Tag: Webinar Promotion

08 Jun 2023
Maintenance Best Practices to Enhance Azure Security

Maintenance Best Practices to Enhance Azure Security

Maintenance Best Practices to Enhance Azure Security

Financial institutions that use Microsoft Azure with Exchange Online, OneDrive, and SharePoint can apply good maintenance practices to enhance their security in the Cloud. They can employ a variety of Azure Active Director (AD) concepts to summarize their data and ultimately recognize anomalies to make the cloud environment more secure. Two of the main areas that institutions can examine to identify inconsistencies are users and devices.

Anomalies with Users

The primary Azure AD user properties to analyze are the user type, synchronization status, disabled status, and creation date. Within user type, if there are a significant number of guest users, this can raise an obvious red flag especially if there is no justification for guest users to exist. In this case, for guest users without a specific approved use case, the best option is likely to delete the user.

It can be more difficult to detect abnormalities within the synchronization status of some users, especially those being synchronized to Azure AD from on-premise AD. The key is to build a good baseline to use for comparative analysis. Because users are sourced on-premise, this number should be quite familiar. But if the number does not match expectations, it should be obvious and prompt further scrutiny.

Accounting for cloud users can also be challenging because they typically are not tracked as closely as on-premise users. But if the number of cloud users drastically changes, this may indicate an anomaly. In addition, IT administrators should be cognizant of modifications involving disabled users. If the number of disabled users changes, the situation should be reviewed to determine why.

Creation date is a unique kind of property in that it relates to both security and utility. Identifying an anomaly here should be fairly simple; the number of users should match expectations. For example, if the number of users spikes abnormally for a particular day, it definitely warrants investigation.

Inconsistencies with Devices

Another critical form of identity in Azure AD is devices, including desktops, laptops, phones, and tablets. In terms of device management, we can focus on Azure AD, Intune, and Exchange Online. Having access controls with devices makes it easier to recognize anomalies. With strict access policies, the number of devices connecting should not change significantly without an administrator’s knowledge.

Conversely, spotting anomalies becomes more difficult without stringent access policies. If IT administrators are relying on default settings, those default policies will allow users to enroll devices on their own. Administrators should build a baseline to see where their numbers are and monitor device enrollment accordingly.

Scrutinizing synchronization status can also reveal inconsistencies. IT administrators should remove devices that have not been synchronized in at least 30 days and those that have no sync data, which represents a gray area. Closely monitoring the synchronization status makes device management easier and more secure going forward.

The Maintenance and Security Connection

We have seen several real-life scenarios that illustrate the connection between maintenance and security. Here’s a common type of situation that involves the creation date and sync status: You notice that a new user was created unexpectedly, which is suspicious. You investigate, starting with the synchronization status, and find that the number of cloud users does not match. Next, you review Azure AD details based on the display names and do not see the new user. Then when you examine the users by creation date, there are only existing users.

This leads to an interesting question: Can you have more than one user in Azure AD with the same name? The answer: yes and no. There are a variety of name properties, however, the User Principal Name (UPN) must be unique. If you notice that the UPN of two users is ‘identical’ check again. Look for characters that might appear the same due to typography. It could indicate intentional obfuscation and represent a form of attack on your organization. In this case, if a user is already being created as a component of an attack, it would be safe to assume some form of administrative account has been compromised.

This type of attack could happen to almost any financial institution, and it shows the importance of using ongoing maintenance to discover irregularities. Good maintenance leads to better security in Azure AD, and Safe Systems’ CloudInsight™ family of products can assist in these efforts. They provide reports that make it easier for community banks and credit unions to catch anomalies, so they can improve their security posture. For more insights about this topic, watch our “Good Maintenance Leads to Better Security in Azure” webinar.

02 Jun 2023
The Virtual ISO: Best Practices for Maximum Effectiveness

The Virtual ISO: Best Practices for Maximum Effectiveness

The Virtual ISO: Best Practices for Maximum Effectiveness

The concept of a virtual information security officer (VISO) has been gaining more traction with regulators and financial institutions. In the past, regulators have said very little about institutions using a virtual ISO. But recently, the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), and Federal Reserve System have expressed at least conditional approval of the idea. They indicated that virtual ISOs can be a viable option—as long as their activities are subject to the same oversight requirements as in-house ISOs.

These regulators caution financial institutions to be careful when considering the risks and benefits of using a virtual ISO. They advise institutions to do their due diligence prior to choosing an external ISO partner, just as they would before selecting any other key vendor or critical service provider. These and other best practices can help institutions strategically leverage a third-party solution to maximize the effectiveness of the virtual ISO role for their organization.

Approaches to Implementation

There are three broad approaches to implementing a virtual ISO solution: do-it-yourself (DIY), hybrid, and off-load. These models come with specific benefits and responsibilities that institutions should carefully consider. Here is a summary of each approach:

  • DIY: This model typically provides some apps, tools, checklists, templates, and other pre-packaged components that allow institutions to fill in the blanks. One-on-one consultation with a human would be relatively limited and likely provided for an extra charge.
  • Hybrid: This approach often includes a complete set of tools: apps, templates, pre-configured reports, and sometimes pre-configured policies. Some consultation is also provided, which makes this model better suited to institutions that require a higher level of support.
  • Off-load: With this model, the virtual ISO vendor does most of the heavy lifting, providing extensive consultation, on-demand reporting, and other ISO requirements. However, as is the case with the hybrid model, the financial institution remains responsible for understanding and approving all actions taken by the vendor on behalf of the institution.

Our Virtual ISO Model

At Safe Systems, we offer a hybrid virtual ISO model—ISOversight™—that supports regulatory guidance on the ISO’s role as prescribed by the Federal Financial Institutions Examination Council (FFIEC). Our model is a moderately priced, middle-ground solution that is ideal for community banks and credit unions with limited internal resources. It combines a suite of integrated compliance apps with a dedicated lead consultant, allowing institutions to benefit from the expertise of our entire compliance department. What’s more, ISOversight provides institutions with a more objective, arms-length perspective on information security. The FFIEC Management Handbook states that “To ensure independence, the CISO/ISO should report directly to the board, a board committee, or senior management and not IT operations management.” Having these two critical roles formally separated makes it easier for the network administrator to be in more of a support function for any resident or virtual ISO, which can minimize audit or exam findings related to a possible “conflict of interest” or “concentration (or separation) of duties.”

Although the apps are useful tools that assist institutions with day-to-day tasks, the key to ISOversight’s effectiveness is the consultive and advisory piece provided by the ISOversight lead consultant. Our consultants are all information security subject matter experts, with decades of experience. We know what tasks need to be completed, with what frequency, and by what groups or individuals. We hold regular touchpoint meetings with the ISO, and often the network administrator and other third-party consultants, to ensure institutions stay on track. After each touchpoint, we also provide a comprehensive point-in-time summary report on the current status of their information security processes that the ISO can then present to the steering committee and the Board.

In addition, our consultants will often engage with clients as they prepare for and respond to an audit or exam, but it’s not unusual for us to consult directly with the auditor and examiner during the engagement. We encourage this, as it helps ensure the FI is providing auditors and examiners with exactly what they are requesting (no more and no less), which avoids unnecessary confusion, possible issue escalation, and over (or under) commitment by management. In addition to the advisory piece, the ISOversight apps keep things organized, making it easier for customers to manage their policies and procedures and all the associated documentation, and provide customizable email alerts when tasks come due.

To date, we have found that ISOversight has proven to be a great fit for many institutions and for many different reasons. For example, it is extremely helpful in situations where the IT administrator or ISO has recently left or has transitioned to a new role. Another good application for the virtual ISO role is when the size and complexity of the institution make the day-to-day information security responsibilities too burdensome, or when the institution just wants to free the existing admin or ISO from the uncertainty of the rapidly evolving regulatory landscape.

Whether it’s third-party risk management, business continuity management, cybersecurity, or strategic planning, guidance is clear that ISO’s have very specific responsibilities and should be held accountable for their completion. ISOversight assures all tasks the ISO is responsible for are addressed in a timely manner, that all current regulatory guidelines and best practices are met, and just as importantly that on-demand, stakeholder-specific documentation is available to confirm all related activities. Ultimately, selecting the right virtual model and the right vendor can often translate into “cleaner” audits and exams, resulting in a less stressful, more productive staff, a more compliant and more secure environment, and a better-informed management team.

To learn more about this topic, listen to our webinar on “The Virtual ISO: Best Practices for Maximum Effectiveness.”

05 Apr 2023
Evolution of Third-party Management

Evolution of Third-party Management

Evolution of Third-party Management

Pending interagency guidance on the management of third-party relationships will significantly alter how financial institutions (FIs) handle risks related to external service providers. The new guidelines will increase the complexity and responsibility of third-party management for banking organizations in the near future. These standards will apply to all financial institutions—including community banks—with third-party relationships.1

The updated guidance—proposed jointly by the Board of Governors of the Federal Reserve System (the Board), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC)—will consolidate2 the agencies’ separate rules into a single common guideline built around the OCC Bulletin 2013-29. The proposed guidance states that “the new framework is based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.”

Increased Regulatory Expectations

FIs s need to consider the key implications of increased regulatory scrutiny in this area, particularly where they expand on current expectations. For instance, regulators will expect them to do more due diligence on the pre-engagement side, which affects the initial selection and contract negotiation process. Institutions will also be held more accountable for understanding and predefining the termination process for outside service providers. This includes considering who owns data, how the data is returned, and how it is disposed of after the relationship with the provider ends.

From a regulatory perspective, third parties represent the biggest single source of noncontrollable risk to a bank or credit union. To a considerable extent, examiners will draw comparisons to overall enterprise risk management maturity from an institution’s third-party risk management program. In their words; “A banking organization’s failure to have an effective third-party risk management process that is commensurate with the level of risk, the complexity of third-party relationships, and the organizational structure of the banking organization may be an unsafe or unsound practice.” In addition, they will expect to see sufficient oversight at all levels, from the board to senior management, and ultimately the employees directly overseeing the individual relationships.

Vendor vs. Third Party

It is also critical for FIs to be aware of—and adjust for—the difference between the terms “vendor” and “third party.” While banks have historically used these words interchangeably, it is now clear that institutions will have to remove the term “vendor” from their vocabulary and substitute “third-party” in its place. The proposed guidance uses the term “vendor” only 4 times, while the term “third-party” is used 262 times!

The reason for the change is more than just semantic, it represents a significant shift in how a third party is defined. A third party can be any entity with which the institution has a business relationship, and neither a written contract nor monetary exchange is necessary to establish a business arrangement. A business relationship can include more obvious arrangements such as referral agreements and professional services providers like law and audit firms, but also less obvious companies such as maintenance, catering, and custodial service companies. Business arrangements have greatly expanded and become more varied and, in some cases, far more complex. FI’s should be prepared to expand the scope of their third-party risk management (TPRM) program.

Expansion of Third-Party Risk Assessment

Financial institutions will also need to expand third-party risk management beyond the scope of the Gramm-Leach-Bliley Act (GBLA) to comply with the new guidance. They should broaden their focus beyond non-public information (NPI) to include anything that may not be directly related to customer information, but still needs to remain confidential. This can include strategic plans, unaudited financial statements, HR and shareholder records, and committee meeting minutes. Regardless of the type of information, regulators will expect institutions to manage their risk by accurately assessing all third-party exposure to the storage, transmittal, and processing of information.

While institutions cannot directly control third-party risks, they will need to request and review certain documents—especially from critical parties. A few key third-party documents that institutions should examine prior to engagement3 include contracts, audit reports4, and financials. Depending on criticality, FIs may also need to maintain a list of potential alternate providers in case their primary provider fails or cannot complete the terms of their contract. Finally, institution management should be fully aware of any gaps or limitations in third-party contracts, so they can manage any increased residual risk effectively.

Another area likely to draw increased scrutiny is Complementary User-entity Controls (CUECs), included in the SOC report. These are the controls third parties require for you to utilize their products or service. The best practice strongly suggests you document these CUECs and adhere to them.

Financial institutions that may lack the internal time and/or expertise to review third-party contracts, financials, and SOC reports, can consider adding a solution like Safe Systems’ Vendor Management Document Review. The service enhances the control review process and makes it easier for institutions to meet the increased regulatory expectations for managing third parties. Read more about this topic by accessing our “Evolution of Third Party Management” webinar.

1 As of this date the NCUA has not indicated that they will be a signatory on this new guidance.

2 The Board’s 2013 guidance, the FDIC’s 2008 guidance, the OCC’s 2013 guidance and its 2020 FAQs.

3 Certain documents such as SOC reports may only be made available after a contract is in place.

4 Depending on the trust criteria selected, audit reports like the AICPA System and Organization Controls (SOC) 1 and SOC 2 should also include an auditor opinion on the information security and business continuity controls in place at the third party.

06 Mar 2023
MFA - Why You Can’t Set It and Forget It

MFA—Why You Can’t Set It and Forget It

MFA - Why You Can’t Set It and Forget It

Multifactor authentication (MFA) is not a static, set-it-and-forget-it process. Financial institutions must constantly monitor—and make necessary adjustments—to ensure effectiveness so that only authorized users are accessing their network, data, and services.

MFA Methods and Risk

Some of the most common MFA methods, particularly with Microsoft Azure are:

  • FIDO2 security key
  • Microsoft Authenticator app
  • Windows Hello for Business
  • OATH hardware/software tokens
  • Short messaging service (SMS)
  • Voice calls

FIDO2—the latest and greatest MFA—enables easy and secure authentication. It takes passwords out of the equation and instead uses public key cryptography for authentication to enhance security. The Microsoft Authenticator app is also capable of passwordless authentication in Azure, which is making it an increasingly popular option. This modern multi-factor authentication method can act as a FIDO2 key, send push notifications, and support user awareness by providing location and client data within the app.

Windows Hello for Business is another form of advanced authentication that is also capable of passwordless authentication. However, institutions should be careful when implementing this approach to MFA because it can entail unique stipulations.

Two of the riskiest types of authentication are MFA facilitated by either SMS or voice calls. SMS-enabled MFA, which combines the use of a text message and code, is one of the most frequently used methods of authentication. However, since text messages are not encrypted, they are vulnerable to telecom tower relaying interference. Because of this vulnerability and its wide adoption, SMS is a major target of attackers. Voice calling, which uses telecom services to call with the code, is another risky form of MFA because it is possible that someone else could intercept the phone call.

For any TOTP-based method of MFA, there is an inherent risk of users giving away the codes. This can be accomplished via clever phishing techniques or malicious applications on mobile devices.

Combining MFA with Other Defensive Layers

Today’s sophisticated cyberattacks often attempt to exploit weaknesses that are present in the MFA workflow. Unlike traditional attacks that sought to bypass basic authentication protocols, newer schemes tend to follow normal MFA workflows to exploit human behavior. Attackers are also using other creative strategies to effectively circumvent MFA requirements. For example, they may hijack an already MFA-authenticated session to gain unauthorized access.

To evade cyberattacks, institutions must go beyond taking a relaxed, set-it-and-forget-it stance for MFA. They must enhance MFA by adopting newer more modern methods for their users. They must also be cognizant of attacks that can effectively bypass MFA, as we have seen with MFA-resistant phishing scams. To compensate for these newer styles of attacks, institutions should seek to implement multiple layers of security. In Azure, this will mean the adoption of Conditional Access Policies (CAPs). Stacking multiple CAPs targeting various combinations of MFA, apps, clients, locations, compliance status, and device types is the best way to improve an organization’s security posture. For more information about this important topic, watch our webinar on “MFA–Why You Can’t Set It and Forget It.”