MFA Archives - Safe Systems

26 Dec 2024

Banks, Credit Unions, Security, Technology Jamie Davis 0 comment

Navigating M365 Security: Insights from Our 4-Part Immersion Training

The highly anticipated and well-attended M365 Security Immersion Training event explored the nuances of Microsoft 365 (M365) security. Led by seasoned experts and M365-certified security administrator associates, this series offered critical insights into Conditional Access Policies, Azure/Entra ID tenant configurations, and the transformative role of Artificial Intelligence (AI) in community banking. For those bankers eager to strengthen their security strategies and mitigate unauthorized access threats, each webinar session was recorded and is now available to watch. Below is a summary of the valuable lessons, hands-on guidance, and actionable takeaways from each session:

Part 1: Understanding and Avoiding Misconfigurations in Conditional Access Policies

Conditional Access Policies (CAPs) are critical to safeguarding your financial institution’s sensitive data. However, when misconfigured, they pose a substantial risk. The opening session inspected the typical errors within CAP setups and explained in detail how to rectify them. Participants learned about the essential terminology—like Entra ID and Named Locations—and got acquainted with common pitfalls, which include the exclusion of Break Glass Accounts, the improper definition of Named Locations, and overlooking Multi-factor Authentication (MFA) requirements. The training emphasized the importance of ongoing CAP management and shared best practices for future-proofing these security measures against potential threats.

Part 2: Elevate Your M365 Security Game

The second session delved into Microsoft 365’s robust security infrastructure, differentiating it from Office 365 by focusing on security, identity, and compliance. Our experts unraveled M365’s key security features—like Security Defaults, Global Auditing, and the reformation of mailbox protocols—and stressed best practices for managing these components. It highlighted the significance of applications, stopping user unauthorized trials or purchases, managing administrative roles, and ensuring secure email communications. It also provided a handy infographic to explore overlooked M365 security features to help you implement everything needed under your license type. Overall, this hands-on training demonstrated why keeping pace with such security measures is vital to preventing evolving cyber threats.

Part 3: Mastering Azure Tenant Configuration: CAPs and Intune Deployment

Azure, known for its expansive capabilities, demands meticulous configuration to leverage its potential fully. This session provided guidance on managing Azure/Entra ID tenants effectively, implementing CAPs, and deploying Intune. It covered essential aspects such as user-based exceptions for CAPs, Intune objectives, and tips for device and network maintenance. Attendees gained insights into crafting and enforcing policies that address unauthorized device access and ensure compliance with application usage, alongside strategies for regular device and policy maintenance to bolster their security.

Part 4: AI Governance and Accountability in Azure

Exploring the growing role of Artificial Intelligence (AI) in banking, this concluding session emphasized understanding governance and responsibility in deploying AI tools like Microsoft Copilot. It explained Copilot’s features and architecture, the importance of access control, and the implications of global data handling. With comprehensive insights, participants were shown how to balance innovation with security and compliance, maximizing data utility while safeguarding organizational integrity.

Watch All Four Sessions

These sessions provide security best practices and strategic insights into managing M365 environments effectively. Packed with practical demonstrations, expert advice, and interactive segments, the M365 Security Immersion Training is invaluable for financial institutions seeking to strengthen their security posture. Now you can access all recordings and tap into the wealth of knowledge this series offers.

07 Nov 2024

Banks, Credit Unions Jamie Davis 0 comment

Unmanaged Azure Tenants: A Hidden Security Risk

If your institution uses Exchange Online or Microsoft 365 for email, you have a Microsoft Azure tenant. However, many institutions are unaware that this tenant requires management and continuous monitoring to ensure security and efficiency. Certain settings should be locked down by default, others require adjustments, while some require ongoing monitoring. In serving hundreds of community banks and credit unions across the US, we have identified numerous tenants that are either unmanaged or improperly managed. This exposes vulnerabilities that bad actors can exploit, potentially leading to compromised accounts and data exfiltration.

Outlined below are some common issues we have encountered. The numbers referenced are based on the average annual count of activities per 100 institutions.

Compromised User Accounts

Each year, we observe approximately 1,000 successful logins from outside the United States. While some of these logins occur when employees are traveling, many do not. Often these logins indicate a compromised account.

Institutions should block or limit logins from outside the US based on business requirements and employee work patterns, while also monitoring and alerting for these occurrences.

Unknown Users

While exact numbers are unavailable, we often encounter this issue when conducting reviews with customers. We frequently discover accounts that the institution cannot identify and are not associated with current employees. Some of these may be old accounts that were not deactivated upon an employee’s departure. However, there is a risk that some of these accounts were created by bad actors with malicious intent. In some cases, we discovered that the accounts were created with administrator privileges, allowing cybercriminals full access.

Forwarding of Emails to Outside Accounts

Email forwarding or redirection is added to email accounts approximately 700 times a year. Discussions with multiple institutions revealed that, in many cases, these settings were not configured by authorized personnel. Bad actors are using this method to monitor the emails of specific accounts long after they have lost direct access.

Permissions to Access Someone’s Email Account (e.g., “Send as,” “On behalf of”)

Much like the previous example, email account settings are frequently being altered. However, instead of merely redirecting emails, they allow unauthorized individuals to send emails on behalf of someone else. We observe this occurring approximately 2,600 times annually. These changes are often unknown to the institution, indicating that a bad actor potentially gained control of an email account.

Unauthorized Use of Sharing Tools to Share Files with External Users (e.g., OneDrive)

Many institutions say their employees are prohibited from sharing files outside the organization. However, we encounter numerous instances where this is not actually enforced. Safe Systems, for example, observes approximately 2,000 files shared externally through OneDrive each year. This discrepancy highlights a common issue: having expectations without the technical knowledge to enforce them effectively.

Insecure Protocols Enabled

We do not have specific instances of exploits from insecure protocols as we address these during our initial customer setups. However, it is important to note that establishing the correct protocols is critical to ensuring your Azure tenant remains safe and secure.

Attempts to Log in as a User

While some end users may find multifactor authentication (MFA) burdensome, it is essential in today’s cybersecurity landscape. We observe around 50 instances annually where logins from outside the US had the correct passwords but failed the MFA requirement. These are almost certainly bad actors that were not able fully compromise the account simply because of MFA. We have also observed over 6,000 instances of “a large number” of failed login attempts (as defined by Microsoft) annually. Both statistics underscore the vital role MFA plays in restricting unauthorized access.

Configuring your tenant securely and implementing Conditional Access Policies (CAPs) with appropriate compensating controls are crucial steps in mitigating these types of risks. Regular monitoring and alerting on suspicious activities are equally important. This is why we developed M365 Security Basics to enhance visibility, reporting, and alerting for security settings within Entra ID (formerly Azure Active Directory). This tool is designed to help community banks and credit unions, like yours, identify and mitigate common security risks more effectively.

10 Oct 2024

Banks, Credit Unions, Security Eric Delgado 0 comment

Elevate Your M365 Security Game: Tips from Our Certified Pros!

In a recent webinar, our M365-certified security administrators provided an in-depth look at various Microsoft 365 building blocks such as security configurations, features, and policies. The session also covered the significance of secure email protocols, data protection, and the continuous evolution of cloud security technologies.

This blog highlights several key security features and best practices to help you protect your institution’s data and ensure that only authorized users gain access to critical systems.

Understanding Key Terminology

M365 vs. Office 365

Office 365 features familiar tools such as Exchange Online, SharePoint, OneDrive, and Teams. Microsoft 365 (M365) enhances this suite by incorporating additional technologies focused on security, identity, and compliance, offering a more comprehensive package.

Entra ID

Essential for identity management, Entra ID covers users, devices, endpoints, and service principals, forming the backbone of various security configurations.

Security, Identity, and Compliance (SIC)

These conceptual buckets guide the technological frameworks and policies that ensure data security, identity assurance, and regulatory compliance.

M365 Security Features Breakdown

Security Defaults

Security Defaults are designed to provide a pre-configured baseline level of security by enforcing numerous non-customizable policies and settings. Among the policy sets is one requiring multifactor authentication (MFA) device registration for all new Azure accounts with at least one sign-in. However, registration does not equal enforcement. Security Defaults will only enforce MFA conditionally based on Microsoft’s analysis.

Consider implementing per-user MFA policies to ensure comprehensive enforcement, closing gaps that might be exploited if only Security Defaults are relied upon.

Applications

Registered Applications and Enterprise Applications can pose significant risks if not properly managed. By default, Microsoft allows users to register applications, which could potentially introduce security vulnerabilities without an administrator’s knowledge.

Consider disabling this default feature and actively managing which applications receive permissions to ensure there is no unauthorized access.

Global Auditing

Microsoft’s Purview compliance technology includes a crucial feature—global auditing—that logs all actions within the organization. If compromised, these logs are vital for forensic investigations to determine the breach’s extent and enact proper remediation steps.

Consider enabling this setting, which is disabled by default.

Office Store and Trial Accounts

Allowing users to purchase licenses and trials with their work identities, including AI tools like Copilot, may expose sensitive data inadvertently.

Consider disabling the ability for users to make these purchases on their own, as restricting user capabilities ensures organizational oversight and protects against data breaches stemming from unauthorized applications.

Administrative Roles, Partners, and GDAP

Regular reviews of administrative roles and partner access, such as those granted through Granular Delegated Admin Privileges (GDAP) are crucial. Microsoft recommends a maximum of five global administrators and stresses the principle of least privilege even for partners.

Consider conducting these reviews regularly to ensure security and compliance.

Exchange Online and Communication Protocols

Mailbox Protocols

Various mailbox protocols (IMAP, POP3, EAS) carry different risks, such as allowance for or reliance on basic authentication.

Consider disabling unused protocols to minimize these vulnerabilities.

Receive Connectors

Email architectures that utilize Exchange Online with edge services provided by a third party have a vulnerability in the form of a public-facing, organization-specific SMTP relay that delivers mail to Exchange Online. This relay allows for direct connectivity and enables anonymous identities to deliver emails inbound to an organization, thereby allowing attackers to bypass the organization’s edge services entirely.

Consider implementing Receive Connectors to limit delivery authorization on the relay to the trusted edge service provider.

Sharing in SharePoint and OneDrive

Sharing capabilities in SharePoint and OneDrive can expose organizations to external threats if not properly managed. External users leveraging shared links can gain unauthorized access to sensitive information, posing significant security risks.

Consider restricting sharing capabilities to internal users to prevent external threats from exploiting shared links..

Teams External Communication

By default, Teams allows global communication, which can serve as a potential risk vector. Unrestricted external communication can lead to interactions with unknown and potentially malicious entities.

Consider locking down these settings to ensure interactions are limited to known, secure identities.

Advanced Levels of Security

Conditional Access Policies (CAPs)

These advanced security rules specify who can access resources and under what conditions, enhancing the security posture when combined with telemetry from services like Entra ID and Intune. CAPs help ensure that only authorized users under specific conditions can access sensitive resources.

Consider implementing Conditional Access Policies to enhance security by defining access conditions based on user and device attributes.

Hybrid Computer Identity

Synchronizing on-premises Active Directory computers with Entra ID allows CAPs to limit access to trusted devices only, offering a substantial security improvement over generic Windows access.

Consider synchronizing your on-premises Active Directory computers with Entra ID to allow CAPs to restrict access to trusted devices and improve security.

Intune for Mobile Device Management (MDM)

Organizations should use Intune to enroll and manage mobile devices, ensuring compliance with security policies. By integrating Intune’s compliance telemetry with Conditional Access Policies (CAPs), only compliant devices can sign in and access corporate resources, enhancing overall security.

Consider using Intune for device enrollment and compliance, and integrate its telemetry with Conditional Access Policies to secure sign-ins.

Modern MFA and Azure Information Protection

Emerging MFA technologies like push notifications and phishing-resistant methods (FIDO2) are encouraged over legacy MFA practices. Meanwhile, Azure Information Protection manages data encryption and user access, ensuring sensitive information is secure even when it leaves the organization.

Consider adopting modern MFA technologies to protect your users and Azure Information Protection to protect sensitive data.

Conclusion

By understanding and implementing Microsoft security measures, you can significantly enhance the security and efficiency of your institution’s digital environment. In addition, leveraging advanced MFA technologies and synchronizing on-premises Active Directory with Entra ID is a proactive way to fortify access control. It is also important to regularly review and update your security protocols to ensure they remain effective against evolving threats.

Don’t forget to download this handy infographic to explore overlooked M365 security features. This knowledge can help you implement everything needed under your license type to enhance your cybersecurity posture.

08 Oct 2024

Banks, Credit Unions, Security Jamie Davis 0 comment

Secure Our World: Join Us in Celebrating Cybersecurity Awareness Month

Cybersecurity Awareness Month, held annually in October, is a vital international initiative designed to raise awareness about the importance of being safe and secure online. This year’s theme, “Secure Our World,” continues from 2023 and highlights simple yet effective ways for individuals, families, and businesses to protect themselves from cyber threats.

The Cybersecurity and Infrastructure Security Agency (CISA) leads the federal efforts for this campaign. They work closely with the National Cybersecurity Alliance (NCA), known for their @staysafeonline initiative, to develop and disseminate resources that educate the public on key cybersecurity practices.

Cybersecurity Tips

Here are some essential tips provided from this year’s Cybersecurity Awareness Month campaign:

Recognize and Report Phishing: Learn to identify phishing attempts by familiarizing yourself with their common indicators, such as suspicious links or unexpected attachments. Resist the urge to click on these and ensure you delete phishing messages promptly.
Use Strong Passwords: Enhance your account security by choosing passwords that are long, random, and unique. This trifecta helps protect against unauthorized access.
Turn On Multi-Factor Authentication (MFA): Activate MFA on all your accounts, including email, social media, and financial services. This adds an extra layer of security, making it significantly harder for cybercriminals to gain access.
Update Software: Keeping your devices updated with the latest security patches is crucial. If automatic updates are not available, regularly check for updates to ensure your software is secure.

Throughout October, stay engaged and increase your cybersecurity awareness by visiting the National Initiative for Cybersecurity Careers and Studies (NICCS) Cybersecurity Awareness Month page for resources and tools. You can also follow updates using the #CybersecurityAwarenessMonth on social media.

Cybersecurity Resources

Safe Systems is also providing resources to help raise cybersecurity awareness, knowledge, and understanding for our community banks and credit unions.

Please explore some of our latest offerings:

M365 Immersion Training – Register for this complimentary, four-part series on Microsoft 365 (M365) security. Led by certified engineers, it covers essential topics including Conditional Access Policies (CAPs), Intune management, Azure AI governance, and more. Each session delivers practical insights and actionable knowledge, ensuring robust security practices for institutions using M365 core technologies. Reserve your spot.
MFA Quiz – When implemented correctly, MFA can be the single most effective tool to protect against remote attacks. Test your knowledge of how MFA works and why it is so important.
Cybersecurity Outlook Survey – We surveyed community banks and credit unions to gain more insight into their cybersecurity challenges, priorities, best practices, and how they manage cybersecurity preparedness. Discover their responses.

For more resources, visit our Resource Center, blog site, or our interactive Compliance Guru platform which provides reliable answers to your IT, cybersecurity, and information security questions. You can also follow us on our social media channels – Facebook and LinkedIn for timely news and helpful articles throughout the year.

When it comes to investing in security, Safe Systems understands that protecting your community bank or credit union can be complex and confusing. That’s why we offer multi-layered security solutions to protect vulnerability points both inside and outside your network and we have certified engineers who specialize in Microsoft cloud security.

Please join us this month in raising awareness and taking advantage of the many available resources to help your institution secure its digital environment and prevent cyber threats.

18 Jan 2024

Banks, Compliance, Credit Unions, Security, Technology Safe Systems 0 comment

Top Blogs of 2023

Our Top Blog Posts of 2023

As we begin the new year, it’s a great time to revisit some of the most popular blogs we published in 2023. Our top blogs from last year covered a range of topics, including a cybersecurity outlook, updated third-party risk management guidelines, using conditional access policies (CAPs) and multifactor authentication (MFA) to enhance security within Microsoft Azure Active Directory (AD), and NetConnect 2023. If you didn’t have a chance to read these posts—or simply want to review them—here is a recap of each of them. They offer unique perspectives, best practices, and a wealth of insights that can help your financial institution prepare for greater success in the year ahead.

2023 Cybersecurity Outlook for Community Banks and Credit Unions

Safe Systems’ 2023 Cybersecurity Outlook for Community Banks and Credit Unions revealed valuable peer-to-peer insights that can help financial institutions enhance their security posture. The survey highlights cyber preparedness and budget restraints as top security challenges of more than 50% of the 160 participating financial institutions. It also shared participants’ feedback on other important areas, including prevention and detection security layers; employee security awareness training and testing; and advanced firewall features. For instance, respondents use multiple layers of security, but less than 50% of them combine every security layer listed in the survey. Survey respondents also use a variety of security training—including resource-intensive individual instruction. In addition, most of the survey participants are taking advantage of advanced firewall features, although only 24% of 135 respondents leverage sandboxing technology to detect threats. Read more.

Updated Regulatory Guidelines on Third-Party Risk Management

In June, federal bank regulatory agencies issued updated guidelines to make it easier for financial institutions to manage third-party risks. This new guidance from the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) impacts all banking institutions that use third parties. The majority of statements in the new guidance focus on the planning, due diligence, and contract phases with an emphasis on pre-engagement. Since auditors and examiners will be looking more closely at what happens during the pre-engagement stage, institutions need to place more emphasis on scrutinizing potential third parties. Not all statements in the guidance will apply to all institutions or relationships, so we have developed an interactive checklist designed to walk you through key regulatory requirements of the third-party relationship life cycle. Read more.

Using CAPs and MFA to Enhance Security within Microsoft Azure AD

There was a surge in successful phishing campaigns last year, including sophisticated schemes that were able to bypass MFA. MFA-resistant phishing is a significant threat since this type of attack could impact a vast segment of organizations that rely on Microsoft Azure AD (now known as Microsoft Entra ID) and Microsoft M365 services to support their operations. However, financial institutions can use a variety of measures to prevent cyberattacks, including Conditional Access Policies (CAPs). CAPs, which are foundational to safeguarding identities within Microsoft Entra ID, protect the initial step of the identification chain—the sign-in attempt. To maximize protection, institutions should stack multiple CAPs, such as requiring MFA, denying sign-ins from outside of the USA, and requiring device compliance. When designing CAP logic, they should take a broad approach to the scope of the CAP to impact as many areas as possible. Institutions can take a multi-layered approach to optimizing security by leveraging multiple security tactics, technologies, and resources. Read more.

NetConnect 2023—A Glimpse into the Future of Technology and Compliance

The 2023 NetConnect Customer User Conference brought Safe Systems’ customers, employees, and partners together in Alpharetta, Ga. to discuss banking industry trends, challenges, and innovations. NetConnect 2023 provided valuable insights into banking and technology’s vital role in shaping the industry’s future. With multiple informative sessions, the conference covered the significance of hope in business, changes relating to regulatory compliance, vulnerability management, and Microsoft Azure fundamentals. Read more.

Get the latest industry developments, insights, and trends delivered directly to your inbox. Subscribe now to the Safe Systems blog.

30 Nov 2023

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

Important Industry Insights on the Use of Anti-Malware and Advanced Features for Ransomware Protection

According to the IC3 2022 Internet Crime Report, the FBI received 2,385 complaints identified as ransomware with adjusted losses of more than $34.3 million. Moreover, 870 of these complaints indicated that organizations belonging to a critical infrastructure sector, such as financial services, were victims of a ransomware attack. This makes it imperative for banks and credit unions to employ a variety of measures to protect themselves against the growing threat of ransomware attacks. Yet many financial institutions that are leveraging anti-malware solutions are not using advanced features that can help protect against ransomware threats. According to Safe Systems’ 2023 Cybersecurity Outlook for Community Banks and Credit Unions, advanced features for anti-malware/anti-ransomware solutions such as root cause analysis, advanced machine learning algorithms, and sandbox analysis only received 12% or less of the answers among the survey participants.

With advanced features, financial institutions can more effectively monitor security threats on endpoints and ascertain the source and extent of an attack. Institutions that want to enhance their ability to detect and respond to threats might consider expanding their cybersecurity budget to increase spending on advanced anti-malware and endpoint protection features.

Recovery Strategies

As part of their recovery strategies, more than one-third of 144 survey respondents say they have implemented notification measures, including notifications to customers, regulators, and applicable insurance carriers. This is critical given the recently finalized interagency Computer-Security Incident Notification Rule. It requires banking organizations to notify their primary federal regulator about any significant “computer-security incident” as soon as possible after a cyber incident happens. (A computer-security incident, as defined by the rule, is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.) Nearly 30% also leverage other important recovery strategies such as monitoring for the early detection of potential incidents and eliminating intruder access points.

Other Key Security Issues

In addition to shedding light on how institutions use advanced features for anti-malware/anti-ransomware solutions, our comprehensive survey highlights several other security issues, including Microsoft 365 services, email infrastructure, advanced firewall features, vulnerability and patch management, and more. Banks and credit unions must effectively address all of these areas to stay ahead of the constantly evolving cybersecurity landscape.

Download a copy of our latest white paper to read the complete survey findings, which can provide a deeper understanding of current cybersecurity concerns and best practices to enhance your institution’s security posture.

16 Nov 2023

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

What You Need to Know from the 2023 Cybersecurity Outlook for Community Banks and Credit Unions

As cyber threats become more complex, aggressive, and prevalent, implementing cybersecurity mitigation strategies is becoming more critical in the financial services sector. Not surprisingly, cyber preparedness and budget restraints are the top security challenges for more than half of the financial institutions that responded to the Safe Systems survey, 2023 Cybersecurity Outlook for Community Banks and Credit Unions.

Our analysis presents input from approximately 160 participants who responded to 55 questions (including multiple-choice) based on how relevant each query was to their organization.* In addition to focusing on the top security challenges, the survey highlights respondents’ input on several other critical areas, including:

Prevention and Detection Security Layers: Modern operating environments require a more robust security strategy that goes beyond implementing a basic firewall or anti-malware solution to protect their information and infrastructure from the growing number of cyber threats. Survey respondents are implementing multiple security layers, including firewall, patch management, anti-malware, email encryption, employee training and testing, vulnerability monitoring, and security log monitoring. However, less than 50% of all respondents use every security layer listed in the survey, which indicates they can do more to protect themselves against cyberattacks.
Employee Security Awareness Training and Testing: 95% of all cybersecurity issues can be linked to mistakes made by individuals, with 43% of breaches attributed to insider threats, according to the 2022 Global Risk Report by the World Economic Forum, making employee security awareness training and testing critical for financial institutions. Accordingly, survey respondents are deploying multiple types of security training, including simulated phishing attacks, self-service online training and exercises, interactive classroom training, and more. Of the 144 participants responding to this question, 60% indicate they conduct individual training based on need, which is notable because this method of instruction normally requires more time and resources.
Advanced Firewall Features: A majority of the participants responding to this question indicate that they are using one or more advanced firewall (or next-gen firewall) features, such as intrusion prevention or detection systems (IPS/IDS), transport layer security (TLS)/secure socket layers (SSL), and Geo-IT filtering. Whether managed in-house or through an outside provider, these expanded capabilities can help institutions protect their network and institution against a broad array of threats. Sandboxing, for example, provides a safe, isolated environment to execute and observe potentially malicious code from unverified programs, files, suppliers, users, or websites. Out of 135 respondents, only 24% indicate they have sandboxing despite its ability to identify threats.
Cybersecurity Preparedness: Examiners recognize the increasing volume and sophistication of cyber threats and have an increased focus on cybersecurity preparedness in assessing the effectiveness of an institution’s overall information security program. Out of 128 respondents, 52% confirm that the focus on information security, including cybersecurity, has increased during their IT audits and exams. IT examiners and auditors are also reviewing whether institutions have completed any of the common cybersecurity assessments (e.g., CAT, ACET, or CRI/NIST), and they are using them to evaluate institutions’ security posture during an exam. According to the same respondents, 43% say they had their cybersecurity assessment reviewed and used as part of their latest IT exam, and 39% indicate that they received recommendations based on it.

To access the complete survey and gain valuable peer-to-peer insights that can help your institution enhance its cybersecurity decision-making process, read “2023 Cybersecurity Outlook for Community Banks and Credit Unions“.

* The number of respondents varies per question. For multiple-choice questions, the Percent (Respondents) is calculated by dividing each answer count by the total unique respondents, and the Percent (Answers) is calculated by dividing each answer count by the total counts collected.

26 Oct 2023

Banks, Credit Unions, Security, Technology Jamie Davis 0 comment

The New Rules and Best Practices of Password Security

Passwords have always been a reliable option for digital security. In the early days, you simply provided something that only you knew to authenticate yourself, and voila, your identity would be confirmed. But the world of passwords has changed. Initially, they were easy―you had fewer of them; you often needed physical access to use them; and people were just nicer back then. At least, that’s the way I remember it.

But did people really change… or did the world just get smaller with the growth of the internet—giving bad actors greater access to our digital domains? One thing is clear, password security requires new rules and strategies to keep up with the fast-changing cyber landscape. In addition to following best practices for creating strong passwords, you also need to consider employing multifactor authentication (MFA) or adopting a password management solution.

Embracing MFA

Whenever possible, you should avoid relying solely on passwords. The better option is to implement MFA, which adds another layer of security. While there are MFA-resistant phishing attacks, enabling MFA significantly minimizes the risk of compromise. In recent years, MFA has evolved to become more robust and secure, and there are different levels of quality in MFA. For instance, Microsoft Modern MFA doesn’t merely require you to click “accept” on a device; you have to input a numerical code to confirm the login attempt. (Always use the most advanced and newest version that aligns with your user base’s tolerance.)

Using a Password Manager

There are situations where MFA is not available or does not make sense to use. In these cases, passwords may be your best or only option. This indicates the importance of using some type of password management solution. A password management tool can be an effective way to keep track of the plethora of passwords that most people have. The average person has more than 100 passwords, according to a study by Nord Pass. That’s too many passwords for anyone to remember.

As a low-tech solution, some people write their passwords down in a notebook. If the book is securely locked away, this method may be acceptable, but it’s not ideal. However, I recommend using a software-based password management system that allows the user to create one login to access all their passwords. Only use a digital password manager that offers MFA to access passwords. If you’re not sure which solution to choose, there are numerous resources to guide you like this article from CNET. However, the best option for you will depend on your specific needs and goals.

Best Practices for Creating Strong Passwords

Password best practices have changed over the years. But as a general rule, you should never—ever—recycle a password. An existing password may be easier to remember and more convenient to reuse. But it’s not worth the risk; if your password is stolen, every place you have used it could be compromised.

You should also avoid including personal details in passwords. For example, don’t create a password using your child’s initials and birth year—no matter how cleverly you format it. (I know, you’re thinking: “But I used lower and upper case and separated them with a comma.” Trust me, so did the database that is being run against your accounts.)

It’s also important to ensure that every site, application, etc. has a strong password. Here are a few techniques for crafting strong passwords:

Make them long. Aim for at least 14 characters—or even longer—since you can easily copy and paste them into your password management tool. Some sites and applications often have character restrictions for passwords. In these cases, focus more on creating a random password that will be more difficult for someone to guess.
In situations where you frequently use a password and copying it from a management program is not an option, consider using passphrases. Instead of choosing a simple password like “BillyJoe1998,” use “BillyJoeGraduatedIn1998.”
“i” and “l’s” became “1’s”
“a” became “@”
“e” became “3,” which looks similar to a backward capital “E”
Still, another option is to insert punctuation between words. If you added “!” to the previous password, it would read B111y!J03!Gr@du@+3d!1n!1998.

Using a combination of these approaches is the best way to make passwords more complex and secure. Ultimately, the key to protecting your passwords is to constantly adapt and remain vigilant in the ever-evolving world of digital security.

06 Mar 2023

Banks, Credit Unions, Security, Technology Eric Delgado 0 comment

MFA—Why You Can’t Set It and Forget It

MFA - Why You Can’t Set It and Forget It

Multifactor authentication (MFA) is not a static, set-it-and-forget-it process. Financial institutions must constantly monitor—and make necessary adjustments—to ensure effectiveness so that only authorized users are accessing their network, data, and services.

MFA Methods and Risk

Some of the most common MFA methods, particularly with Microsoft Azure are:

FIDO2 security key
Microsoft Authenticator app
Windows Hello for Business
OATH hardware/software tokens
Short messaging service (SMS)
Voice calls

FIDO2—the latest and greatest MFA—enables easy and secure authentication. It takes passwords out of the equation and instead uses public key cryptography for authentication to enhance security. The Microsoft Authenticator app is also capable of passwordless authentication in Azure, which is making it an increasingly popular option. This modern multi-factor authentication method can act as a FIDO2 key, send push notifications, and support user awareness by providing location and client data within the app.

Windows Hello for Business is another form of advanced authentication that is also capable of passwordless authentication. However, institutions should be careful when implementing this approach to MFA because it can entail unique stipulations.

Two of the riskiest types of authentication are MFA facilitated by either SMS or voice calls. SMS-enabled MFA, which combines the use of a text message and code, is one of the most frequently used methods of authentication. However, since text messages are not encrypted, they are vulnerable to telecom tower relaying interference. Because of this vulnerability and its wide adoption, SMS is a major target of attackers. Voice calling, which uses telecom services to call with the code, is another risky form of MFA because it is possible that someone else could intercept the phone call.

For any TOTP-based method of MFA, there is an inherent risk of users giving away the codes. This can be accomplished via clever phishing techniques or malicious applications on mobile devices.

Combining MFA with Other Defensive Layers

Today’s sophisticated cyberattacks often attempt to exploit weaknesses that are present in the MFA workflow. Unlike traditional attacks that sought to bypass basic authentication protocols, newer schemes tend to follow normal MFA workflows to exploit human behavior. Attackers are also using other creative strategies to effectively circumvent MFA requirements. For example, they may hijack an already MFA-authenticated session to gain unauthorized access.

To evade cyberattacks, institutions must go beyond taking a relaxed, set-it-and-forget-it stance for MFA. They must enhance MFA by adopting newer more modern methods for their users. They must also be cognizant of attacks that can effectively bypass MFA, as we have seen with MFA-resistant phishing scams. To compensate for these newer styles of attacks, institutions should seek to implement multiple layers of security. In Azure, this will mean the adoption of Conditional Access Policies (CAPs). Stacking multiple CAPs targeting various combinations of MFA, apps, clients, locations, compliance status, and device types is the best way to improve an organization’s security posture. For more information about this important topic, watch our webinar on “MFA–Why You Can’t Set It and Forget It.”

23 Feb 2023

Banks, Credit Unions, Security Jamie Davis 0 comment

Mitigating Sophisticated, MFA-Resistant Phishing Scams

Phishing attacks are becoming more complex—and successful—making them more problematic for companies to combat. As a prime example, a recent phishing scam has been circumventing multifactor authentication (MFA) to successfully breach multiple companies. The attacks, which seem to be targeting banks and credit unions, are a stark reminder of the constant cyber threats that financial institutions face and the importance of following effective risk mitigation tactics.

The recent email scam is a sophisticated scheme; it exploits weaknesses in MFA and essentially bypasses them to launch an attack. The attackers deploy deceptive emails to obtain employees’ Microsoft 365 (M365) usernames, passwords, and MFA codes, and then they use this information to try to wire money outside the institution. Not only are these assaults breaching the initial targets, but they are also using the victims to infiltrate other companies.

The phishing scheme can be particularly detrimental to institutions that are not employing Azure Active Directory (Azure AD) Conditional Access Policies to bolster their security in Azure. Since Azure AD manages login credentials for users allowing them to access multiple M365 services and internal accounts from anywhere online, it is critical to apply access controls that provide another layer of protection beyond MFA.

Addressing Phishing Threats

There are various steps banks and credit unions can take to address MFA-resistant phishing attacks. Since humans are the weakest link in cybersecurity, institutions should ensure their employees are immediately informed about this particular phishing attack. They should also train employees regularly to recognize phishing emails so they can avoid being deceived. The key: Make sure employees know not to input their username and password in any link they receive by email.

Although this specific threat has the potential to exploit weaknesses in MFA, financial institutions should still implement this authentication method as it remains one of the most effective at blocking account compromises. As previously mentioned, it is also important to increase protection against attacks by adding Azure Conditional Access Policies to the Azure environment. Another preemptive step is to employ a monitoring and reporting solution for the Azure tenant. Often once a system is breached, attackers go into the tenant and create new rules to cover their tracks. Visibility into security settings through proactive reporting and alerts can make it easier for institutions to detect any suspicious activity or changes with logins and email rules, helping them stay on top of potential threats.

How Safe Systems Can Help

It can be challenging for many institutions to effectively manage their access and security settings in Azure AD and M365. However, Safe Systems offers CloudInsight™ M365 Security Basics to make the task easier. The CloudInsight™ collection of products offers a variety of reports and alerts that are specially designed to help institutions enhance their awareness of the Cloud. M365 Security Basics provides visibility into security settings for Azure AD and M365 tenants to help institutions detect targeted phishing or SPAM attacks. It can also expose other common risks like compromised user accounts, unknown users and forwarders; unapproved email access; and the unknown use of sharing tools. With M365 Security Basics, community banks, and credit unions can receive the expert insights they need to minimize, limit, or stop sophisticated phishing attacks.

07 Feb 2023

Banks, Compliance, Credit Unions Safe Systems 0 comment

Highlights from our Annual Look Back at Regulatory Updates

As 2023 continues to unfold, there are some important regulatory compliance tips, tricks, and trends that financial institutions should review from last year and consider in the future.

Looking Back

Two key issues to revisit from 2022 are the new Computer-Incident Notification Rule and updates to the 2018 Cybersecurity Resource Guide for Financial Institutions. The incident notification rule—approved in 2021 by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve System, and Office of the Comptroller of the Currency (OCC), went into full effect in April 2022. Under the rule, banking organizations must promptly notify their primary federal regulator of certain computer security incidents that rise to the level of a notification incident within 36 hours. Anything that could materially disrupt or degrade your critical operations could be classified as a notification incident. Most institutions should have already adjusted the policies and procedures of their incident response plan to comply with the new notification requirements. If they haven’t, they should do so immediately because this will undoubtedly be an issue in the next examination cycle.

The rule also obligates third parties to report certain events that occur, so financial institutions should cover this issue with new vendors and those renewing contracts. Institutions should ensure that all contracts specify under what conditions third parties must inform them of any incident. Contracts should also identify at least one contact person to notify within the institution if an event occurs.

Late last year, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Resource Guide, which is designed to help financial institutions meet their security control objectives and prepare to respond to cyber incidents. The revised guide features updated references and a list of ransomware-specific resources, which is well warranted given the increasing frequency and complexity of ransomware incidents. The guide now includes eight different cybersecurity assessment tools that institutions may use, along with the “gold-standard” Cybersecurity Assessment Tool (CAT) to combat the evolving threat of ransomware.

Looking Ahead

This year, ransomware will continue to be one of the key areas of focus for financial institutions—as well as auditors and examiners. Institutions should also start thinking of using the term “third-party risk management” instead of “vendor management” to match an impending shift in interagency guidance. The new terminology is more than just semantic, it represents a shift in how the agencies define anyone with whom you interact; including those with or without a contract, and with or without the exchange of compensation. Regulators will be releasing new guidance relating to the issue of third-party relationships and risk management. The stronger emphasis on third-party risk management is significant because it implies a broader and deeper scope of responsibility for institutions in terms of their engagement and oversight processes.

In addition, the guidance will likely propose a six-part, third-party risk management process. The process, for instance, will cover key areas like early planning, selection due diligence, and contract negotiation. It would be wise for institutions to begin contemplating these new expectations and how they will navigate the different aspects of third-party risk management in the future.

Anticipated Trends

There are also some potential trends that financial institutions should be aware of going forward. Based on their actual recommendations or observations, auditors and examiners expect institutions to:

Identify tolerances for processing and data recovery times for ransomware events—separately from the standard recovery times (RTOs) established in the business impact analysis.
Have a list of forensic experts available to call if they require assistance with cyber events. (Your cyber insurance provider may require you to utilize their associates, so it’s best to check.)
Formalize vendor information and ensure their management team is periodically updated about third-party risk management practices.
Have project management policies that address steps to request and approve new applications, including licensing, contracts, business justification, integration, and risk assessments.
Make provisions for succession planning for IT, which is a key component in the risk management program. (If necessary, smaller institutions might consider outsourcing the IT role to ensure an appropriate succession plan is in place.)

Read more about this topic by accessing our webinar on “Regulatory Tips, Tricks, and Trends—Looking Back and Ahead.” Or contact us for more information about how our compliance services are specially designed to help community banks and credit unions meet their regulatory requirements.

09 Mar 2022

Banks, Credit Unions, Technology Eric Delgado 0 comment

Microsoft Azure and 365 Security Basics Continued

When your institution acquired Microsoft 365 (also known as M365 and formerly called Office 365), it automatically created a Microsoft tenant with Azure AD. Since that tenant belongs to your organization, you are responsible for managing Azure AD and its security settings. Microsoft Azure services enable various default features that could be incompatible with the security, identity, and compliance requirements of your institution. it’s essential to customize the settings in Azure AD, M365, and Exchange Online (or Azure AD Premium P1, Intune, and Azure Information Protection) to fit your organization’s needs.

Customizing Azure AD Defaults

Security Defaults — Turn on security defaults to make it easier for your institution to thwart cyberattacks by using preconfigured security settings. (If your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.)
Password Policy — Configure the password policy applied to every user account that is created and managed directly in Azure AD. (Institutions with on-premises AD password policies governing password expirations should expect to manually synchronize their Azure AD password policy and their on-premises AD password policy.)
Azure AD Device Registration — Prevent users from joining devices on their own and require multi-factor authentication (MFA) to register or join devices with Azure AD.
Enterprise and Registered Apps — Keep non-administrator users from arbitrarily adding enterprise or registered applications, which can significantly increase risk. Afterwards, make sure to review every enterprise and registered application.
External Collaboration — Restrict regular users from inviting guests for collaboration and keep guest users from signing into your apps and services with their own work, school, or social identities.
Hybrid Identity with Password Hash Synchronization — Employ a hybrid identity architecture to synchronize users from on-premises Active Directory to Azure AD to minimize the number of identities users have across various platforms.
Azure AD Administration Portal — Limit regular users’ ability to read data in the Azure AD Administration Portal.
Administrator Review — Grant administrators only the specific permission they need to do their job and limit the number of static Global Administrator role assignments to fewer than five people.
Partners – When working with Microsoft-certified solution providers (partners) to purchase and manage solutions for your institution, they could be granted Global/Helpdesk admin roles giving them delegated administrative capabilities to your Azure instance. Make sure to review all partners and their delegated rights regularly.

Altering M365 and Exchange Online Settings

In M365, you can customize a variety of settings. In OneDrive, SharePoint Online, and Teams, look at configuring external collaboration capabilities of users. For Exchange Online, there are many settings to review but one to start with is the current forwarding capabilities and settings for users both globally and per-user. Modifying or reviewing these settings is highly advisable since they are inherently designed to facilitate interaction and external collaboration. In addition, you can use the Protection Center to secure mobile devices that are connected to your Microsoft 365 organization; the Security Center to refine email management; the Compliance Center to implement an effective data retention policy; and the M365 Admin Center to enhance security with modern authentication, which encompasses MFA. (According to Microsoft, 99.9 percent of account compromises can be blocked with MFA.)

And with the proper license, you can further enhance cloud security by optimizing the settings for Azure AD Premium P1, Intune, and Azure Information Protection.

M365 Security Basics Solution

Once your institution has sufficient settings in place to support your policies, it is essential to monitor for exceptions with reporting and alerting features such as those provided with Safe Systems CloudInsight™ M365 Security Basics solution. Financial institutions that partner with Safe Systems can gain critical visibility into their security settings helping them successfully navigate the complexities of optimizing M365’s features..

For more information about how your institution can optimize Azure AD and O365/M365 settings to improve cloud security, download our white paper on “Azure and M365 Security Basics.”

Important Disclaimer

The security settings that are discussed in this paper can have a dramatic impact on end-users and/or service functionality and should only be employed if deemed appropriate and after careful consideration. There are a variety of security options available, but organizations should strive to implement these technology services strategically and, ideally, through planned phases of objectives over potentially several months or even years. The recommendations, statements, and other concepts contained within this paper are provided primarily for the consideration of IT Administrators of financial institutions.

01 Mar 2022

Banks, Credit Unions, Technology Eric Delgado 0 comment

Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

It can be challenging for financial institutions to manage security, identity, and compliance within Microsoft Azure Active Directory (Azure AD) and Microsoft 365 (also known as M365 and formerly branded as O365). Understanding the services and settings of the Azure AD and M365 ecosystem can make the process easier for IT administrators.

Some of the basic security settings that apply to most organizations fall under the free license level for Azure AD. These are also some of the low-hanging fruit that institutions can easily implement to make a dramatic difference in their security.

Security Defaults

One of the settings that can have the biggest impact is security defaults, which can be enabled to enforce a set of non-configurable conditional access policies. The policy set in Azure includes the ability to require multifactor authentication (MFA) and MFA registration for all users. It also offers the capability to block legacy authentication, which should be a high-priority goal for any organization.

Hackers can exploit basic authentication to effectively bypass MFA, which is a fundamental security service we recommend that every institution implement. If your institution has gone through the effort of enforcing MFA for users—but you’re not blocking basic authentication explicitly—there’s a major security gap. That gap should be addressed immediately, especially given Microsoft’s plans to decommission basic authentication protocols in Exchange Online in October 2022.

Identity Considerations

It’s also crucial to review the identity architecture for your financial institution. Any user, device, or app connecting to Azure should have an identity, whether it’s a guest user, mobile device, Mac OS device, or a Windows computer, so it can be assigned data access rights or even take on administrative capabilities. Every identity outside of Active Directory—which is the primary identity for users in many institutions—is another attack vector in a different system. An effective way to manage different identities is to consolidate them by sourcing them at the AD level and then synchronizing users and their password hashes to Azure AD. You should also review the level of access for all administrators as well as partners as they represent a huge risk downstream. Reviewing the level of access for partners goes beyond security; it’s also a matter of regulatory compliance.

Additional Considerations

Depending on your institution’s license level, there are additional Azure and M365 settings you can adjust in the areas of protection, compliance, and administration. For example, global auditing is an essential setting that should be enabled to augment security and facilitate troubleshooting after attacks. You should also block settings allowing for open collaboration and outbound email forwarding to avoid data loss and minimize cyberattacks.

If your institution is at the M365 level, it also needs the mobile device management (MDM) platform that offers sufficient protection. Exchange Online has built-in MDM capabilities but these capabilities do not extend to all M365/O365 apps.

Conditional access policies govern sign-ins and attempts. They can enable the enforcement of MFA and are the highest control layer for determining who has access to the data within Azure’s security ecosystem.

Since data lives outside of Exchange Online in the M365 world, if your institution has specific compliance requirements for retention, your retention policies will generally need to extend to all data.

M365 Security Basics

Adjusting all the security settings of Azure AD and M365 can be a daunting task, especially since Microsoft is constantly updating the features of its technology services. Our CloudInsight™ M365 Security Basics solution provides insights into security settings for Azure AD and M365 tenants. It helps IT administrators navigate the complexities of customizing their institution’s security settings through three services: reporting, alerting, and quarterly reviews.

The reporting service provides ongoing Microsoft data and packages it into a readable format that shows security settings at a glance, allowing institutions to easily see irregularities, such as when users sign in from Outside of the USA. Alerting sends a notification when an activity indicates that a potential compromise has occurred. With the quarterly reviews, trained experts analyze the settings, reports, and alerts and review them with administrators so they can speak with confidence to their board, steering committees, and auditors about their institution’s technology services and cloud security.

If you need help understanding how M365 Security Basics can support your financial institution’s risk mitigation or strategic planning efforts, contact us. You can learn more about this topic with our “How to Manage Security Identity and Compliance within the Microsoft Azure and M365 Ecosystem” webinar.

Important Disclaimer

28 Dec 2021

Banks, Credit Unions, Security Jamie Davis 0 comment

Cybersecurity Insurance and Multi-Factor Authentication

Financial institutions are increasingly embracing cybersecurity insurance as an important aspect of their information security program. Cyber insurance can offer vital coverage to protect businesses from various technology-related risks. Data breach insurance, for example, helps companies respond if personally identifiable information gets lost or stolen from their computers—whether intentionally by a hacker or accidentally by an employee. Cyber liability insurance offers expanded protection to help businesses prepare for, respond to, and recover from cyberattacks.

As cybercrimes continue to intensify, more cybersecurity insurance companies are calling for organizations to employ multi-factor authentication (MFA). Some carriers are even refusing to provide insurance quotes to companies that are not using this authentication method. From their perspective, MFA adoption makes perfect sense; it keeps unauthorized individuals from accessing sensitive information, reducing ransomware, data breaches, and other cyberattacks. This, in turn, minimizes insurance claims and saves carriers money.

For insurance providers, MFA is appealing because it lowers cyber risk by requiring users to verify who they are. The individual must furnish valid identification data followed by at least one other credential: a password, one-time passcode, or physical characteristics like their fingerprint or face. This strict authentication system allows organizations to certify people’s identity—before granting them access to sensitive information, an account, or other assets—and this can significantly strengthen their security.

While MFA is heavily promoted by many cyber insurance companies, an institution’s regulators may not require financial institutions to use multi-factor authentication. However, implementing MFA for a whole internal network may not be a simple task. Depending on the solution, it may require installing agent software to all the endpoints requiring MFA and configuring appropriate “break-glass” accounts for emergency use, which creates more infrastructure to be monitored and managed.

MFA Implementation Tips

To simplify MFA implementation, Banks and credit unions can apply a sequenced strategy instead of jumping straight to the internal network. As a first step, institutions can ensure MFA is turned on for all remote-access users, including creating endpoint control policies for their devices. The next logical step would be to lock down MFA for cloud applications. This includes Microsoft Online services like M365 (formerly Office 365) and Azure Active Directory (Azure AD). These solutions come with a variety of free security features that organizations can customize to their business requirements. Even at low licensing levels, these products allow MFA to be turned on for all users—which can be highly effective for averting business email compromise and ransomware attacks. But institutions will need higher-level licensing if they want to make conditional access policies based on the specific location, identity, or device of users. Azure AD Premium P1 and M365 Enterprise E3, for example, have a variety of advanced features that allow conditional access policies to be established to enhance security.

MFA is just one layer of security for banks and credit unions to consider. We hope this post provided some insight into applying MFA for both security and insurance purposes. To learn more about this topic and other security layers, listen to our recent “Ransomware, Cybersecurity, and MFA” webinar, hosted by our Chief Technology Officer, Brendan McGowan.

06 Dec 2021

Banks, Credit Unions, Security Jamie Davis 0 comment

How Layered Security Can Address Growing Cyberthreats

With the increasing complexity of cyberattacks, financial institutions need to implement more effective—and comprehensive—security measures. They need a variety of elements to create a layered approach to secure their data, infrastructure, and other resources from potential cyberthreats.

Many organizations rely on a castle-and-moat network security model where everyone inside the network is trusted by default. (Think of the network as the castle and the network perimeter as the moat.) No one outside the network is able to access data on the inside, but everyone inside the network can. However, security gaps may still exist in this model and others. The best approach to compensate for gaps is to surround the network with layers of security.

The basic “table stakes” for a layered security approach include a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process. Banks and credit unions could also invest in additional and more sophisticated layers but each one will have associated acquisition and management costs, along with ongoing maintenance. So, it’s prudent for institutions to invest only in the number of layers/solutions they can competently manage.

Key Concerns

Today the top IT security concern for many organizations is ransomware. Due to the proactive measures many financial institutions have taken, the banking industry has fewer security breaches than health care and some other industries thus far. However, when a breach does happen to a financial institution, the impact is more costly than breaches occurring in other industries.

Four-Layer Security Formula

With these concerns in mind, here’s a four-layer “recipe” organizations can employ to improve their security posture:

Training and Testing: Using email phishing tests can serve as a good foundation for minimizing BEC and other social engineering threats.
Network Design: Institutions should refresh older networks to segment their components into different zones. It’s no longer sufficient to have servers, workstations, and printers sitting in one IP space together.
Domain Name System (DNS) filtering: DNS filtering prevents potentially damaging traffic from ever reaching the network. Because it proactively blocks threats, this makes it one of the most effective and affordable security layers institutions can apply.
Endpoint Protection: Institutions should have this type of protection on each of their endpoints, and the best endpoint protection tools have built-in ransomware solutions.

Other Important Considerations

It’s important to back up data regularly and ensure that those backups are well beyond the reach of ransomware and other threats. (Backups done to a local server that’s on-site and are still on the network may be susceptible to ransomware.) One way to address this issue is to have immutable backups, which are backup files that can’t be altered in any way and can deploy to production servers immediately in case of ransomware attacks or other data loss. Another option is to send backups to a cloud solution like Microsoft Azure Storage, which is affordable and easy to integrate because there are no servers to manage.

Another crucial element in security is Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption protocol, which can be somewhat of a double-edged sword. About 80 percent of website traffic is encrypted to protect it from unauthorized users during transmission. Traditional firewalls don’t have the ability to scrutinize traffic against a content filtering engine, which means savvy hackers can hide ransomware and other dangerous content inside. But firewalls with advanced features are capable of TLS/SSL inspection; they can decrypt content, analyze it for threats, and then re-encrypt the traffic before entering or leaving the network.

There’s an array of security solutions that institutions can implement to establish layered protection against cyber threats. For more insights about this topic, listen to our webinar on “Cyber Threats, Why You Need a Layered Approach.”

21 Sep 2021

Banks, Credit Unions, Technology Marshall Jones 0 comment

Multi-Factor Authentication Offers Secure, Reliable Access Control

In our increasingly digital world, financial institutions must go beyond requiring only usernames and passwords for the sign-in process. They need to employ a combination of factors to validate the individuals using their resources, whether they’re customers accessing electronic products and services or employees accessing systems, applications, and data. Institutions can choose various levels of authentication to verify people’s identity before giving them access to sensitive information, accounts, and other assets. However, multi-factor authentication (MFA) offers a secure and reliable approach for reducing the potential for unauthorized access.

One of the key values of MFA lies in its use of multiple factors for the validation process. MFA adds a layer of protection by requiring users to present a variety of elements to prove who they are. With this method, users must supply valid identification data such as a username followed by at least two types of credentials, such as:

Something the person knows: This represents “secret” information that is known or shared by both the user and the authenticating entity. Passwords and personal identification numbers (PINs) are the most commonly used shared secrets, but newer methods of identification are gaining popularity. Users may be required to answer questions that only they should know, like the amount of their monthly mortgage payment. Another example is they might have to identify their pre-selected image (chosen when they opened their account) from a group of pictures.
Something the person has: This is often a security token or a physical device, such as an I.D. card or smartphone, that people must have in their possession. Password-generating tokens can significantly enhance security because they display a random, one-time password or passcode that the recipient must promptly provide to complete the authentication process. Having unpredictable, one-time passwords makes it more challenging for hackers to use keyboard logging to steal credentials.
Something the person is: This more complex approach to authentication uses a physical characteristic (biometrics) such as face, fingerprint, or voice recognition to verify people’s identity.

Since MFA incorporates factors based on knowledge, possession, and/or biometrics, it makes it more difficult for cybercriminals to compromise people’s identity. Thus, MFA is an ideal verification method to use when more sensitive or critical assets are at stake. MFA is so reliable that the Federal Financial Institution Examination Council (FFIEC) recommends applying it in more high-risk situations. “Management should use multi-factor authentication over encrypted network connections for administrators accessing and managing network devices,” states the FFIEC IT Handbook’s Architecture, Infrastructure, and Operations booklet.

MFA gives financial institutions a valuable security control for their internal and cloud resources. Take our quiz to see how much you know about multi-factor authentication.