TOPIC: Operations

Penetration Testing – What Kind Should You Get?

There are different types of penetration tests that can be performed, depending on the threat being simulated. A "no knowledge" penetration test, with the tester starting outside the institution's environment, is performed as a "real world" attack on a network and may involve port scans, exploitation of vulnerabilities, and social engineering tactics. A penetration test can also start with the tester given access to the institution's internal network, and a third type of test strictly targets the institution's wireless networks.

Which test should be performed depends entirely on the institution's needs and should be targeted to accomplish the intended goals. But making sure you get a worthwhile test comes down to knowing what is generally recognized as a true penetration test, as opposed to just an enhanced vulnerability scan.

For more details on the different types of penetration tests, the associated methodologies, and reasons why you might want to conduct one or more of the tests, see our comprehensive blog post at https://10dsecurity.com/penetration-testing-what-kind-should-you-get/, or download it below.

Nonbank Financial Institutions - NBFIs

SVP at a bank ($3.3B, USA)

Looking to see what others do relative to banking independent loan/finance companies that provide lending services to customers of the independent finance customer. Lately, our bank has been opening several accounts for independent lending companies that provide lending services to help individuals purchase residential real estate for investment purposes or for the real estate to be rehabbed and "flipped." According to FinCEN guidance, these types of companies are considered to be an NBFI and are required to have an AML program in place.

Our question is, what are other banks doing? Are you asking and requiring these types of customers to provide evidence that they have an AML program in place?

If anyone has an opinion or comments, please share...

Review of large dollar items

SVP at a bank ($2.2B, USA)

We have two different reviews of large dollar items, and are curious as to how others are handling these from a risk perspective. I know a lot depends on management's tolerance for risk based on experience/tolerance with losses, but please include your asset size.

1. As the paying bank, we review all checks over $10,000 paying against our customers' accounts, approximately 250-350 items. All aspects of the check are reviewed, including date, signatures, endorsements, and any irregularities.

2. As the BOFD, we review items over $35,000 that were sent out in yesterday's cash letter, verifying proper endorsements and deposit into the correct account, approximately 50-75 items. These items should have been verified by the teller at the time of deposit.

We are over $2 billion in assets.

One Participant 401K

VP at a bank ($2.7B, USA)

I "misspoke" in a previous post and am looking for information about a one participant 401K account, not a self-directed 401K. We have a customer who would like to open an account titled this way with us, but no one here is familiar with the product. My limited understanding is that it is just a non-consumer account titled to reference the 401K, but before agreeing to open it I want to make sure we don't have any special reporting requirements. Any insight would be greatly appreciated.

Is This Partnership a Right Fit? More than 50 Banks Found Out Firsthand.

In January, 56 community banks from 20 states joined Bankers Healthcare Group for a behind-the-curtain experience at our Informational Regional Seminar in Nashville, Tenn.

Our 75 attendees heard from BHG's Founder/Chairman/CEO Al Crawford and C-suite leadership team in finance, credit, underwriting, compliance, marketing, sales, and analytics. This was a great opportunity for them to learn about our business model, commercial medical loan program and financial strength, and uncover new revenue opportunities for their banks.

We had a great mix of prospective customers and current customers from some of BHG's 940 bank partners, which gave everyone a chance to network and learn. Prospective customers love to hear about the experiences of current customers, while current customers appreciate the business and product updates, as well as the opportunity to connect with key BHG contacts.

Our seminars are a great way to get to know BHG, and we hold them throughout the year, across the country. If you'd like to attend an upcoming seminar, please email bhgbanks@bhg-inc.com or call 877-731-6562 to get the details!

About BHG: Bankers Healthcare Group (BHG) is the leading provider of financial solutions for licensed healthcare professionals. The company originates, underwrites and funds medical and professional loans before selling them to local banks nationwide.

To date, BHG has underwritten nearly $15 billion in commercial loan requests with an average size of $100,000, providing a network of more than 940 U.S. community banks a source for premium loans, portfolio diversification, and competitive yields without the overhead costs traditionally associated with this quality borrower. Banks purchase BHG loans through a secure, online system that allows for daily sale and delivery of loans. This has been a highly effective channel for a bank to quickly approve and purchase loans according to their underwriting standards. BHG's 2018 sales distribution has averaged $4 million per day and new loans are posted daily.

Pinnacle Financial Partners, Inc., and its subsidiary Pinnacle Bank hold a 49% total interest in BHG.

What do ISOs need to know?

The role of the Information Security Officer is ever-changing, and the knowledge base required goes beyond patch management and tracking IT assets. This certification course outline gives you an idea of the topics we drill down into during the training and highlights the skills required of a well-rounded ISO.

This one-of-a-kind course was developed by industry experts, former examiners, and CISSP professionals to share the wealth of knowledge and insight accumulated from years on the banking side, the cybersecurity side, and the regulatory side. Your ISO leaves with the tools to secure your network, bringing you peace of mind, plus the opportunity to become a Certified Banking Information Security Officer (CBISO). The training meets FFIEC annual training requirements. Our 2019 courses will be in:

For more information, visit: www.10dacademy.com.

Outlook Web App and 2FA should keep your Exchange server secure, right? Think again.

10-D performs hundreds of penetration tests each year, so we see trends in the weaknesses that lead into customer networks. One of the more common ones we currently see involves public-facing Exchange servers. It is commonly perceived that if you lock down the Exchange Outlook Web App (OWA) login portal by denying most users access and enabling two-factor authentication for the others, you have secured your Exchange server from attackers. Unfortunately, a service commonly enabled on many Exchange instances called Exchange Web Services (EWS) bypasses both of those controls. Simply put, EWS is a service that allows client devices to connect to the server to retrieve email and other data. The weakness is that an attacker can brute-force logins against EWS and, if successful, log in to a user's email without ever passing through two-factor authentication. The service can be disabled; however, that may cause a mutiny within your organization if users lose access to some of their data. 10-D Security doesn't recommend a specific solution for this vulnerability, as Exchange implementations vary greatly, but some options to consider for locking down this service are as follows:

• Limit which users have access to the EWS service
• Limit which applications are allowed to access the EWS service
• An application firewall or reverse proxy that whitelists only valid EWS requests
• VPN-only access for email
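As an added illustration of the first two options above (example commands, not part of the 10-D post), the following Exchange Management Shell snippet disables EWS on every user mailbox except an allow-list, then restricts the remaining EWS users to named client applications; the mailbox addresses and user-agent patterns are placeholders you would replace with your own.

```powershell
# Added example: restrict EWS per mailbox and per client application.
# Assumes it is run from the Exchange Management Shell by an account holding
# the appropriate RBAC role. $AllowedUsers and $AllowedApps are constructed
# placeholder values, not taken from the original post.

# Mailboxes that legitimately need EWS (e.g. a CRM or archiving integration)
$AllowedUsers = @('ews.integration@example.com', 'cfo@example.com')

# User-Agent patterns of client applications permitted to use EWS;
# anything not matching is refused by Exchange
$AllowedApps = @('Outlook/*', 'MacOutlook/*')

# 1. Turn EWS off for every user mailbox, then back on only for the allow-list
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        $keepEws = $AllowedUsers -contains $_.PrimarySmtpAddress.ToString()
        Set-CASMailbox -Identity $_.Identity -EwsEnabled $keepEws
    }

# 2. For the mailboxes that keep EWS, enforce the application allow-list.
#    Note: this matches the client's User-Agent string, so treat it as a
#    hygiene control layered under the per-user restriction, not a replacement.
foreach ($user in $AllowedUsers) {
    Set-CASMailbox -Identity $user `
        -EwsApplicationAccessPolicy EnforceAllowList `
        -EwsAllowList $AllowedApps
}

# 3. Verify: list any mailbox still exposing EWS without an enforced allow-list
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.EwsEnabled -and $_.EwsApplicationAccessPolicy -ne 'EnforceAllowList' } |
    Select-Object Identity, EwsEnabled, EwsApplicationAccessPolicy
```

The same EwsEnabled, EwsApplicationAccessPolicy and EwsAllowList settings exist on Set-OrganizationConfig if you prefer to set the default once for the whole organization and then open exceptions per mailbox.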

Educational Seminar in Nashville, 2019

See why more than 925 of your peers have purchased loans from Bankers Healthcare Group, at the upcoming Nashville Info Seminar.

• Engaging seminar - Hear from the Founder/CEO and the C-suite leadership team in finance, credit, regulatory, marketing, sales and analytics.
• Understand the 5 convenient, hassle-free methods to purchase loans.
• Discover additional revenue opportunities for your bank:
  • Consumer loans to licensed medical and other professionals
  • Patient lending – connecting community banks to hospitals and surgery centers
• Network with key BHG personnel and other community banks from around the US.

Email us at bhgbanks@bhg-inc.com or call 866-461-5069 to find out the details!

"The BHG Info Seminar was an excellent experience. We are new to BHG, having just purchased our first loan last month. It was a valuable experience to have the company's staff answer your questions and talk to other banks who have experience with BHG. I was able to learn how they manage their portfolio and loan terms. The event was first-class, all the way. I came away very impressed with BHG." – Minnesota Bank President

About BHG: Bankers Healthcare Group (BHG) is a well-established, direct lender that has a commercial loan program specifically tailored to the business needs of licensed healthcare and other professionals. BHG has provided over $4 billion of these originated, underwritten and funded loans to 925+ community banks throughout the US since 2001.

Fix your policies & procedures now! Final webinar event of the year!

Start writing better policies & procedures! Join us for our final live webinar event of the year on Wed, December 19th @ 2 PM EST.

Policies and procedures that are written well are clear, accurate, and easy to follow. Failing to meet these three tenets leads most obviously to compliance risk, but poorly written policies and procedures also have direct impacts on employee productivity and customer/member satisfaction – leading to a higher rate of exceptions, rework, and low NPS ratings.

We will outline the 6 most common mistakes to avoid when writing banking policies and procedures and tips on how to fix them.

This webinar will cover:

• How to set up your institution to better write and manage policies & procedures
• The top 6 most common mistakes to avoid when writing policies & procedures
• How to fix common errors in your policies & procedures today
• Real-life case studies demonstrating why it matters

Register now!

Cheers,

The SilverCloud Team

Reduce Exceptions Now! Live Webinar Dec 5th @ 2PM EST

Join us Dec 5th @ 2PM EST for a live webinar on reducing exceptions at financial institutions.

Banks and credit unions today invest enormous amounts of time, energy, and money into managing exceptions. Though not all exceptions carry risk, those that do can result in injury to a financial institution's reputation and bottom line. So what are leading institutions doing to manage risk while still delivering a winning consumer experience?

We'll discuss the main drivers of exceptions and what top institutions are doing to address these root causes. Join us to learn about the state of exceptions in the banking industry today!

We will cover:

• Strategies for training and managing employees around exceptions
• Real-industry stories and approaches to reducing exceptions
• How to utilize feedback strategies that support different types of learners
• Tips for enabling employees to more accurately follow policies & procedures
• How your policy and procedure information impacts the rate of exceptions

Click here to register!

Cheers,

The SilverCloud Team

Equipment Maintenance Providers

AVP at a bank ($209M, USA)

We are looking for a new company to provide maintenance for our bank equipment, cameras, alarms, night drop, time locks, etc. in the Dallas area. Would any of you be willing to share contact information for your provider?

Felony Lane Gang

VP at a bank ($476M, USA)

It appears that the Felony Lane Gang has popped up again in our area. I am looking for a PowerPoint presentation on the Felony Lane Gang as training for our tellers. I had one at one time but cannot seem to find it. Any help would be much appreciated.

Start writing better policies & procedures today! Live webinar on Nov 20th

Join us for a live webinar on Tuesday, November 20th @ 2PM EST.

Failure to write clear, accurate, and easy-to-follow policies & procedures most obviously leads to compliance risk, but poorly written policies and procedures also have direct impacts on employee productivity and customer/member satisfaction – leading to a higher rate of exceptions, rework, and low NPS ratings.

In this webinar, we'll outline the 6 most common mistakes to avoid when writing banking policies and procedures and tips on how to fix them.

This webinar will cover:

• How to set up your institution to better write and manage policies & procedures
• The top 6 most common mistakes to avoid when writing policies & procedures
• How to fix common errors in your policies & procedures today
• Real-life case studies demonstrating why it matters

Register here!

Cheers,

The SilverCloud Team

Budget? For Information Security?

The midterms are finally over, and the ads have mercifully ended. We all deserve a little credit for putting up with the insanity. But now is the time to get back on track and plan out your budget for 2019. Or did you assume it will just be a part of IT's budget? According to the FFIEC Cybersecurity Assessment Tool, a "baseline" requirement states: "The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20)."
Whether you've already submitted your 2019 budget or not, you might consider the following items. It may help your planning for 2020, or you may find you need to go back to your CFO and plead for mercy...
An information security budget should include items such as:

• Independent assessments, tests and audits (e.g., pen tests, social engineering, vulnerability assessments, etc.)
• Software licenses for security-related systems (e.g., SIEM system, IPS/IDS systems, web content filters, firewalls, email security appliances, encryption, antivirus, scanners, etc.)
• Hardware – for leases or for planned upgrades/implementations. Include firewalls, servers, security appliances, and any other system that relates to the security infrastructure.
• Security certificates and registrations (for websites, domain registrations, security appliances, etc.)
• Training and conferences related to information security (incl. travel expenses)
• Misc. services – forensic examiner retainer, monitoring services, technical consultants, etc.

To keep pace with emerging threats and regulations, information security programs need to continually grow skills and response capabilities. Be sure to factor in the expected annual price increases, product upgrade charges, etc. (include a "fudge factor" so that if prices come in higher than expected you can still look good at year-end). Also, remember to factor in the additional human resources needed to manage the expanding demands.
Some other budget planning suggestions:

• Maintain a "next year" planning worksheet and update it throughout the year, adding reminders to include improvements that you've noted during the current budget period.
• Have a shortcut to your planning worksheet on your computer's desktop, so you can easily find and modify it as you think of things throughout the year.
• Keep track of "actual" compared to "budgeted" expenses as the year progresses, to help in fine-tuning your estimates for next year's budget.
• Note which budget items are "must have" (such as IDS/IPS, firewalls, log management systems, testing, etc.) and which are "should have," in case of budget cuts OR if the budget fairy gives you an unexpected allowance to improve your security posture. Either way, you will have ready answers.
• And for election years, be sure to include a reasonable allowance request to cover the bar tab you'll need to endure the next onslaught of campaign ads.

CBANC Premium - Workspace Tips

Manager at a Company (USA)

Here is a quick tutorial on how to add users to your CBANC Premium Workspace application. Workspace is a central source of truth for your policies, procedures, and other important documents. It also includes 25 policy & procedure checklists, updated by experts as regulations change, to help your team hit the ground running. Workspace is great for collaborating with your board of directors, impressing your examiners, and streamlining policy and procedure management. It works great on iPads without the need to download additional software and has bank-level security built in.