- Unfair, Deceptive or Abusive Acts or Practices (UDAAP) Audit
- Loans to Insiders (Reg O) Audit
- Garnishment of Federal Benefit Payments (Part 212) Audit
- Protecting Tenants at Foreclosure Act (PTFA) Audit
- Website/Advertising Compliance Audit
- Expedited Funds Availability Act (Reg CC)
- Reserve Requirements (Reg D)
- Truth in Savings Act (Reg DD)
- Electronic Funds Transfer Act (Reg E)
- Truth In Lending Act (Reg Z)
- Real Estate Settlement Procedures Act (Reg X)
- Equal Credit Opportunity Act (Reg B)
- Home Mortgage Disclosure Act (Reg C / HMDA)
- Flood Disaster Protection Act (FDPA)
- Fair Credit Reporting Act/Fair and Accurate Credit Transactions Act (Reg V)
- Consumer Protection in Sales of Insurance Act (Reg H)
- Fair Debt Collection Practices Act (FDCPA)
- Fair Housing Act (FHA)
- Homeowners Protection Act (HPA)
- Servicemembers Civil Relief Act (SCRA)
- Military Lending Act (MLA)
- Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act)
- Privacy of Consumer Financial Information (Reg P)
- Community Reinvestment Act (CRA)
- Bank Bribery Act
- Right to Financial Privacy Act (RFPA)
- Bank Protection Act
- Advertisement of Membership (Part 328/Part 740)
- Electronic Signatures in Global and National Commerce Act (ESIGN Act)
- Unlawful Internet Gambling Enforcement Act (Reg GG)
Wire Transfers are a high-risk function of any institution and are often subject to fraudulent, erroneous and malicious activity. The result of such activity almost always involves financial losses, some of which may be substantial. In addition, an institution can experience a damaged reputation as a result of these activities.
The threats to Wire Transfers are both internal and external in nature. Unfortunately, for banks, this risk exposure may also result from client account takeovers.
A Wire Transfer Audit will identify weaknesses or vulnerabilities in your Wire Transfer Operations and help identify gaps in controls that can prevent or reduce the bank’s risk exposure.
Understanding how fraudulent, erroneous and malicious transactions can happen gives us a unique perspective on how to prevent such activity.
Our Wire Transfer Audit Reports summarize the overall risk level and provide detailed findings that are also risk rated. This allows the institution to prioritize any remediation efforts.
These audits are often scheduled in conjunction with other audits, such as BSA/AML & ACH NACHA Audits.
This assessment is designed for companies with customized web applications exposed to the Internet. Whether the application has been developed internally or outsourced, it is vital to have the peace of mind of knowing that these web applications are secure.
While security should be part of the development project from the start, knowing that the final product meets your organization's risk tolerance is worth its weight in gold.
Most web applications interact directly or indirectly with critical databases, which are a key target for most malicious attacks. Understanding the vulnerabilities these applications have and working through the mitigation process will result in a more secure web application environment.
Our Assessments use a variety of toolsets and tests that are designed to ferret out the most sophisticated web application vulnerabilities. In addition, general coding and configuration best practices are identified.
Web Application Assessments should be a regular and ongoing part of any Internet accessible web application development process, with a full assessment being performed annually and/or on each major version change.
A single weak password can expose your entire network to an external or internal attack. Password harvesting is one of the easiest and most commonly exploited network security threats.
Network users often employ passwords that conform to standard complexity and length rules, but are based on common dictionary terms. These passwords are easy to remember and also easy to break.
Performing periodic password audits can uncover weak passwords used within your organization and allow you to educate users on proper password utilization. An Active Directory password audit can show you who picks weak passwords before an attacker can exploit that weakness.
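The gap described above, a password that satisfies every complexity rule yet is built from a dictionary word with the cheapest possible mangling (a capital letter, a year, a trailing symbol, a few "leet" substitutions), is exactly what a cracking engine tries first. The following added example, which is not 10-D Security's tooling or any part of the original page, shows the check a defender can apply at password-change time (where plaintext is legitimately available) or use to classify cracked audit results. The tiny wordlist, the leet table, and the sample accounts are all constructed for illustration; a real deployment would load a full language dictionary and a breached-password list.

```python
import re
import string

# Constructed stand-in for a real wordlist (assumption: a real audit or filter
# would load a full language dictionary plus a list of breached passwords).
SMALL_DICTIONARY = frozenset({
    "password", "welcome", "summer", "winter", "spring", "autumn",
    "admin", "letmein", "bank", "monday", "football",
})

# Common "leet" substitutions users apply to satisfy complexity rules.
LEET_TO_PLAIN = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Leading/trailing runs of digits and symbols ("Summer2024!", "!!admin") are
# the most common padding; they are stripped before the dictionary lookup.
_LEADING = re.compile(r"^[^a-zA-Z]+")
_TRAILING = re.compile(r"[^a-zA-Z]+$")


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """Typical policy: minimum length and at least three of four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def dictionary_base(password: str, dictionary=SMALL_DICTIONARY):
    """Return the dictionary word the password is derived from, or None.

    Padding may sit at either end, and a leading symbol may be padding ("!!admin")
    or a substitution ("@dmin"), so several strip variants are tried before the
    leet table is undone and the result is lowercased.
    """
    strip_both = _TRAILING.sub("", _LEADING.sub("", password))
    variants = (strip_both, _TRAILING.sub("", password), _LEADING.sub("", password), password)
    for variant in variants:
        candidate = variant.translate(LEET_TO_PLAIN).lower()
        if candidate in dictionary:
            return candidate
    return None


def classify(password: str) -> str:
    """Audit verdict for one password.

    'fails_complexity'             - the policy itself would reject it
    'complex_but_dictionary_based' - passes the policy yet is a cheap crack
    'acceptable'                   - passes the policy and no dictionary base found
    """
    if not meets_complexity(password):
        return "fails_complexity"
    if dictionary_base(password) is not None:
        return "complex_but_dictionary_based"
    return "acceptable"


def audit(accounts):
    """Group (username, password) pairs by verdict; returns a dict of user lists."""
    report = {"fails_complexity": [], "complex_but_dictionary_based": [], "acceptable": []}
    for user, pw in accounts:
        report[classify(pw)].append(user)
    return report


if __name__ == "__main__":
    # Constructed sample accounts. Plaintext appears here only because this check
    # runs where plaintext is legitimately present (a change-time filter).
    SAMPLE = [
        ("alice", "Summer2024!"),
        ("bob", "P@ssw0rd1"),
        ("carol", "welcome"),
        ("dave", "T9#kq2Lm!vX4"),
    ]
    for verdict, users in audit(SAMPLE).items():
        print(f"{verdict}: {', '.join(users) or '-'}")
```

The useful output is the middle bucket: accounts whose passwords a complexity rule accepts but a dictionary attack with basic mangling rules would recover quickly. Those are the users the text says an audit should surface for targeted education before an attacker finds them.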
10-D Security uses a forensically sound and completely safe process to extract password hashes from the Active Directory database. Unlike many other password auditing services, this process uses no third-party tools, guaranteeing that your domain controllers remain online with no disruption of service or instability issues.
Our Security lab has a high horsepower, state-of-the-art password cracking engine that was designed specifically for this task.
We are able to work with our clients to provide yearly or quarterly assessment engagements.
The objective of the ATM Physical Assessment is to assess the general security of a bank's ATM operations at each installation as well as compliance with State and Federal Regulations.
State Regulations: Many states now have a regulation requiring specific minimum lighting standards at and around ATM installations. In addition, some states have other physical requirements pertaining to ATM user safety and security.
Federal Regulations: The Americans with Disabilities Act (ADA) imposes specific access requirements for disabled persons on and around ATM installations. These regulations are backed by fines and penalties that can cost a bank dearly.
ATM installations typically do not receive a lot of attention and tend to fall victim to common maintenance issues which may cause them to become out of compliance.
In recent years ATM skimming has become a real issue facing all institutions, giving even more reason to assess ATM installations.
ATM Physical Security Assessments look at many aspects, including but not limited to the following areas:
- Evidence of tampering;
- Lighting at and around the ATMs;
- Notices and disclosures; and
Appendix Eight of the NACHA Operating Rules & Guidelines requires all participating Depository Financial Institutions, Third-Party Service Providers, and Third-Party Senders to conduct an annual ACH audit in compliance with the provisions of the ACH rules. This audit must be conducted no later than December 31 of each year.
An audit is important for several reasons, most notably:
- To ensure compliance with the Rules;
- To assist in minimizing risk associated with ACH processing;
- To strengthen the financial institution's ACH services/program; and
- To assist in maintaining the quality and integrity of the ACH network.
10-D Security offers financial institutions trusted and experienced compliance staff to help reduce the burden on your internal resources.
Let’s face it, Wireless Networking is not the most secure form of communications, but it sure is convenient. Like a lot of things, there is a time and a place for 802.11 connectivity. Just make sure it is as secure as possible, or it will be convenient for attackers.
A Wireless Assessment is designed to identify vulnerabilities in your wireless infrastructure so they can be addressed before they are exploited by malicious attackers.
We have several levels of Wireless Assessments to meet your needs. This includes options ranging from a configuration review to an onsite attack simulation review. We can create an assessment that will fit your needs and budget.
Here are a few of the areas we can include:
- Overall Architecture Review;
- Documentation and Policy Review;
- Access Control Review;
- Wireless (802.11) Scanning;
- Rogue Access Point Scanning;
- Encryption and Decryption Review; and
Don’t wait until it is too late. Get your wireless implementation assessed soon.
FFIEC guidance calls for quarterly firewall policy (rules) audits or review. Significant network or rule changes may also warrant a firewall policy audit or review. NIST, PCI and HIPAA/HITECH have similar requirements as well. 10-D Security offers both quarterly and annual firewall reviews.
In today’s environments, we often see the management of firewalls outsourced and all but forgotten by the institution. Most managed service providers do not conduct independent reviews of the managed firewall configuration or rules as part of the service agreement. A misconfiguration or undesirable rule will still affect the institution regardless of who is managing it.
Rules are added but rarely removed after they are no longer relevant. Over time, stale rules add to management overhead and possible security issues.
In the old days, firewalls were overly permissive out of the box. While this is generally not the case anymore, we still see firewalls configured to be wide open outbound so things will “just work”, going against established guidelines and best practices.
There are many reasons for performing regular firewall reviews, and all of them serve to better protect a company's IT infrastructure as well as meet regulatory requirements.
For those not comfortable with doing this internally, or for those who would just like an extra set of eyes to review their firewall, let us know; we will be glad to help.
The goal of an Internal Penetration Test is to gauge the effectiveness of internal security controls against an attacker with access to internal network resources. This attacker could be a knowledgeable malicious insider or an external attacker that has gained limited access or a "beachhead" on the internal network. The purpose of this test is to simulate a real-world attack with specific goals, generally gaining root or administrative access to targeted systems, or access to data stores.
Our assessment process is performed by specially trained individuals using current attack methodologies and tactics. The Internal Penetration Testing deliverables include a detailed report with specific attack paths and scenarios, along with recommended remediation strategies.
The test is performed in two phases: One with network access only, and one with network access and limited user access to simulate an internal user compromise. Our test mirrors how actual attacks occur, but without stress or liability. 10-D Security's Red Team will employ cutting-edge techniques and strategies used by today’s bad guys to detect and evaluate your security controls.
This test does not replace a traditional Internal Vulnerability Assessment but complements it by enabling institutions to assess how their layered security controls hold up to a skilled attack.
In administering a BSA program, financial institutions may choose to utilize AML monitoring software. The use of such software is becoming more common in the financial services industry and may help the institution allocate resources to its BSA program more effectively.
An effective model validation of BSA/AML software will verify if an institution's processes and activities are performing as expected and are in line with their design objectives and the organization's needs. A 10-D BSA/AML model validation will assess the development, implementation, and use of the institution's BSA/AML risk monitoring model according to the Supervisory Guidance on Model Risk Management OCC2011-12 and SR 11-7.
10-D Security utilizes this guidance in the scope of our assessment which includes the following four (4) areas of model validation:
- Business and Regulatory Environment
- Enablement of Technology (System, Data, Process)
The resulting assessment report will give the institution an overall rating of model effectiveness and identify any compliance issues.
Do your Internet-connected systems have vulnerabilities? This basic question can be answered by waiting for the cyber-criminals to uncover the vulnerabilities for you, or you can do so proactively with an External Vulnerability Assessment.
An External Vulnerability Assessment tests the publicly accessible areas of your network for vulnerabilities and security issues. This gives you the opportunity to correct problems before malicious attackers can exploit them and gain access to confidential information. As the saying goes, an ounce of prevention is worth a pound of cure.
Your deliverable from a 10-D Security External Vulnerability Assessment will include a risk-rated listing of detected vulnerabilities and mitigation recommendations, providing you with a clear roadmap for prioritizing and resolving any detected deficiencies. For repeat clients, we also include a trend report that demonstrates the organization’s progress throughout 10-D engagements over time.
The FFIEC's guidelines state that institutions are required to perform an independent assessment of high-risk systems at least annually. That's where we can help.
Our Security Engineers are trained and experienced "Ethical Hackers" that perform both manual and automated testing procedures to help ensure all your vulnerabilities are discovered.
Completion of independent testing for BSA/AML compliance is one of the original pillars of a financial institution's BSA program. While the frequency of this audit is not specifically defined in any statute, a sound practice is for the financial institution to conduct independent testing every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank.
The goal of a BSA/AML Audit is to identify and document all known compliance issues with the bank's BSA/AML program in accordance with FFIEC Guidelines. Each audit is tailored to the client's individual risk profile, but at a minimum will include:
- An evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes;
- A review of the financial institution's risk assessment for reasonableness given its risk profile;
- Appropriate risk-based transaction testing to ensure compliance with recordkeeping and reporting requirements (e.g., SARs, CTRs, CTR exemptions, CIP, and information sharing requests);
- An evaluation of management efforts to resolve past audit or exam violations and deficiencies;
- A review of training for adequacy, accuracy, and completeness;
- A review of the effectiveness of the suspicious activity monitoring systems used for BSA/AML compliance;
- An assessment of the overall process for identifying and reporting suspicious activity; and
- An assessment of the integrity and accuracy of reports used in monitoring for BSA/AML compliance.
Our testing will also cover pertinent sections of the Patriot Act and requirements specified by the Department of Treasury's Office of Foreign Assets Control (OFAC).
The resulting audit report will give the institution an overall rating and show any compliance issues found.
Our favorite service offering is the Social Engineering Assessment. This is because we are very skilled and successful at it and most everyone involved has fun. Unfortunately, cyber-criminals also love to social engineer, and they are good at it too.
Social Engineering (SE) is the art of hacking people to gain information or access. Since humans are so complex, and we all have good days and bad days, collectively we are the weakest link.
This weak link in a company’s defenses is exactly what the bad actors are targeting. Social Engineering is one of the highest threats facing today’s businesses.
To combat this growing threat, many companies have instituted a multitude of security controls including Policies, Procedures, Monitoring, and Security Awareness Training. These controls are what a good SE Assessment will test and evaluate.
Most of our clients are shocked at how successful we can be on their first test at tricking employees into divulging information. Those same clients seem to enjoy reducing our success rate year after year.
We see companies reduce their risk levels most effectively by engaging a complete SE Assessment annually, supplemented with focused engagements such as phishing email and phone testing each quarter.
Pass or Fail, Win or Draw: there is always something to learn from a good SE Assessment.
Your end users have free will and a mouse, making them the most likely target of a cyber-attack. This means your endpoints are at high risk for exploitation. Don’t you want to know what vulnerabilities are on those systems before attackers find out?
An Internal Vulnerability Assessment identifies vulnerabilities throughout your IT infrastructure and provides a report that you can use to remediate issues within your environment. This report will also help to identify the effectiveness of your Patch Management Program.
An Internal Vulnerability Assessment will allow you to correct problems before malicious attackers can exploit a system and gain access to confidential information. As the saying goes, an ounce of prevention is worth a pound of cure.
Your deliverable from a 10-D Security Internal Vulnerability Assessment will include a risk-rated listing of detected vulnerabilities and mitigation recommendations, providing you with a clear roadmap for prioritizing and resolving any detected deficiencies. For repeat clients, we also include a trend report that demonstrates the organization’s progress throughout 10-D engagements over time.
The FFIEC's guidelines state that institutions are required to perform an independent assessment of high-risk systems at least annually. That's where we can help.
Most institutions scan their perimeter and internal networks for vulnerabilities to see what may be exploitable from the outside. However, today's cyber-threats are multi-faceted with determined attackers that utilize all means at their disposal, including Social Engineering methods (targeted phishing emails and Pretext Calling) and even physical penetration attempts. Most incidents begin with phishing emails that exploit internal systems when clicked, and the breach spreads from there. How would your network defenses and security team respond to such an attack?
10-D Security's Penetration Test simulates a "real world" Cyber-Attack on your institution, challenging your team’s monitoring and alerting controls as well as incident response.
The test is performed as a “Black-Box Assessment,” meaning we have no advance knowledge of your infrastructure at the start. Our test mirrors how actual attacks occur, but without the stress or liability. 10-D Security’s Red Team will employ cutting-edge techniques and strategies used by today’s bad guys to detect and evaluate your security controls.
This test does not replace a traditional External Vulnerability Assessment or Social Engineering Assessment but complements them by enabling institutions to assess how their layered security controls hold up to a complex and persistent attack.
The framework for our IT Audit has been developed over a decade of auditing firms throughout the country and is derived from regulatory requirements and industry best practices.
Helping our customers understand the results of an IT Audit is a source of pride for us. By listening to our customers' feedback over the years, and through a lot of hard work, 10-D has developed a reporting process that delivers “Risk-Based” facts in a universally readable language and format. Our IT Audit provides a clear and concise listing of risks, with logical mitigation recommendations.
Security Officers, Compliance Officers, and IT Professionals are extremely busy in today's work environment. To help minimize the impact of our IT Audits, we have developed tools that allow us to minimize time onsite and disruption to our customers while still providing extremely thorough and in-depth audits. This low-drag, high-speed approach is a hit with our clients.
Generally, regulators are looking for an annual independent review of General Controls and the Information Security Program. This is often performed along with other assessments, such as External and Internal Vulnerability Assessments, Social Engineering Assessments, and Penetration Testing. When completed together, the engagement allows for a holistic snapshot of an organization’s threat landscape.