TOPIC: Cybersecurity

Guardian Analytics

Manager at a bank ($488MUSA)
Do any of you also use Guardian Analytics for Business Online & ACH anomaly detection? We're in the early stages of implementation and data gathering, but I was hoping some more seasoned users would be willing to share their daily process and what you look for/review. Thanks in advance!

    Are you prepared for the EOL Shockwave?

    Often, we take software that seems to have ‘always been there’ for granted, until suddenly it’s not supported.  At other times, ‘must have’ software fades into obscurity as it’s gradually replaced by alternatives.  Either way, you should be prepared for an End of Life (EOL) announcement just as much as you should for important software update announcements.
    This week it’s an announcement by Adobe.  They have announced the EOL for Adobe Shockwave, on April 9th, with extended support only for Enterprise customers.  This also means anyone who continues to use the software after April 9th is assuming a security risk because Shockwave will no longer be supported with security updates. 
    This is a great example of a piece of software that likely remains installed, albeit unused by many users.Staying informed about software updates are important to alleviate potential security risks; you should also stay informed of End of Life announcements.  Take a moment to see if it’s installed in the environment you maintain.  If you are using Shockwave, find a supported alternative soon.  If you don’t use this software, uninstall it.

      Intrusion Detection and Prevention Systems: Are they really working?

      Let’s face it, if you have a public IP you’re going to get some type of illegitimate access attempt directed at your network at some point. Probably multiple times per day. Just look at your firewall logs and alerts sometime. If you are not, you should be; daily.

      If you don’t have one or are not familiar with the concept, an Intrusion Detection and Prevention System (IDS/IPS) will actively detect and prevent malicious or unwanted attempts at access. Your IDS/IPS can be deployed as local software, appliances, Software as a Service (SaaS) solutions (or a hybrid), or potentially as separate systems – detection (IDS) and prevention (IPS) in separate parts. The usual deployment; however, is an IDS/IPS that that prevents as it detects. These systems perform their tasks based on definitions and/or heuristic techniques and may be monitored by a third-party Security Operations Center that can alert you and/or act on your behalf.

      If you don’t have IDS/IPS, you might be saying, “Isn’t my firewall good enough?” Well, a stateful inspection firewall is an absolute must. But even though you might have integrated inspection enabled, your firewall only passively stops what was defined in the last firewall OS release; and what you tell it to through Access Control Lists associated with zones or interfaces. That’s where IDS/IPS steps it up and may be something you can add to or enable on your firewall.

      After a few consulting hours, (maybe the purchase of a new firewall or appliance) and certainly the signing of some type of maintenance contract, you’ve committed many dollars in infrastructure changes to add an IDS/IPS. Things are ticking along great, right?

      Have you bothered to test whether the fancy new system is really doing what it the sales guy said it will do?

      A famous former President was very fond of this Russian proverb: Trust but verify.

      Have your IDS/ IPS checked by someone other than the vendor to ensure it is detecting and preventing while not impacting your network performance. Impact? Yes, impact. Another 1 or 2 seconds per transaction multiplied by the transaction volume and number of impacted employees or customers adds up quick. Time is money.

        The Low-Down on Multi-Factor Authentication

        Something You Have; Something You Know
        There are a number of different types of Multi-factor authentication (MFA), but which is right for your organization? What should employees and Management know about MFA prior to implementing for your VPN access, administrator sessions to sensitive systems, or secure web-portals? Take a deeper dive into MFA on our blog, https://10dsecurity.com/the-low-down-on-multi-factor-authentication/ .

          A picture is worth a thousand words! Network Diagrams.

          This is especially true when talking about network diagrams. A network diagram is a roadmap that helps you illustrate and document what a network looks like, and how things are connected.

          The following diagrams should be maintained:

          1. WAN topology that clearly shows all ISP, VPN, and WAN connections, wireless connections, LAN segments along with router, firewall
            and IDS implementations.
          2. Individual LAN topologies showing default gateways, DNS implementation, all servers, and all network devices.

          Here are some key elements of good network diagrams:

          1. Keeping a diagram current and accurate is important, so network diagrams should be updated at least quarterly or after network
            changes.
          2. Label items with a name, function, and IP address(s).
          3. The look and feel of the diagrams should be consistent, and a common set of visual objects should be used where possible.
          4. Network diagrams should also contain a title that clearly defines the nature of the diagram, confidential statement notice, name of
            the author, and date of creation / last update.

          If you outsource your IT, make sure your vendor is providing you with current and accurate diagrams.

            DNS and MFA

            DNS and MFA
            On January 22, 2019, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive with the subject, “Mitigate DNS Infrastructure Tampering” ordering all federal agencies to secure login credentials for their internet domain records. Required actions include auditing DNS records, changing DNS account passwords, adding multi-factor authentication to DNS accounts, and monitoring certificate transparency logs to detect prior unauthorized certificate issuance. This directive was issued in response to an uptick in attacks on websites and email servers by altering DNS records.

            CISA Director Christopher C. Krebs wrote in the emergency directive:

            “Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services:

            1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.

            2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.

            3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

            To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.”

            While this directive was aimed at federal agencies, all institutions should heed this warning and secure access to their public DNS account with multi-factor authentication.

              What do ISO's need to know?

              The role of the Information Security Officer is ever-changing, and the knowledge base required goes beyond patch management and tracking IT assets. This certification course outline gives you an idea of the topics we drill down in during the training. and highlights the skills required of a well-rounded ISO.

              This one of a kind course was developed by industry experts, former examiners, and CISSP professionals to share the wealth of knowledge and insight accumulated from years on the banking side, the cybersecurity side, and the regulatory side. Your ISO leaves with the tools to secure your network, bringing you peace of mind. Plus, the opportunity to become a Certified Banking Information Security Officer (CBISO). The training meets FFIEC annual training requirements. Our 2019 courses will be in:

              For more information, visit: www.10dacademy.com.

                Don't Miss Out: Free January Webinar on 2019 Risk Trends

                You are invited to our January webinar discussing the top risk trends to expect in 2019. Register for free today! If you are not able to make it to the live event, the recording will be available for download afterwards.

                What does 2019 hold for risk, and what can you do about it? From fintech to Brexit and everything in between, this engaging webinar will explore the most notable risk trends for 2019 and what they mean for the industry and your institution.

                You’ll gain insights into a variety of known and emerging risks addressing:

                • Technology investments & cyber risk
                • Compliance
                • Economic issues
                • Industry concentration & the environment
                • Competition - including products and markets
                • M&A activities & de novos

                This analysis of the industry’s most recent trends will give you the information you need to get 2019 off to a strong start.

                Register Today!

                  Outlook Web App and 2FA should keep your Exchange server secure, right? Think again.

                  10-D performs hundreds of penetration tests each year, so we see trends for weaknesses into customer networks. One of the more common weaknesses we currently see is a weakness with public facing Exchange servers. It is commonly perceived that if you lock down the Exchange Outlook Web App (OWA) login portal by denying most users access and enabling two-factor authentication for the others you will secure your Exchange server from attackers. Unfortunately, a service commonly enabled on many Exchange instances called Exchange Web Services (EWS) bypasses both of those controls. Simply put, EWS is a service that allows client devices to connect to the server to get email and other data. The vulnerability associated with this service is that an attacker can brute force logins and if successful, will be able to login to users email without two-factor authentication. This service can be disabled; however, that may cause a mutiny within your organization if users lose access to some of their data. 10-D Security doesn’t recommend a specific solution for this vulnerability as Exchange implementations vary greatly, but some options to consider for locking down this service would be as follows:

                  • Limit which users have access to the EWS service
                  • Limit which applications are allowed to access the EWS service
                  • Application Firewall/Reverse Proxy that can whitelist only valid EWS attempts
                  • VPN only access for email

                    Free January Webinar: Top Risk Trends of 2019

                    You are invited to our January webinar discussing the top risk trends to expect in 2019. Register for free today! If you are not able to make it to the live event, the recording will be available for download afterwards.

                    What does 2019 hold for risk, and what can you do about it? From fintech to Brexit and everything in between, this engaging webinar will explore the most notable risk trends for 2019 and what they mean for the industry and your institution.

                    You’ll gain insights into a variety of known and emerging risks addressing:

                    • Technology investments & cyber risk
                    • Compliance
                    • Economic issues
                    • Industry concentration & the environment
                    • Competition - including products and markets
                    • M&A activities & de novos

                    This analysis of the industry’s most recent trends will give you the information you need to get 2019 off to a strong start.

                    Register Today!

                      The Most Basic Ransomware Defense Technique

                      Aside from standard security practices such as antivirus software and security awareness training, one of the most effective steps you can take to protect against ransomware is very straightforward: limit what files users can access. Ransomware almost always runs with the same permissions as the infected user, so what they cannot access, the ransomware cannot encrypt.

                      The concept of ‘least privilege’ (allowing a user to access only what is needed for their job) is as old as information security itself, but it is not always easy to implement. Once you do, over time access control lists (ACLs) get modified - and by the very nature of things, generally get more permissive, not less. ‘Least privilege’ and ACL management is a big area, but here are some common pitfalls and recommendations:

                      • Regularly audit file permissions and shared folder ACLs. This can be done using automated tools, scripts, or just old-fashioned testing by logging in with different user types and seeing what you can access.
                      • Don’t just watch the common mapped drives. Often there are shares all over a network that are viewable by browsing the network using File Explorer. Some common issues we see are shares used by applications, backup target folders, temporary shares used for file transfers, and other network storage such as NAS devices. All can contain important information that may be improperly secured.

                        Free Webinar: The DarkWeb – A Treasure Trove Of Actionable Threat Intelligence

                        Free Webinar: The DarkWeb – A Treasure Trove Of Actionable Threat Intelligence
                        Thursday, December 13 - 1 p.m. CDT
                        This has been approved for the following CE credits: 1.25 CAFP, CFSSP, CRCM

                        Playing defense against sophisticated cybercriminals is too little and too late. To win, institutions must deploy proactive threat intelligence programs that detect threats with greater speed, accuracy, and effectiveness. In our upcoming free thought leadership webinar, learn how to leverage the Deep and Dark Web to collect highly targeted and actionable threat intelligence.

                        We'll also discuss:

                        • What is the “Digital Underground”? The “DarkWeb”? The “DeepWeb”?
                        • Who are the threat actors on the “Underground” targeting financial institutions?
                        • How can I collect targeted & actionable intelligence on the “Underground”?
                        • How do leading organizations leverage such intelligence to combat cybercrime and fraud?
                        • What can financial institutions do to eliminate these threats?

                        Register here: https://www2.bankerstoolbox.com/DarkWebWBN

                          Bye Bye Summer, Hello Flu!

                          Winter seems to be in a big hurry. In the Midwest, we raced right from Summer into Winter without so much as a goodbye handshake. Right on cue, with the colder weather, we are already seeing the first cases of flu pop up . . .and you all know what that means. Yup, time to dust off the pandemic plan and make sure it is up to date.
                          Pandemic Plan reminders:

                          • Focus on operating with limited staffing (are your procedures up to date, and have you cross trained?)
                          • Don’t limit the plan to any specific illness or medical condition.
                          • Consider your vendors; if they are short-staffed how will it affect your organization?
                          • Don’t hard-link your “pandemic declaration” to World Health Organization or the Centers for Disease Control declarations. Your plan should be escalated when your risk escalates.
                          • Train & Test. Use the day after Thanksgiving, July 5th, snow day, etc. as an actual “low staffing day”.
                          • Include in your Pandemic Plan:
                            1. Contacts, especially medical and governmental.
                            2. Shelter-in-place needs (e.g., food, hygiene items, medicines, etc.).
                            3. “Must perform” tasks, and identify areas that can be postponed.
                            4. Considerations for “working from home” (i.e., remote access, pay, etc.).
                            You may also consider:
                          • Providing Flu shots to your employees, or at least keeping them informed on where they can get them.
                          • Conducting good hygiene training with employees; you know the basics: cough in your sleeve, wash your hands, and don’t touch your face.
                          • Providing hand sanitizers and tissues for employees and customers.

                          And of course, if you are sick enough to be contagious, stay home.

                            Budget? For Information Security?

                            The midterms are finally over, and the ads have mercifully ended. We all deserve a little credit for putting up with the insanity. But now, is the time to get back on track and plan out your budget for 2019. Or, did you assume it will just be a part of IT’s budget? According to the FFIEC Cybersecurity Assessment Tool, a “baseline” requirement indicates: “The budgeting process includes information security related expenses and tools. (FFIEC E-Banking Booklet, page 20).”
                            Whether you’ve already submitted your 2019 budget or not, you might consider the following items. It may help your planning for 2020, or you may find need to go back to your CFO and plead for mercy…
                            An Information security budget should include items such as:

                            • Independent assessments, tests and audits (e.g., pen tests, social engineering, vulnerability assessments, etc.)
                            • Software licenses for security-related systems (e.g., SIEM system, IPS/IDS systems, web content filters, firewalls, email security appliances, encryption, antivirus, scanners, etc.)
                            • Hardware – for leases or for planned upgrades/implementations. Include firewalls, servers, security appliances, and any other system that relates to the security infrastructure.
                            • Security Certificates and registrations (for websites, domain registrations, security appliances, etc.)
                            • Training and Conferences related to information security (incl. travel expenses)
                            • Misc. Services – Forensic examiner retainer, monitoring services, technical consultants, etc.

                            To keep pace with emerging threats and regulations, Information Security Programs need to continually grow skills and response capabilities. Be sure to factor in the expected annual price increases, product upgrade charges, etc. (include a “fudge factor,” in case prices come in more than expected you can still look good at year-end). Also, remember to factor in additional human resources needed to manage the expanding demands.
                            Some other budget planning suggestions:

                            • Maintain a “next year” planning worksheet and update it throughout the year, adding in reminders to include improvements that you’ve noted during the current budget period.
                            • Have a shortcut to your planning worksheet on your computer’s desktop, so you can easily find and modify it as you think of things throughout the year.
                            • Keep track of “actual” compared to “budgeted” expenses as the year progresses, to help in fine-tuning your estimates for next year’s budget.
                            • Notate what budget items are “must have” (such as IDS/IPS, firewalls, log management systems, testing, etc.) and what are “should have” – In case of budget cuts OR if the budget fairy gives you an unexpected allowance to improve your security posture. Either way, you will have ready answers.
                            • And for election years be sure to include a reasonable allowance request, to cover the bar tab you’ll need to endure the next onslaught of campaign ads.

                              National Cybersecurity Awareness Month

                              It's National Cybersecurity Awareness Month (NCSAM) and the Department of Homeland Securty provides a free toolkit to businesses and individuals looking to stay safe online and increase everyone’s overall awareness of cyber-threats. Great information to share with employees and customers, alike. Check it out, https://www.dhs.gov/sites/default/files/publications/NCSAM_GeneralToolkit_final.pdf

                                Quarterly Firewall Reviews are a Requirement

                                For many companies there is only one device between their internal network and the whole wide world, AKA the Internet. This one device, called a firewall, is a key component in a secure architecture and it is often under managed. By that we mean the firewall is often not receiving the ongoing attention it deserves. The common issues we find with firewall configurations include:

                                1. Managed Firewalls: In today’s environments we often see the management of firewalls outsourced and all but forgotten about by the institution. Most managed service providers are not conducting independent reviews of the managed firewall configuration or rules as part of the service agreement. A misconfiguration or undesirable rule will still affect the institution regardless of who’s managing it.
                                2. Old Rules: Rules are usually added out of a need. This does not hold true for removing old and unneeded firewall rules. They tend to stay around.
                                3. Default Settings: You would think that in today’s world a new firewall would default to most secure. Well they don’t. By default, all traffic is generally allowed outbound. This is not a good idea for many reasons, but we find overly permissive outbound rulesets all the time.
                                4. Descriptions: The person adding a rule to a firewall knows why they are adding it, but 6 month later they may not remember and anyone else looking at the rule will not know the specific reason and history behind the rule. That is why every rule should have a comment or description with details about the rule. This will also help allow less technical staff to decipher the firewall configuration.
                                  FFIEC guidance calls for quarterly firewall policies audits or review. Significant network changes or rule changes may also warrant a firewall policy audit or review. NIST, PCI and HIPAA/HITECH have similar requirements as well.
                                  These firewall reviews do not need to be performed by an independent source and can be done internally. For those not comfortable with doing this internally or for those that would just like to have an extra set of eyes review their firewall let us know, we will be glad to help.