2019 Vol. 103 No. 4

SECURITY / FRAUD

JULY / AUGUST 2019

Ben Hayden
Risk Services Manager
SHAZAM Inc.
bhayden@shazam.net

SHAZAM Inc. is a Preferred Service Provider of the Indiana Bankers Association and an IBA Diamond Associate Member.

Ensure Security at Your Financial Institution

Implementing a robust security program strengthens your financial institution by protecting your cardholders and lowering your institution's risk. Mitigating risk may mean conducting audits of information technology, Bank Secrecy Act and Automated Clearing House compliance, as well as network penetration testing, vulnerability assessments and social engineering testing. Industry-wide, there are recurring findings that many institutions share.

IT Audit Programs

Access management. The majority of recurring findings in an IT audit relate to poor logical access management. This covers a wide variety of issues, but often comes down to poor control of Microsoft Active Directory. For example, many institutions grant domain administrator privileges to users without restricting their logon hours, have not deleted unneeded or unused service accounts, have not removed terminated users from the system, and allow non-expiring passwords. Attackers look for these types of accounts. Digging deeper, many institutions lack processes for reviewing user access to wire platforms, core systems, internet banking or other systems. "Least privilege possible" is a sound security principle, but it is not being followed consistently. Review why administrator accounts are needed. Are they being used for privileges that can and should be assigned to ordinary user accounts?

Configuration standards. Industry best practice is to use the configuration standards found in "hardening documents." These standards are usually provided by firewall, switch and IDS/IPS (intrusion detection/prevention system) manufacturers, and the documentation outlines how to secure each system effectively. Download the documentation from the manufacturer's website, and make it a priority to update system configurations based on these standards.

Inventory. Another common issue is the failure of institutions to maintain current hardware or software inventories. It's your stuff – know where it is! Institutions should maintain an inventory of their assets, including which operating system and version each is running, as well as a software inventory. If needed, find a tool that will do this for you. With a software inventory in place, unwanted or even malicious programs can be located more easily, which can also lead to reductions in system latency. It is common to find out-of-date inventories and vulnerable programs.

Track findings. Once an audit is complete, it is important that the institution track its findings, assign each issue to a specific person, and establish deadlines to correct issues. Many audit-tracking tools are available, but a simple spreadsheet can be created that lists each finding's audit of origin, responsible person, risk or priority level, and remediation deadline.

Manage Risk

Many institutions fail to manage their overall exposure because they do not adequately assess, track, mitigate or accept risks. While they may adequately assess risk, they fail to fully mitigate the high-risk items. More threatening, however, is improperly lowering the risk score of a specific product or business line. Institutions do this to "accept" the risk, yet lower-risk items are easily forgotten. This practice simply is not proper risk acceptance. Institutions should assess the risk of the product in question only after careful scrutiny. If there is a business need for the risk, move forward with an acceptance process that includes senior management and the board of directors.

Security Vulnerabilities

Security vulnerabilities are often found during network penetration tests or vulnerability analysis.
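The Active Directory findings listed under "Access management" (domain administrators with non-expiring passwords or unrestricted logon hours, unused service accounts, accounts left behind by terminated employees) can be pulled out of the directory before an auditor does it for you. The script below is an added example, not code from the article or from SHAZAM; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read the domain, and that 90 days is the institution's threshold for "unused" (adjust to policy). Stale enabled user accounts are only a proxy for terminated employees, so the resulting list still needs to be checked against HR records.

```powershell
# Added example (not the article's or SHAZAM's code): enumerate the recurring
# Active Directory audit findings and write each list to CSV for the tracker.
Import-Module ActiveDirectory

$InactiveDays = 90   # assumed policy threshold for "unused"; adjust as needed
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# logonHours is a 21-byte bitmap of permitted hours. If the attribute is
# absent, or every bit is set, the account may log on at any hour.
function Test-LogonHoursUnrestricted {
    param([byte[]]$LogonHours)
    if (-not $LogonHours) { return $true }
    return -not ($LogonHours | Where-Object { $_ -ne 0xFF })
}

# 1. Every member of Domain Admins (nested groups included) with the
#    password and logon-hour settings the article calls out.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordNeverExpires, logonHours, LastLogonDate, Enabled

$adminFindings = foreach ($u in $domainAdmins) {
    [pscustomobject]@{
        Account                = $u.SamAccountName
        Enabled                = $u.Enabled
        PasswordNeverExpires   = $u.PasswordNeverExpires
        LogonHoursUnrestricted = Test-LogonHoursUnrestricted $u.logonHours
        LastLogonDate          = $u.LastLogonDate
    }
}

# 2. Service accounts: any enabled user with a service principal name that
#    has not logged on within the window (or never has).
$staleServiceAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties ServicePrincipalName, LastLogonDate, Enabled |
    Where-Object { $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) }

# 3. Enabled users with no logon in the window: candidates for terminated
#    employees never removed. Search-ADAccount does the timestamp comparison.
$staleUsers = Search-ADAccount -AccountInactive -UsersOnly `
        -TimeSpan ([timespan]::FromDays($InactiveDays)) |
    Where-Object Enabled

# 4. All enabled accounts whose password never expires, not only admins.
$nonExpiring = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true'

# One CSV per finding so the results drop straight into the audit tracker.
$stamp = Get-Date -Format 'yyyyMMdd'
$adminFindings | Export-Csv "ad-domain-admins-$stamp.csv" -NoTypeInformation
$staleServiceAccounts |
    Select-Object SamAccountName, LastLogonDate, @{n='SPNs'; e={ $_.ServicePrincipalName -join ';' }} |
    Export-Csv "ad-stale-service-accounts-$stamp.csv" -NoTypeInformation
$staleUsers  | Select-Object SamAccountName, LastLogonDate |
    Export-Csv "ad-stale-users-$stamp.csv" -NoTypeInformation
$nonExpiring | Select-Object SamAccountName |
    Export-Csv "ad-password-never-expires-$stamp.csv" -NoTypeInformation

# Summary for the reviewer.
$neverExpireCount = @($adminFindings | Where-Object PasswordNeverExpires).Count
$anyHourCount     = @($adminFindings | Where-Object LogonHoursUnrestricted).Count
"Domain Admins reviewed: {0}; non-expiring passwords: {1}; unrestricted logon hours: {2}" -f @($adminFindings).Count, $neverExpireCount, $anyHourCount
```

Run it on a schedule rather than once: the value of the exercise is the month-over-month diff, which shows whether the access review process the article asks for is actually removing accounts.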
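For the "Inventory" finding, the following is an added example (not the article's or SHAZAM's code) of the kind of tool the author suggests finding: it collects hardware, operating system version and installed software from a list of Windows hosts and flags any program that is not on an approved list, which is how the "unwanted or even malicious programs" the article mentions surface. It assumes WinRM is enabled on the targets and the caller has administrative rights there; the host list and the allow-list are constructed placeholders to be replaced with the institution's own.

```powershell
# Added example (not the article's or SHAZAM's code): hardware/OS and software
# inventory with an allow-list comparison. Host list and allow-list are
# constructed placeholders.
$Computers = @('localhost')                 # assumption: replace with hosts from the asset register
$ApprovedSoftware = @(                      # constructed allow-list; -like wildcards permitted
    'Microsoft Edge',
    'Microsoft Visual C++*',
    'Symantec Endpoint Protection'
)

# Runs on each target. Installed programs come from the registry uninstall
# keys (64- and 32-bit views); Win32_Product is avoided because querying it
# triggers MSI consistency checks on every package.
$collect = {
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $bios = Get-CimInstance Win32_BIOS

    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $software = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

    [pscustomobject]@{
        Hardware = [pscustomobject]@{
            Manufacturer = $cs.Manufacturer
            Model        = $cs.Model
            SerialNumber = $bios.SerialNumber
            OSName       = $os.Caption
            OSVersion    = $os.Version
            OSBuild      = $os.BuildNumber
            LastBoot     = $os.LastBootUpTime
        }
        Software = $software
    }
}

$hardwareRows = @()
$softwareRows = @()
foreach ($computer in $Computers) {
    $result = if ($computer -eq 'localhost') { & $collect }
              else { Invoke-Command -ComputerName $computer -ScriptBlock $collect }

    $hardwareRows += $result.Hardware | Select-Object @{n='Computer'; e={ $computer }}, *

    foreach ($app in $result.Software) {
        $approved = $false
        foreach ($pattern in $ApprovedSoftware) {
            if ($app.DisplayName -like $pattern) { $approved = $true; break }
        }
        $softwareRows += [pscustomobject]@{
            Computer    = $computer
            Name        = $app.DisplayName
            Version     = $app.DisplayVersion
            Publisher   = $app.Publisher
            InstallDate = $app.InstallDate
            Approved    = $approved
        }
    }
}

$stamp = Get-Date -Format 'yyyyMMdd'
$hardwareRows | Export-Csv "hardware-inventory-$stamp.csv" -NoTypeInformation
$softwareRows | Export-Csv "software-inventory-$stamp.csv" -NoTypeInformation

# Review list: everything installed that is not on the allow-list.
$softwareRows | Where-Object { -not $_.Approved } | Sort-Object Computer, Name | Format-Table -AutoSize
```

The OS version and build columns are what make the hardware CSV useful against vendor advisories: a vulnerability announced for a specific build can be matched to affected machines without touching them again, and a dated CSV per run gives the auditor evidence that the inventory is maintained rather than reconstructed.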
