2019 Vol. 103 No. 4

Hoosier Banker 53

Notes
1 Intrusion detection systems / intrusion prevention systems.
2 Sponsored by the Office of Cybersecurity and Communications of the U.S. Department of Homeland Security, CVE is the de facto global standard for the identification and definition of security vulnerabilities.
3 Nessus is a proprietary vulnerability scanner developed by Tenable Inc., a cyber exposure company.
4 Secure Sockets Layer.

The following items include text from the Common Vulnerabilities and Exposures database[2] and from findings identified by Nessus, a vulnerability assessment scanner.[3]

Security protocol. Most findings relate to institutions still running version 1.0 of the transport layer security (TLS) protocol (TLSv1). This protocol encrypts communication over a network using a symmetric key system. Originally, many governing bodies listed June 2016 as the deadline for deprecation of TLSv1, although the deadline was eventually extended to 2018. As of that 2018 deadline and moving forward, TLSv1 is considered a vulnerability. Institutions can correct this vulnerability by upgrading to TLSv1.1 or TLSv1.2.

SSL certificates. Many institutions have findings related to SSL[4] certificates that cannot be trusted. An SSL certificate verifies that the data being shared comes from a trusted source. When the certificate is correctly installed on the institution's web server, a secure connection is established. A registered certificate authority issues these certificates to ensure authenticity. Out-of-date certificates leave the institution open to man-in-the-middle attacks, in which an attacker secretly relays, and possibly alters, communication between two parties who believe they are communicating directly with each other.
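As an added illustration of the protocol-version finding above, and of the cipher-strength finding discussed further down the page, here is a Go program that is not from the article or its authors. It builds a server configuration of the kind the scanner flags (TLS 1.0 still permitted, 3DES and RC4 suites offered) next to a corrected one, and audits each against the article's rule: a suite is medium strength when its key is shorter than 112 bits or it uses 3DES. The suite lists, the threshold handling and the function names are this example's own assumptions; the audit keys off Go's cipher suite names rather than any scanner output.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Finding records one cipher suite the audit flags and the reason.
type Finding struct {
	Suite  string
	Reason string
}

// keyBits returns the effective symmetric key length implied by a Go cipher
// suite name, or 0 when the name is not recognized.
func keyBits(name string) int {
	switch {
	case strings.Contains(name, "AES_256"), strings.Contains(name, "CHACHA20"):
		return 256
	case strings.Contains(name, "AES_128"), strings.Contains(name, "RC4_128"):
		return 128
	case strings.Contains(name, "3DES"):
		return 112 // 168-bit key, but meet-in-the-middle reduces it to about 112 bits
	default:
		return 0
	}
}

// AuditCipherSuites applies the article's medium-strength rule (key shorter
// than 112 bits, or 3DES) and also flags RC4, NULL and EXPORT suites, which
// are broken regardless of key length. It returns one Finding per bad suite.
func AuditCipherSuites(ids []uint16) []Finding {
	var findings []Finding
	for _, id := range ids {
		name := tls.CipherSuiteName(id) // "0x...." for ids Go does not know
		bits := keyBits(name)
		switch {
		case strings.Contains(name, "3DES"):
			findings = append(findings, Finding{name, "3DES is medium strength"})
		case strings.Contains(name, "RC4"), strings.Contains(name, "NULL"), strings.Contains(name, "EXPORT"):
			findings = append(findings, Finding{name, "broken or null cipher"})
		case bits == 0:
			findings = append(findings, Finding{name, "unrecognized suite; review manually"})
		case bits < 112:
			findings = append(findings, Finding{name, fmt.Sprintf("%d-bit key is below 112 bits", bits)})
		}
	}
	return findings
}

// AllowsLegacyTLS reports whether a config would still negotiate TLS 1.0 or
// 1.1. A zero MinVersion defers to the library default and is treated as
// permissive here, so an unset floor is never silently accepted.
func AllowsLegacyTLS(cfg *tls.Config) bool {
	return cfg.MinVersion < tls.VersionTLS12
}

// LegacyServerConfig mirrors the kind of setup the findings describe: TLS 1.0
// still enabled and 3DES/RC4 suites offered. Constructed for this example.
func LegacyServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_RSA_WITH_RC4_128_SHA,
		},
	}
}

// HardenedServerConfig is the corrected version: TLS 1.2 as the floor and only
// forward-secret AEAD suites with 128-bit or larger keys. The caller still has
// to add its Certificates before use.
func HardenedServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{ // consulted for TLS 1.2; Go fixes the TLS 1.3 suites itself
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

func main() {
	for _, cfg := range []*tls.Config{LegacyServerConfig(), HardenedServerConfig()} {
		fmt.Printf("legacy TLS allowed: %v\n", AllowsLegacyTLS(cfg))
		for _, f := range AuditCipherSuites(cfg.CipherSuites) {
			fmt.Printf("  %s: %s\n", f.Suite, f.Reason)
		}
	}
}
```

The audit is deliberately name-based so it can be pointed at any list of suite identifiers, for example the ones pulled from a scanner report, not only at a Go configuration; unknown identifiers are reported rather than ignored so that a suite the tool cannot classify still ends up in front of a reviewer.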
Take the following steps to make sure your certificates work to keep information safe:

1. Confirm that the top of the certificate chain sent by the server is from a known public certificate authority. When the top of the chain is an unrecognized self-signed certificate, or when intermediate certificates are missing, the certificate may fail.

2. Make sure the certificate chain contains a certificate that is valid at the time of the scan. If the scan occurs before one of the certificate's "Not Before" dates, or after one of the certificate's "Not After" dates, it can fail.

3. Ensure that the certificate chain does not contain a signature that fails to match the certificate's information, or a signature that cannot be verified. A bad signature can be resolved by having the certificate re-signed by its issuer.

Cipher strength. Medium-strength ciphers are those using keys of fewer than 112 bits (but more than 64), or those using 3DES encryption. Using weak encryption makes your organization susceptible to attackers. The fix is to configure applications to use higher-strength ciphers.

Internet Key Exchange. Essentially, IKE version 1 supports aggressive mode with pre-shared key (PSK) authentication. "Aggressive mode" refers to the nature of the encryption between the two entities taking part in the key exchange. Using aggressive mode means the identity of the two entities in the key exchange is not encrypted. Using this type of authentication allows an attacker to crack the PSK of a virtual private network gateway. The easiest fix is to upgrade to IKE v2, which does not allow aggressive mode. If upgrading isn't an option, IKE v1 allows for "main mode," which encrypts the identity of the entities involved in the key sharing. If none of these options are available, use very strong keys.

Protect Your Institution

Cybersecurity and IT risks present some of the scariest challenges to financial institutions.
To compound the problem, an IBM study conducted by the Ponemon Institute, an independent research firm, and published in 2018 found that the average time from breach to discovery is 197 days. This means attackers could be in your network for more than six months before you know it! For the security of your institution and your accountholders, don't treat audits or security testing as a compliance "check the box." These risks should be analyzed with the same priority and level of concern as credit or liquidity risks. HB
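The three certificate checks listed earlier on this page, carried out in code as an added example that is not part of the article: the Go program below uses the standard crypto/x509 package and builds a throwaway PKI in memory (one trusted root, one unknown self-signed root, and leaves with different defects), so every name, validity window and serial number in it is constructed for the demonstration. CheckChain reports which of the three steps a server-sent chain fails; the newCert helper exists only to manufacture test certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainError reports which of the article's three checks failed and on which
// certificate: Step 1 (untrusted top), 2 (validity window) or 3 (signature).
type ChainError struct {
	Step int
	Cert string
	Err  error
}

func (e *ChainError) Error() string {
	return fmt.Sprintf("step %d failed on %q: %v", e.Step, e.Cert, e.Err)
}

// CheckChain runs the three checks on a server-sent chain (leaf first) against
// the roots the institution recognizes, as of scan time now. nil means all passed.
func CheckChain(chain []*x509.Certificate, roots []*x509.Certificate, now time.Time) *ChainError {
	if len(chain) == 0 {
		return &ChainError{1, "", fmt.Errorf("server sent no certificates")}
	}
	// Step 1: the top of the chain must be (or be issued by) a known root.
	top := chain[len(chain)-1]
	trusted := false
	for _, r := range roots {
		if top.CheckSignatureFrom(r) == nil {
			trusted = true
			break
		}
	}
	if !trusted {
		return &ChainError{1, top.Subject.CommonName, fmt.Errorf("top of chain is not issued by a recognized CA")}
	}
	// Step 2: every certificate must be inside its Not Before / Not After window.
	for _, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return &ChainError{2, c.Subject.CommonName, fmt.Errorf("not valid at %s", now.Format(time.RFC3339))}
		}
	}
	// Step 3: each certificate's signature must verify under its issuer's key.
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return &ChainError{3, chain[i].Subject.CommonName, err}
		}
	}
	return nil
}

var serial int64 // constructed serial numbers for the in-memory PKI

// newCert issues a certificate for cn, signed by parent (self-signed when
// parent is nil) and valid over [notBefore, notAfter]. Test-only helper;
// it panics on error because it only ever runs on constructed input.
func newCert(cn string, isCA bool, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signer := key
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent = tmpl // self-signed
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// RunScenarios builds the constructed PKI and returns, per scenario, the step
// that failed (0 when the chain passed all three checks).
func RunScenarios() map[string]int {
	now := time.Now()
	year := 365 * 24 * time.Hour
	root, rootKey := newCert("Trusted Root CA", true, now.Add(-time.Hour), now.Add(10*year), nil, nil)
	rogue, rogueKey := newCert("Unknown Self-Signed CA", true, now.Add(-time.Hour), now.Add(10*year), nil, nil)
	leaf, _ := newCert("bank.example", false, now.Add(-time.Hour), now.Add(year), root, rootKey)
	rogueLeaf, _ := newCert("bank.example", false, now.Add(-time.Hour), now.Add(year), rogue, rogueKey)
	expired, _ := newCert("bank.example", false, now.Add(-2*year), now.Add(-year), root, rootKey)
	// Flip the last byte of the leaf's DER, which lies inside its signature value.
	bad := append([]byte(nil), leaf.Raw...)
	bad[len(bad)-1] ^= 0xff
	tampered, err := x509.ParseCertificate(bad)
	if err != nil {
		panic(err)
	}
	chains := map[string][]*x509.Certificate{
		"valid chain":         {leaf, root},
		"unknown self-signed": {rogueLeaf, rogue},
		"expired leaf":        {expired, root},
		"corrupted signature": {tampered, root},
	}
	result := make(map[string]int)
	for name, chain := range chains {
		if e := CheckChain(chain, []*x509.Certificate{root}, now); e != nil {
			result[name] = e.Step
		} else {
			result[name] = 0
		}
	}
	return result
}

func main() {
	for name, step := range RunScenarios() {
		fmt.Printf("%-22s failed step %d (0 = passed)\n", name, step)
	}
}
```

The checks are separated so that each maps onto one of the three findings; in production code the single call x509.Certificate.Verify performs all of them (plus hostname matching and name constraints) and is the right thing to run, but it reports only the first failure, which is why a per-step breakdown like this is useful when triaging scanner output.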
