information. When everyone is held accountable for the security of financial data, the financial institution is better equipped to handle the unexpected and protect the organization from harm. Establishing a solid security awareness training program for all employees — from tellers and loan officers to the president and CEO — is essential.

While cyber threats become more commonplace, sophisticated and damaging for financial institutions, one type of threat that has remained pervasive is the denial-of-service attack, or DoS. DoS is a cyber event where an attacker seeks to prevent legitimate users from accessing computer systems, devices or other online resources. The perpetrator floods the victim’s machine or network with false requests to overload the system and prevent legitimate access.

Cybercriminals have taken this form of attack to the next level with Distributed Denial of Service (DDoS) attacks which, while similar to a DoS attack, differs in that the incoming requests or traffic come from more than one source – something that makes it extremely difficult to stop.



To better understand the nature of a DDOS attack, consider the analogy of a supermarket. If you are a shopper and only have two or three items, you can usually go through the check-out line quickly. However, if the store only has one register open and there are several people in front of you with baskets full of groceries, they are essentially denying you service to that cash register due to the amount of items that must be processed. If that same store has multiple check-out lines open, and they all have long lines, you are being blocked access to the cash register from multiple sources.

How DDoS Works

To execute a DDoS attack, an attacker sends malicious software to vulnerable devices, often through infected emails, attachments, websites and even social media, creating an entire network of infected machines and devices called botnets. The attacker can then control the botnets remotely and send an influx of traffic to flood the network or target by sending huge amounts of random data or connection requests. The infected devices will show no signs of attack and will continue to function normally, but will have the occasional sluggish response due to the lack of available bandwidth.

The scale and sophistication of DDoS attacks has increased considerably over the years. In fact, according to a report from Verisign, one third of all downtime incidents have been attributed to DDoS attacks. Attackers often hold the organization’s website or device for ransom, performing a small example of the attack to show the victim what will happen if the ransom is not paid.

A recent botnet called Mirai, reared its head in 2016 and infected unsecured internet of things (IoT) devices such as DVRs, home routers, printers and IP cameras. These devices are vulnerable to attack since they are not required to have the same level of security as computers. The Mirai botnet was responsible for DDoS attacks on several high-profile websites such as Twitter, Reddit, Netflix, and Airbnb.

Impact of DDoS Attacks on Financial Institutions

Financial institutions are prime targets for DDoS attacks due to both the large amount of private data and monetary funds that they house, and as they continue to expand their use of digital channels and outsourced services, the possibility of an attack increases as well.

A well-executed DDoS attack can interrupt a host of banking services including website access, ATM networks, and online banking platforms, in addition to internal systems and functions that help the bank operate and serve customers. Beyond the operational impact is the resulting damage to the institution’s brand equity and reputation when customers are prohibited from accessing their financial information and funds.

Combating DDoS Extortion

To combat DDoS extortion, financial institutions should have a solid plan in place to identify all critical services as well as vendors and the organizations that host them; know who to contact and notify in case of an attack; and ensure that all employees are trained and ready to execute the plan. In addition, financial institutions should also contact the cyber division of the FBI, the Financial Crimes Enforcement Network (FinCen), and their local regulator to report the attack.

DDoS attacks remain unpredictable and can seriously disrupt your institution’s business operations. All financial institutions need a solid plan in place to be prepared, not if, but when a cyber event like this occurs.