TOPIC: Information Security

Who’s Watching the Watchers?

In a world where everything is connected to the internet through the likes of IoT (Internet of Things) devices, exploits and vulnerabilities abound. For the most part, these IoT devices lack the secure coding practices and security hardening that most well-known products implement. The focus is on convenience rather than security, and that leads to numerous exploits being found in these remote devices. The remotely controlled video camera in the office, or the one facing outside, could have lurkers watching from another continent, gathering intelligence on someone they are trying to target. Or these exploits could lead to further escalation into your network, if the devices are not segmented properly, and end with ransomware encrypting all your files. Unsecured IoT devices provide an abundance of problems.

The best way to secure yourself is to keep these IoT devices off your network and to buy from a trusted vendor whose products have been checked for security vulnerabilities and exploits. If not, you may have someone from across the world watching your every move.

Microsoft Security Update Guide

As most of you already know, Microsoft has been releasing Windows cumulative monthly updates for some time now. Each of these updates (generally) includes the relevant security updates from previous releases, making the installation process simpler. Apply the most recent cumulative updates for your Microsoft software, and you should be in pretty good shape.

The downside to this approach is that each update addresses multiple issues, and after applying the patch there may be additional action needed (e.g. a registry key, a GPO setting, etc.). So how is a careful administrator supposed to find out what may be needed after the patch is “installed”?

Microsoft has several update information resources, but the most concise place we have found to see the security implications of a particular patch, and any additional actions needed, is the Microsoft Security Update Guide (https://portal.msrc.microsoft.com/en-us/security-guidance). Here you can look up individual updates, CVEs, or products. A section called “Release Notes” will tell you about the important patches for any given month, showing the products needing updates and links to them; most importantly, recent Release Note documents now indicate which CVEs or advisories may need additional scrutiny. Items with asterisks (*) link to additional information on registry keys or changed functionality. This information is incredibly hard to find via other Microsoft support resources.

Consider bookmarking this page and regularly reviewing the monthly update summaries. This should help keep you up to date on the latest patches and can key you in on updates that might require you to read the “fine print”.

Penetration Testing – What Kind Should You Get?

There are different types of penetration tests that can be performed, depending on the threat being simulated. A “no knowledge” penetration test, with the tester starting outside the institution’s environment, is performed as a “real world” attack on a network and may involve port scans, exploitation of vulnerabilities, and social engineering tactics. A penetration test can also start with the tester given access to the institution’s internal network, and a third type of test can strictly target the institution’s wireless networks.

Which test should be performed depends entirely on the institution’s needs and should be targeted to accomplish the intended goals. But making sure you get a worthwhile test comes down to knowing what is generally recognized as a true penetration test, and not just an enhanced vulnerability scan.

For more details on the different types of penetration tests, the associated methodologies, and reasons why you might want to conduct one or more of the tests, see our comprehensive blog post at https://10dsecurity.com/penetration-testing-what-kind-should-you-get/, or download it below.

Why you should consider Ad Blockers

Many websites use advertisements to help cover the cost of creating new content and hosting the site itself, and to generate revenue. Many site owners use various ad platforms to load ads onto their websites. However, bad actors have been known to abuse these platforms to direct users to malicious websites or to download malicious content. This is known as “malvertising”. A seemingly innocuous ad could lead a user to a drive-by download or load malicious code from a compromised website.

Reputable ad blockers such as uBlock Origin and AdBlock Plus allow users to stop ads from loading on websites (as well as whitelist specific sites if desired). These programs usually take the form of browser plugins. Additionally, ad blockers may offer the ability to import blacklists, which are lists of known bad domains or ad platforms with poor reputations. This can increase your security when browsing by stopping traffic before it reaches a malicious website.

If you haven't used an ad blocker before, try one out in your favorite browser and enjoy a cleaner, safer browsing experience.

Local Administrator Password Solution (LAPS)

Local Administrator Password Solution (LAPS) addresses the basic issue of the same local administrator account being used on all hosts throughout the organization, leaving them susceptible to “Pass-the-Hash” and credential re-use attacks. LAPS does this by leveraging a combination of an application installed on a Domain Controller, Active Directory (AD) templates, and PowerShell modules. The LAPS password is stored in the ms-Mcs-AdmPwd AD attribute of the associated domain computer object. LAPS credentials are also passed using Kerberos encryption by default. Additional benefits include automated rotation of the admin password and, if the administrator deems it appropriate, the ability to grant access to the password where needed, such as to help desk staff. Another practical example would be allowing a user access to an elevated account when they are in a bind, without compromising the local password (e.g., the user is out of the office and unable to access the VPN due to a corrupt VPN client installation that requires re-installation with elevated credentials). Then, after network connectivity is restored, the LAPS password can be changed automatically once Group Policy updates, or on demand via PowerShell.

To read more about LAPS and to download all the associated components and documentation, check out this TechNet article.
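As an added example (not taken from the TechNet article or the LAPS product documentation), the following uses the AdmPwd.PS module that ships with the LAPS management tools to audit who can read passwords in an OU, hand the current password of one host to help desk staff, and expire it afterwards so the next Group Policy refresh rotates it. The OU, group and computer names are placeholders.

```powershell
# Added example: auditing and rotating LAPS passwords with the AdmPwd.PS module.
# Requires the LAPS management tools (AdmPwd.PS) and RSAT on the admin workstation.
# OU, group and computer names below are placeholders for your own environment.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = "OU=Workstations,DC=corp,DC=example"   # placeholder OU containing managed hosts

# 1. Who can read the LAPS password in this OU? Any principal holding "All extended
#    rights" on the computer objects can read ms-Mcs-AdmPwd, so review this regularly.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 2. Grant read access only to the help desk group (least privilege, scoped per OU).
Set-AdmPwdReadPasswordPermission -Identity $ou -AllowedPrincipals "CORP\HelpDesk"

# 3. Retrieve the current password and its expiry for one host, e.g. for a user who
#    needs local admin rights to reinstall a broken VPN client while off the network.
$hostName = "WS-1234"                         # placeholder computer name
Get-AdmPwdPassword -ComputerName $hostName |
    Select-Object ComputerName, Password, ExpirationTimestamp

# 4. Once the task is done, expire the password. The LAPS client-side extension sets a
#    new random password at the next Group Policy refresh, so the disclosed password
#    stops working without anyone touching the host.
Reset-AdmPwdPassword -ComputerName $hostName

# 5. Report managed computers whose password is already past its expiry date; this
#    usually means the host has not refreshed Group Policy (offline, stale, or the
#    client-side extension is missing), so its local admin password is not rotating.
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' } |
    ForEach-Object {
        # The attribute is a Windows FILETIME (100 ns ticks since 1601), stored as a large integer.
        $expires = [DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        if ($expires -lt (Get-Date).ToUniversalTime()) {
            [pscustomobject]@{ Name = $_.Name; Expired = $expires }
        }
    }
```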

Guardian Analytics

Manager at a bank ($488M, USA)

Do any of you also use Guardian Analytics for Business Online & ACH anomaly detection? We're in the early stages of implementation and data gathering, but I was hoping some more seasoned users would be willing to share their daily process and what you look for/review. Thanks in advance!

Are you prepared for the EOL Shockwave?

Often, we take software that seems to have ‘always been there’ for granted, until suddenly it’s not supported. At other times, ‘must have’ software fades into obscurity as it’s gradually replaced by alternatives. Either way, you should be prepared for an End of Life (EOL) announcement just as much as you should for important software update announcements.

This week it’s an announcement by Adobe. They have announced the EOL for Adobe Shockwave on April 9th, with extended support only for Enterprise customers. This also means anyone who continues to use the software after April 9th is assuming a security risk, because Shockwave will no longer receive security updates.

This is a great example of a piece of software that likely remains installed, albeit unused, on many users’ machines. Staying informed about software updates is important to alleviate potential security risks; you should also stay informed of End of Life announcements. Take a moment to see if it’s installed in the environment you maintain. If you are using Shockwave, find a supported alternative soon. If you don’t use this software, uninstall it.
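To answer the “is it installed in my environment?” question, here is an added example (not from Adobe or from the original post) that reads the Windows uninstall registry keys on a list of domain hosts over WinRM and reports any Shockwave installation. The computer names are placeholders.

```powershell
# Added example: inventory Adobe Shockwave Player across domain hosts by reading the
# uninstall registry keys in both the 64-bit and the 32-bit (WOW6432Node) views.
# The computer list is a placeholder; in practice feed it from Get-ADComputer.
$computers = @("WS-1234", "WS-5678")

$scriptBlock = {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Shockwave registers itself as "Adobe Shockwave Player <version>"; the wildcard
    # also catches older naming variants.
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Shockwave*' } |
        Select-Object @{n='Computer'; e={ $env:COMPUTERNAME }},
                      DisplayName, DisplayVersion, InstallDate, UninstallString
}

# Invoke-Command fans the query out over WinRM; errors for unreachable hosts are
# collected in $unreachable instead of aborting the run.
$results = Invoke-Command -ComputerName $computers -ScriptBlock $scriptBlock `
                          -ErrorAction SilentlyContinue -ErrorVariable unreachable

if ($results) {
    $results | Sort-Object Computer |
        Format-Table Computer, DisplayName, DisplayVersion, InstallDate -AutoSize
} else {
    Write-Host "No Shockwave installations found on the hosts that responded."
}
$unreachable | ForEach-Object { Write-Warning ("Not queried: " + $_.Exception.Message) }
```

Hosts that do not respond are the ones to follow up on manually, since an unmanaged machine is exactly where an EOL plugin tends to linger.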

Intrusion Detection and Prevention Systems: Are they really working?

Let’s face it, if you have a public IP you’re going to get some type of illegitimate access attempt directed at your network at some point. Probably multiple times per day. Just look at your firewall logs and alerts sometime. If you are not already doing so, you should be, daily.

If you don’t have one or are not familiar with the concept, an Intrusion Detection and Prevention System (IDS/IPS) actively detects and prevents malicious or unwanted access attempts. Your IDS/IPS can be deployed as local software, appliances, Software as a Service (SaaS) solutions (or a hybrid), or potentially as separate systems, with detection (IDS) and prevention (IPS) in separate parts. The usual deployment, however, is an IDS/IPS that prevents as it detects. These systems perform their tasks based on definitions and/or heuristic techniques, and may be monitored by a third-party Security Operations Center that can alert you and/or act on your behalf.

If you don’t have an IDS/IPS, you might be saying, “Isn’t my firewall good enough?” Well, a stateful inspection firewall is an absolute must. But even though you might have integrated inspection enabled, your firewall only passively stops what was defined in the last firewall OS release, and what you tell it to stop through Access Control Lists associated with zones or interfaces. That’s where IDS/IPS steps it up, and it may be something you can add to or enable on your existing firewall.

After a few consulting hours (maybe the purchase of a new firewall or appliance) and certainly the signing of some type of maintenance contract, you’ve committed many dollars in infrastructure changes to add an IDS/IPS. Things are ticking along great, right?

Have you bothered to test whether the fancy new system is really doing what the sales guy said it would do?

A famous former President was very fond of this Russian proverb: Trust, but verify.

Have your IDS/IPS checked by someone other than the vendor to ensure it is detecting and preventing while not impacting your network performance. Impact? Yes, impact. Another 1 or 2 seconds per transaction, multiplied by the transaction volume and the number of affected employees or customers, adds up quickly. Time is money.

The Low-Down on Multi-Factor Authentication

Something You Have; Something You Know

There are a number of different types of multi-factor authentication (MFA), but which is right for your organization? What should employees and management know about MFA prior to implementing it for your VPN access, administrator sessions to sensitive systems, or secure web portals? Take a deeper dive into MFA on our blog: https://10dsecurity.com/the-low-down-on-multi-factor-authentication/.

A picture is worth a thousand words! Network Diagrams.

This is especially true when talking about network diagrams. A network diagram is a roadmap that helps you illustrate and document what a network looks like and how things are connected.

The following diagrams should be maintained:

1. WAN topology that clearly shows all ISP, VPN, and WAN connections, wireless connections, and LAN segments, along with router, firewall and IDS implementations.
2. Individual LAN topologies showing default gateways, DNS implementation, all servers, and all network devices.

Here are some key elements of good network diagrams:

1. Keeping a diagram current and accurate is important, so network diagrams should be updated at least quarterly or after network changes.
2. Label items with a name, function, and IP address(es).
3. The look and feel of the diagrams should be consistent, and a common set of visual objects should be used where possible.
4. Network diagrams should also contain a title that clearly defines the nature of the diagram, a confidentiality notice, the name of the author, and the date of creation / last update.

If you outsource your IT, make sure your vendor is providing you with current and accurate diagrams.

BSA/AML Compliance, Fraud Detection & High-Risk Customer Management - Join us on Feb. 27

A Consolidated Solution to Fight Financial Crime
February 27 at 12:30 PM - 01:30 PM EST

Register now: https://verafin.com/event/bsa-aml-compliance-fraud-detection-high-risk-customer-management-2/?src=cbanc

Today’s criminals do not limit their illicit activities to a single financial institution. More and more, multiple institutions are targeted for increasingly complex financial crimes. As these criminals evolve, traditional approaches to combat crime are largely ineffective.

Single institutions with siloed departments lack the visibility necessary to see the bigger picture, often seeing only a very small component of the crime within their data. These isolated teams often deploy point solutions that use broad rules in an attempt to catch suspicious or fraudulent activity – an approach that perpetuates the industry-wide problem of false positives. The solution? Working together to fight crime, in the same way criminals work together to exploit victims and institutions.

So, why choose Verafin?

Unlike first generation systems, Verafin builds deep analytical models for you, and uses machine learning and artificial intelligence to keep you ahead of evolving financial crime trends. Verafin’s FRAMLx software includes highly targeted detection scenarios that are enriched with open-source and third-party data, and provides cross-institutional analysis and collaboration through the power of the cloud. The result? Higher-quality alerts, expedited investigations, and richer, more detailed reporting.

• Integrated CDD/EDD and intelligent segmentation of high-risk customers including a Customer Due Diligence Questionnaire, high-risk customer identification analytics, stratified risk-models for high-risk customers and automated risk-reviews.
• Targeted AML and Fraud scenarios including structuring, international activity, terrorist financing, human trafficking and funnel accounts, first-party deposit fraud, deposit fraud scams, online account takeover, wire & ACH fraud, debit card fraud, and loan fraud.
• Risk-rated alerts enriched with third-party, open-source, and cloud data that provide you with more information at your fingertips, and help you expedite investigations and strengthen reporting.
• FRAMLx cross-institutional detection and 314(b) information sharing including Risky Entity Analysis, and facilitating collaboration with investigators at any 314(b)-registered institutions.
• End-to-end BSA compliance and process automation including regulatory reporting for SARs and CTRs, OFAC/Watchlist scanning, Case Management, Enterprise Reporting, etc.

Register now: https://verafin.com/event/bsa-aml-compliance-fraud-detection-high-risk-customer-management-2/?src=cbanc

DNS and MFA

On January 22, 2019, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive with the subject “Mitigate DNS Infrastructure Tampering”, ordering all federal agencies to secure login credentials for their internet domain records. Required actions include auditing DNS records, changing DNS account passwords, adding multi-factor authentication to DNS accounts, and monitoring certificate transparency logs to detect prior unauthorized certificate issuance. This directive was issued in response to an uptick in attacks on websites and email servers carried out by altering DNS records.

CISA Director Christopher C. Krebs wrote in the emergency directive:

“Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services:

1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.

2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.

3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.”

While this directive was aimed at federal agencies, all institutions should heed this warning and secure access to their public DNS account with multi-factor authentication.
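MFA protects the account; the directive’s other two actions, auditing records and watching certificate transparency, need a routine check. The following is an added example (not part of the directive or the original post) that snapshots a domain’s A, MX and NS answers from a public resolver, diffs them against a saved baseline, and lists recently logged certificates from crt.sh. The domain, baseline path and resolver address are placeholders; crt.sh’s JSON endpoint is a public service and the field names used are the ones it returns.

```powershell
# Added example: detect tampering of public A/MX/NS records by diffing live answers
# against a baseline you verified by hand, then review certificate transparency logs.
# Domain, baseline path and resolver are placeholders for your own values.
$domain   = "example.com"
$baseline = "C:\dns-baseline\example.com.json"
$resolver = "1.1.1.1"   # ask a public resolver, not your own (possibly stale) cache

function Get-DnsSnapshot {
    param([string]$Name, [string]$Server)
    # Normalise each record type to a sorted list of strings so two snapshots compare cleanly.
    # -DnsOnly skips LLMNR/NetBIOS so the answer really comes from the resolver asked.
    [ordered]@{
        A  = @(Resolve-DnsName -Name $Name -Type A  -Server $Server -DnsOnly |
               Where-Object Type -eq 'A'  | ForEach-Object IPAddress | Sort-Object)
        MX = @(Resolve-DnsName -Name $Name -Type MX -Server $Server -DnsOnly |
               Where-Object Type -eq 'MX' | ForEach-Object { "$($_.Preference) $($_.NameExchange)" } | Sort-Object)
        NS = @(Resolve-DnsName -Name $Name -Type NS -Server $Server -DnsOnly |
               Where-Object Type -eq 'NS' | ForEach-Object NameHost | Sort-Object)
    }
}

$current = Get-DnsSnapshot -Name $domain -Server $resolver

if (-not (Test-Path $baseline)) {
    # First run: store the answers, then confirm by hand that they are the legitimate values
    # before trusting the file. A baseline taken after tampering would hide the tampering.
    $current | ConvertTo-Json | Set-Content -Path $baseline
    Write-Host "Baseline written to $baseline; verify it manually before relying on it."
    return
}

$saved    = Get-Content -Path $baseline -Raw | ConvertFrom-Json
$tampered = $false
foreach ($type in 'A', 'MX', 'NS') {
    # Records in the baseline but no longer served, and records served but not in the baseline.
    $missing    = @($saved.$type)   | Where-Object { $_ -notin @($current.$type) }
    $unexpected = @($current.$type) | Where-Object { $_ -notin @($saved.$type) }
    foreach ($r in $missing)    { $tampered = $true; Write-Warning "$type record MISSING:    $r" }
    foreach ($r in $unexpected) { $tampered = $true; Write-Warning "$type record UNEXPECTED: $r" }
}
if (-not $tampered) { Write-Host "A/MX/NS records for $domain match the baseline." }

# Certificate transparency: a certificate for your domain that nobody requested is strong
# evidence a record was changed long enough for an attacker to pass domain validation.
$ct = Invoke-RestMethod -Uri "https://crt.sh/?q=%25.$domain&output=json"
$ct | Sort-Object not_before -Descending |
      Select-Object -First 20 not_before, issuer_name, name_value |
      Format-Table -AutoSize
```

Run it on a schedule from a host that is not the DNS provider itself, and treat any UNEXPECTED line or unknown issuer as an incident to investigate rather than a curiosity.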

What do ISOs need to know?

The role of the Information Security Officer is ever-changing, and the knowledge base required goes beyond patch management and tracking IT assets. This certification course outline gives you an idea of the topics we drill into during the training, and highlights the skills required of a well-rounded ISO.

This one-of-a-kind course was developed by industry experts, former examiners, and CISSP professionals to share the wealth of knowledge and insight accumulated from years on the banking side, the cybersecurity side, and the regulatory side. Your ISO leaves with the tools to secure your network, bringing you peace of mind, plus the opportunity to become a Certified Banking Information Security Officer (CBISO). The training meets FFIEC annual training requirements. Our 2019 courses will be in:

For more information, visit: www.10dacademy.com.

Outlook Web App and 2FA should keep your Exchange server secure, right? Think again.

10-D performs hundreds of penetration tests each year, so we see trends in the weaknesses that give access into customer networks. One of the more common weaknesses we currently see involves public-facing Exchange servers. It is commonly perceived that if you lock down the Exchange Outlook Web App (OWA) login portal by denying most users access and enabling two-factor authentication for the others, you will have secured your Exchange server from attackers. Unfortunately, a service commonly enabled on many Exchange instances, called Exchange Web Services (EWS), bypasses both of those controls. Simply put, EWS is a service that allows client devices to connect to the server to get email and other data. The vulnerability associated with this service is that an attacker can brute force logins and, if successful, will be able to log in to a user’s email without two-factor authentication. This service can be disabled; however, that may cause a mutiny within your organization if users lose access to some of their data. 10-D Security doesn’t recommend a specific solution for this vulnerability, as Exchange implementations vary greatly, but some options to consider for locking down this service are as follows:

• Limit which users have access to the EWS service
• Limit which applications are allowed to access the EWS service
• An application firewall/reverse proxy that can whitelist only valid EWS attempts
• VPN-only access for email
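The first two options above map directly onto Exchange settings. As an added example (not 10-D Security’s recommendation and not Microsoft documentation), the following Exchange Management Shell session inventories EWS status, restricts EWS to members of one group, and enforces an organisation-wide application allow list. The group name, mailbox address and User-Agent patterns are placeholders; pilot on a few mailboxes first, since Outlook for Mac, free/busy lookups and some mobile clients rely on EWS.

```powershell
# Added example: narrowing Exchange Web Services (EWS) exposure with Exchange cmdlets.
# Group name, mailbox address and User-Agent patterns are placeholders for your own values.

# 1. Inventory: which mailboxes still have EWS enabled (or inherit the org default, $null)?
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.EwsEnabled -ne $false } |
    Select-Object Name, EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList |
    Format-Table -AutoSize

# 2. Limit WHICH USERS have EWS: switch it off for every mailbox, then re-enable it
#    only for members of a group that has a demonstrated need (placeholder group).
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -EwsEnabled $false
$ewsUsers = Get-DistributionGroupMember -Identity "EWS-Allowed-Users" -ResultSize Unlimited
$ewsUsers | ForEach-Object {
    Set-CASMailbox -Identity $_.PrimarySmtpAddress -EwsEnabled $true
}

# 3. Limit WHICH APPLICATIONS may use EWS, organisation-wide: enforce an allow list keyed
#    on the client's User-Agent header. A request whose User-Agent matches no entry is
#    refused even when the mailbox itself has EWS enabled. The patterns are placeholders;
#    capture the real User-Agent strings of your approved clients from the EWS IIS logs.
Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList `
                       -EwsAllowList @("MacOutlook*", "Microsoft Office/16.*")

# 4. Verify the effective settings for one mailbox after the change (placeholder address).
Get-CASMailbox -Identity "user@example.com" |
    Format-List EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList
```

A User-Agent allow list raises the bar for automated login attempts but is not authentication, so keep it alongside lockout policies and the reverse-proxy or VPN options above rather than in place of them.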

Educational Seminar in Nashville, 2019

See why more than 925 of your peers have purchased loans from Bankers Healthcare Group, at the upcoming Nashville Info Seminar.

• Engaging seminar - Hear from the Founder/CEO and the c-suite leadership team in finance, credit, regulatory, marketing, sales and analytics.
• Understand the 5 convenient, hassle-free methods to purchase loans.
• Discover additional revenue opportunities for your bank:
  • Consumer loans to licensed medical and other professionals
  • Patient lending – connecting community banks to hospitals and surgery centers
• Network with key BHG personnel and other community banks from around the US.

Email us at bhgbanks@bhg-inc.com or call 866-461-5069 to find out the details!

"The BHG Info Seminar was an excellent experience. We are new to BHG, having just purchased our first loan last month. It was a valuable experience to have the company’s staff answer your questions and talk to other banks who have experience with BHG. I was able to learn how they manage their portfolio and loan terms. The event was first-class, all the way. I came away very impressed with BHG." – Minnesota Bank President

About BHG: Bankers Healthcare Group (BHG) is a well-established, direct lender that has a commercial loan program specifically tailored to the business needs of licensed healthcare and other professionals. BHG has provided over $4 billion of these originated, underwritten and funded loans to 925+ community banks throughout the US since 2001.