TOPIC: Cybersecurity

Perimeter Security Basics (Spoiler Alert: It doesn’t start with a firewall.)

When thinking of perimeter security (or the security controls that protect where your trusted network touches less-trusted networks), many of us start thinking about the obvious controls, firewalls, routers, access rules, etc.  But in many cases, we see organizations struggle with a more basic concept: Where is my actual perimeter?

We are not talking about the often-repeated mantra of “There is no perimeter anymore.” (A valid discussion, but not the goal today) but the basic question of “Where does my network touch other networks?”  Here is a fun fact: Over half of the network diagrams we review are missing many of these basic intersection points.  Backup internet connections, secondary IP ranges, vendor VPN connections, MPLS endpoints, or even entire wireless deployments are simply not always documented or accounted for. 

You can’t protect, or understand the risks from, connections you don’t know about, and you can’t say all the doors are locked if you haven’t walked around the building to see how many doors you actually have.  That is why it is essential that network documentation (including those pesky diagrams we all hate to update) is complete, accurate, and thorough.  This also helps make sure that when the time comes to perform security testing on all “high risk” interfaces, you know what you need to test.

At a minimum, consider the following:
  • All interfaces or connections with other networks should be included in diagrams.  This includes backup internet connections, wireless networks, and connections to core vendors (even if trusted, they are “less trusted” than your own internal network.  Even that old wireless router that is only turned on for board meetings should be included with appropriate footnotes.
  • All public facing IP addresses should be inventoried and kept up to date, including used and unused addresses.  Again, this needs to be for all connections, even branch offices that have backup cable connections that aren’t normally utilized.
  • Have an updated list of Access Control List (ACL) entries that allow traffic between the internal network and others.
  • They say most network diagrams are already out of date before you hit the save button.  Make sure that your change control process includes steps to update applicable documentation as a final step.

    Low-Tech ID Theft (Dumpster Diving)

    Yes, dumpster diving is still alive and well and used to gain institution and customer information. This truly is an old school way of getting customer information, but it can be highly effective. The reality is that all of the high-tech controls we put into place cannot stop someone from tossing information into the waste basket instead of the shred basket. Let’s face it, most of us don’t want to dig through a dumpster to verify that sensitive information is not being thrown away by bank employees.  In fact, I think only 10-D Security Engineers love this part of their job description.   There is a better way to do this with a lot less grime and slime.  After your branch closes, conduct a trash inspection inside your institution by just looking at what is in each trash container at each desk.  You might be surprised at what you may find, and it will be a lot less messy. This type of internal audit should be done on a regular basis.  Make sure you document this audit because it never happened if you did not log it for the Examiners to see.  This is a good time to check and see if employees are complying with your clean desk policy.

      How do you test your Incident Response program?

      There are many great ways to answer this question when the examiner asks it, including:
      • “Our Information Security Officer develops scenarios and conducts exercises twice a year.”
      • “We hired 10-D to lead us through a tabletop exercise.”
      • “We publicly insult Vladimir Putin once a year and wait for him to ‘unleash the beast’ on our bank, and then see how we hold up.”
      And while some responses will be held in higher regard than others, almost any answer is better than ‘We didn’t test it.’  Your examiner will likely appreciate your honesty, and then turn around ask why you didn’t at least participate in FS-ISAC’s Cyber-Attack Against Payment Systems (CAPS) exercise that is offered at no charge. Save yourself from this uncomfortable scenario (and the Russians).  The Financial Services Information Sharing and Analysis Center (FS-ISAC) will conduct their “CAPS” exercise three times in 2019; September 24-25, October 1-2, and October 8-9.  CAPS is a virtual tabletop exercise that allows you to participate from your own location, without disclosing any confidential information to anyone outside the bank.  And again, it’s free.  To find out more information or register:  ·         September 24-25 - https://www.fsisac.com/events/caps-na19-3 , ·         October 1-2 - https://www.fsisac.com/events/caps-na19-1 , and ·         October 8-9 - https://www.fsisac.com/events/caps-na19-2  Another option is the FDIC’s “Cyber Challenge” – a set of nine scenarios designed to give financial institutions various operational issues to discuss.  Each scenario includes a short video followed by a set of challenge questions intended to spark discussion and evaluate the institution’s response capabilities.  And, it is another free and confidential option. These options are free, confidential, require minimal effort to participate, and may head off one less embarrassing moment with an examiner.  Sounds like a win, win, win, and win to me.

        Data Loss Prevention Strategy

        Employee at a bank ($500MUSA)
        I just started my role as Information Security Officer for a small bank based in Mass.  We are looking to strengthen our data loss prevention program which includes proper data classification and DLP policies and procedures. 

        I am wondering if anyone might be willing to share their strategies for enhancing this program as well as any template matrices/policies that may be beneficial.

        Eventually, we will be in the market for software to monitor DLP.  In the past, i have worked with Symantec's email DLP solution and Forcepoint's web DLP solution.  Does anyone have any recommendations for other solutions or further justification for Symantec/Forcepoint?

        Thank you!