Tag: IT Security

29 Sep 2023
Using Conditional Access Policies and MFA to Enhance Azure AD Security

Using Conditional Access Policies and MFA to Enhance Azure AD Security

Using Conditional Access Policies and MFA to Enhance Azure AD Security

Earlier this year, we saw a large influx of successful phishing campaigns, primarily due to attackers being able to circumvent multifactor authentication (MFA). Their schemes worked because they were able to trick users into clicking on a link and giving away their security token—essentially bypassing MFA. The human-error factor highlights the need for phishing simulation training to ensure users are more aware of security threats. With phishing attacks still running rampant—and becoming more complex and harder to detect—it’s imperative that financial institutions use multiple strategies and technologies to optimize security.

The implications of MFA-resistant phishing are huge; the attacks have the potential to affect numerous organizations that depend on Microsoft Entra ID (formerly Azure AD) and Microsoft Office/M365 services to support their operations. However, institutions can minimize account compromises by combining a variety of tactics to prevent cyberattacks from happening. For instance, conditional access policies (CAPs) are a key proactive measure that banks and credit unions can implement to enhance security.

CAPs—which are quickly becoming the baseline of security—are the cornerstone of protecting identities within Microsoft Entra ID. These policies protect the very first step of the identification chain, the sign in attempt. They govern the conditions for users to access Azure services and will grant or deny access based on configured logic. At a high level, this logic can be far reaching but even so, organizations will not rely on only a single CAP. No CAP can provide complete protection. Instead, financial institutions should stack multiple CAPs together to produce better overall coverage and security. For example, requiring MFA, denying sign ins form outside of the USA, and requiring device compliance or specific join status.

Not only will organizations look to stack multiple CAPs, but they will also look to utilize telemetry from multiple Azure services for their logic. Combining services means institutions must have the appropriate licensing for each respective Azure service. For example, to obtain device compliance information, organizations will be required to implement and license for Intune.

Additionally, when designing CAP logic, it can be helpful to take as broad of an approach as possible to the scope of the CAP. The objective is to try to affect as many areas as possible with a single stroke to maximize coverage and reduce gaps in logic. Gaps, or logic bugs, are the result of incorrect scope definitions which will leave an organization vulnerable or at risk when they believe otherwise. A good example of a logic bug is when an organization implements a CAP requiring MFA but not for all users. This leaves a subset of the user base at risk.

Generally, when it comes to creating gaps in logic for CAPs, the rule of thumb is to always create compensating controls. This is how organizations can create complex webs of conditions and still allow for business continuity while simultaneously reducing risk. The trade-off is the more complex an organization’s CAPs are, the harder they will be to design, assess at a glance, and to maintain.

By blending various security tactics and technologies, financial institutions can implement a layered approach to enhance their security posture. They can also partner with a third-party expert like Safe Systems to improve their ability to proactively detect and respond to phishing attacks and other threats. Our CloudInsight™ M365 Security Basics solution offers critical reporting and alerting to help institutions better gauge their security awareness. M365 Security Basics provides visibility into security settings for Azure AD and M365, making it easier for institutions to mitigate the impact of potential cyberattacks.

For more information about how to employ CAPS and modern MFA to minimize security risks, view our recorded webinar on “Securing Azure AD with Conditional Access Policies.

01 Apr 2021
The Security Evolution Featured Blog Image

The Security Evolution: The Integration of Security and Technology in Your Bank’s Infrastructure

The Security Evolution Featured Blog Image

Financial institutions and other organizations face a head-spinning number of information security risks—and the threats are becoming more complex and difficult to detect. In 2020, the FBI’s Internet Crime Complaint Center received a record number of complaints: 791,790, with reported losses exceeding $4.1 billion. The complaints—many of which included sophisticated phishing emails, business email compromise, and ransomware—represented a 69-percent increase in total from 2019, according to the FBI 2020 Internet Crime Report. In almost every case, a financial institution was involved; either as the direct target, a payment intermediary, or the account holder (victims) source of funds.

Importance of Resilience

With IT security, one of the primary goals for financial institutions is to minimize operational risk by limiting downtime; a process also referred to as “resilience”. Formally defined as the “…ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions…”, resilience also includes the ability to withstand and recover from deliberate attacks or naturally occurring disasters.

Resilience extends beyond after-the-fact recovery capabilities to incorporate proactive measures for mitigating the risk of a reasonably anticipated disruptive event in the overall design of operations and processes, including IT infrastructure. Resilience strategies, including maintaining security standards, should extend across the entire business, including outsourced activities. Because of the constantly changing threat environment, banks and credit unions should be regularly refining their security strategies. But it can be challenging for institutions to effectively manage the resources required to create a resilient infrastructure, including the staff, hardware, software, facilities, utilities, and other resources required to support operations. This monumental task encompasses everything from technology and telecommunications infrastructure to the critical dependencies provided by third-party service providers.

With so much complexity, having integrated security controls that coordinate and communicate with each other can make it easier for institutions to detect and prevent an incident before it happens, and to respond and recover afterward. Integration involves blending separate technology and controls into a single system that simplifies the work of short-staffed, time-strapped IT departments. The integration of security technology can ensure that financial institutions have a more manageable—and sustainable—approach to addressing the increasing volume and sophistication of security threats that they encounter.

Compliance and IT Security Integration

Of course, the rationale for integrating security and technology goes beyond the practical need to safeguard an institution’s information, infrastructure, and other assets, as it’s also a matter of compliance.

Information security should be embedded within the institution’s culture, according to the Federal Financial Institution Examination Council (FFIEC), and an institution’s security culture contributes to the effectiveness of its information security program. In fact, the FFIEC IT Handbook’s Information Security booklet indicates that “an institution with a stronger security culture generally integrates information security into new initiatives from the outset and throughout the life cycles of services and applications.”

Financial institutions should have a robust and effective information security program that supports their IT risk management process, according to FFIEC guidelines. Based on the FFIEC IT Handbook’s Information Security booklet, an effective IT program should:

  • Identify threats, measure risk, define information security requirements, and implementing control
  • Integrate with lines of business and support functions in which risk decisions are made
  • Integrate third-party service provider activities with the information security program

Third-party Management

Integrating third-parties into your security program is not just accepted by the regulators, it’s expected. According to the FFIEC, “In many situations, outsourcing offers the institution a cost-effective alternative to in-house capabilities…without the various expenses involved in owning the required technology or maintaining the human capital required to deploy and operate it.” However, the FFIEC goes on to recommend that institutions who elect to outsource technology, line of business activities, and support functions, ensure the integration of these activities with their information security program through an effective third-party service provider (vendor) management program. The FFIEC IT Handbook’s Information Security booklet asserts that: “Effective integration of these programs is evident when the institution creates and enforces expectations that align with the internal information security program in such a way that the combined activities of the institution and its third-party service providers result in an acceptable level of risk.”

Security threats will always be a constant challenge, but successfully integrating security and technology within an institution’s banking infrastructure can help institutions win the fight. Safe Systems provides banks and credit unions with an array of compliance-focused IT services to help them improve their overall security posture. Our proven experience, paired with our compliance-focused technology and security solutions, enables financial institutions to significantly strengthen their resilience by seamlessly aligning compliance and security.

01 Aug 2018
Cybercriminals Do Not Go on Vacation

Cybercriminals Don’t Go on Vacation! 3 Key Steps to Maintain Security During Summer Months

Cybercriminals Do Not Go on Vacation

Summer is in full swing, and many employees are heading out of the office for their annual summer vacations. However, while employees are taking advantage of the summer months, so are cybercriminals! Cybersecurity attacks continue to increase and are becoming more sophisticated with recent attacks involving extortion, destructive malware, and compromised credentials. An attack on a financial institution resulting in the loss of data can have a devastating effect on the organization’s revenue and reputation. In addition, the amount of time and money needed to resolve these attacks can be significant.

While the Federal Deposit Insurance Corporation (FDIC) actually encourages mandatory vacation time for bank employees of all levels, this can be a challenging time for many community institutions that have a small staff and rely on key individuals to ensure their institution is adequately protected. So, what are some key steps financial institutions can take to ensure their organization is protected when key personnel take time off?

  1. Have a Solid Layered Security Program
  2. Financial institutions should employ a strategy that places many uniquely tailored layers throughout the network. By employing multiple controls, security layers ensure that gaps or weaknesses in one control, or layer of controls, are compensated for by others. This includes scanning your network for threats on a regular basis and ensuring all patches are up to date. Implementing a layered approach to security enables institutions to catch security incidents before they become damaging. The right balance of security layers allows staff to automate security tasks and takes the pressure off one individual managing the entire security program.

  3. Create a Strong Security Culture and Adequately Train Staff
  4. An important part of combatting cyber attacks is ensuring that all bank and credit union employees are comfortable highlighting security-related issues and will follow the appropriate steps to ensure they get resolved. This means staff must be adequately trained to spot security issues; understand the importance of protecting sensitive information; and recognize the risks of mishandling this data. All employees should know how to report anomalies, mistakes, or any concerns immediately. To effectively execute this, employees must understand what to look for; where key vulnerabilities lie; what steps to take when a security issue arises; and who they should alert.

  5. Partner With an Industry-Specific IT Security Provider
  6. Complimentary White PaperManaging Risk with Truly Secure Vendor Management Program Get a Copy

    To help augment security responsibilities and combat cyber-attacks, many community financial institutions are turning to industry-specific IT and security service providers familiar with banking regulations to act as an extension of their organization. These organizations act as true partners and work alongside current staff to provide timely support, and they help the financial institution successfully design and execute a comprehensive security strategy. An IT and security service provider can help automate and control many of the administrative functions that normally fall to the IT security department, making it less daunting for personnel to take time away from the office.

Cybercrime is one of the greatest security challenges and concerns for financial institutions today, and community banks and credit unions cannot be complacent when it comes to protecting themselves and the sensitive information they hold. When the security staff is out or unavailable, outsourcing security processes helps fill the personnel gap and provide added stability for the institution and peace of mind to all.

At Safe Systems we understand the challenges that come with managing security programs and ensuring the network is safe and secure. By making the decision to partner with Safe Systems, your organization will benefit from time-saving automation, an in-depth view of your IT network environment, and additional support in co-managing your IT security operations. We want to provide you with assurance that the institution’s IT network is functioning efficiently, optimally, securely, and is in compliance with industry regulations at all times.

29 Nov 2017
Combatting Cybercrime

Combatting Cybercrime: Change Your Cybersecurity Mindset to Enhance Your Institution’s Strategy

Targeting Employees - How to Prevent Phishing

Cyber-attacks are becoming more sophisticated as cyber criminals find alternative ways to target financial institutions and their data. Most recently, there has been an increase in phishing scams that specifically target bank employees, attempting to obtain sensitive information such as usernames and passwords. The ultimate goal is to trick bank employees into clicking on links or opening attachments that redirect them to fake websites where they are encouraged to share login credentials and other personal information.

With access to your employees email accounts, cyber criminals have the ability to read your bank’s critical information, send emails on your employees’ behalf, hack into the employee’s bank and social media accounts, and gain access to internal documents and customer financial information. This can result in both financial and reputational risks for the institution and its employees.

To help protect your institution’s data, here are two key ways to prevent phishing scams and increase security for your community bank or credit union:

  1. Employee Training is the Number One Priority
  2. Without proper training, it is very easy for employees to fall victim to a variety of email phishing scams. Financial institutions must have a policy of on-going testing and training to ensure employees understand security procedures and are equipped to identify phishing emails and other security threats. It is also important to establish a security culture within your organization to ensure that all employees recognize that they have a personal responsibility to safeguard against breaches.


    Community banks and credit unions can also leverage an outside security company to conduct security training and checks to verify how employees interact with suspicious emails. This allows network administrators to look at different levels of risk based on whether an employee ignored the email, opened the email, or clicked the link and provided information. After conducting this test, the administrator can then use that opportunity to educate employees on what happened during the test, explain how the system was compromised, and provide applicable advice on how to recognize these types of attacks in the future.

  3. Stop Email Phishing Attacks with Multifactor Authentication
  4. A proven way to protect your bank’s network is to implement multifactor authentication, which requires more than one method of authentication to verify a user’s identity for a login or other transaction. This security option is designed to make it more difficult for cybercriminals to access bank accounts and other sensitive information.

    While there are different ways to implement multifactor authentication, the three basic elements that can be used in this process include:

    • Something the user knows, like a password or PIN;
    • Something the user possesses, like a smart card, token or mobile phone; and
    • Something the user is (i.e., biometrics), such as a fingerprint or retina scan.

Many of our customers rely on Safe Systems SafeSysMail O365 hosted email solution, which provides them the option to turn on dual-factor authentication to increase the layers of security. When an employee tries to login to their email account, they would first type in their username and password. Then, as a second factor, they would use a mobile authentication app, which will generate a code or PIN to enter on the screen and would then be given access to the account. Implementing multifactor authentication is a powerful step toward preventing hackers from gaining access to accounts even if a password or security answer is stolen.

To combat today’s cyber threats, financial institutions must stay up to date on the latest phishing strategies and verify that the security policies and solutions in place can reduce potential threats. It is also vitally important that employees understand the types of attacks they may face, the risks, and how to address them. Implementing a combination of employee training and multifactor authentication strengthens your institution’s security strategy and can make the difference when (not if) cybercriminals attempt to hack into your employee accounts.

White Paper Download
Read the Guide

26 Apr 2017
Why Financial Institutions Should Invest in Layered Security

Why Financial Institutions Should Invest in Layered Security

Why Financial Institutions Should Invest in Layered Security

Phishing, malware, ransomware and a host of additional fraudulent activities continue to target financial institutions. While history has shown that well-designed single-focus solutions can prove useful in stopping specific attacks, the capabilities of advanced malware are now so broad and sophisticated that such protections inevitably fail – opening the way to costly data breaches and other malicious attacks. What is perhaps most frustrating is that Verizon’s Data Breach Investigation Report indicates that 97% of attacks were easily avoidable.

To establish a secure IT network and be better protected in the digital world, banks should employ a strategy that places many uniquely tailored layers throughout their networks, from the end user to the Internet. By employing multiple controls, security layers ensure that gaps or weaknesses in one control, or layer of controls, are compensated for by others. For example, if a malicious email message should make it past the firewall, it would then be countered by the mail server’s antivirus, and if it somehow makes it through that layer, it can be stopped by the workstation’s antivirus system.

A uniquely tailored layered security approach enables financial institutions to:

  • Monitor antivirus for servers, workstations, and off-site laptops;
  • Using services that evaluate site lookups to avoid exposure to compromised websites;
  • Monitor unusual activity on networks as well as defend against hackers and rogue employees;
  • Block access to all external ports while also monitoring the access of various machines;
  • Meet government regulations and requirements;
  • Counter extortion threats by preventing a hacker from holding your customer’s personal data for ransom with special customized software for stopping ransomware; and
  • Patch machines, encrypt laptops, and install alerts on new devices plugged into the network.

Government Regulations and Guidance Around Security Expectations

There are also regulatory requirements and expectations for banks to invest in proper security. Layered security and compliance policies have come under increased regulatory focus recently, which is evident with the release for the FFIEC Cybersecurity Assessment Tool (CAT) and the updated FFIEC Management Examination Handbook. In addition, the responsibility of securing confidential customer information is mandated by the Gramm-Leach-Bliley Act of 1999. This law established that financial institutions must protect their IT networks from attack and identify any possible breaches that manage to bypass these protections.

This guidance is always changing, and financial institutions must adapt to regulatory demands. IT auditors and examiners will look for evidence of a thorough risk assessment; make sure that written policies and procedures align with the assessment; and then verify that controls and daily practices are appropriate. 


Each financial institution will have a different security approach based on its unique risks, but all financial institutions should implement a security plan that can effectively prevent attacks, assess vulnerabilities and constantly update security measures as new technology assets are added and government regulations evolve.

For more information please download our complimentary white paper, Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program.

White Paper Download

Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program

Learn why a single layer of security, such as antivirus, is no longer enough in the current risk environment.
Free White Paper

12 Apr 2017
Community Banks Ransomware

Ransomware Response: 8 Ways Your Community Bank Can Prevent Malicious Attacks

Community Banks Ransomware

One of the biggest cyber threats today is ransomware, with instances of these malicious attacks increasing by 44% in the last six months alone. In fact, according to the 2017 State of Malware Report by Malwarebytes, ransomware was the favorite method of attack used against businesses in 2016. Recent FBI statistics indicate that hackers successfully extorted more than $209 million in ransomware payments from businesses and financial institutions in Q1 2016, and the business of ransomware is now on track to become a $1 billion per year crime.

(more…)

05 Apr 2017
5 Steps Community Banks Can Take

5 Steps to Building a Strong Security Culture

5 Steps Community Banks Can Take

Financial institutions face increasing pressure to provide enhanced consumer protection against phishing, sophisticated malware and fraudulent activities. Smaller organizations are the prime targets for calculated, malicious attacks, due to the sensitive financial data banks are responsible for.

Investing in technology resources is necessary to protect community banks from security breaches and attacks, but it is equally important to instill a strong security culture within the bank to help all departments and personnel adequately combat these threats. IT security is integral to running a successful institution, and banks should begin to educate and train their employees on the proper way to tackle security-related issues and safeguard customer information.

(more…)