2009 3rd Quarter Newsletter
The Scoop on "Pen Tests"
Tony and I call on a lot of community banks and one thing that seems to be consistent is the lack of a true definition of what constitutes a penetration test. Here’s a quick description of the three types of pen tests:
ELECTRONIC VULNERABILITY SCAN
This is by far the most common type of test, and it is the first line of defense for your network. It actually isn’t really a “pen test”, as it only looks for and identifies places in a computer or device that could be vulnerable to an attack. The scan can check your network from either the outside or the inside. A list of suspected vulnerabilities is delivered, and your IT personnel then act to fix these issues. So far, this seems to satisfy most examiners looking for a “pen test”. The vulnerability scan can also be “turned up” to try to attack, or penetrate, any vulnerability found, but in most instances this isn’t done, because the attempt itself could compromise the network. Due to the massive increase in the number of exploits being added to the scan libraries, the external, or outward-facing, public IP addresses should be scanned more often than the internal ones, which are protected by your firewall. NSS recommends that an external scan be run monthly and an internal scan be run quarterly, or at least annually.
PHYSICAL PENETRATION TEST
Usually performed in conjunction with the electronic pen test, this test has vendor personnel use social engineering methods to attempt to compromise the subject network. This involves trying to gain access to computer rooms, employees’ desks and other areas where access to data is available. With the advent of the latest generation of electronic defenses, the hacker’s emphasis has shifted to the new “weak link”: bank personnel. We’ve found that, particularly in community banks, employees are trained to go out of their way to help, and the hacker will use this trait to gain unauthorized access. Vendor personnel will visit branches, act as customers and, in general, try many different ways to outsmart the employees. This is a good exercise to run annually; it serves as a good way to keep everybody on their toes.
We are seeing a new emphasis by hackers on attacking smaller and smaller financial institutions. Remember that a community bank is now in the information business and the information on your servers is often worth more than the money in your vault.
It’s good practice to understand just what you can do to protect this valuable asset. Please email me at gkramer@netsecuritysvcs.com or call me at 832-368-2575 if you need any more information.
Glenn Kramer
The Death of Cash
It has long been my assertion that hard currency, or cash as we know it, is dying. A few years ago, its use was surpassed in the US by electronic transactions (credit/debit). This differential will continue to grow until the use of cash to transact business is all but dead. It may still be legal tender, but the number of restrictions, fees and other limitations will drive all but the most dedicated to abandon its use. A recent event went mostly unnoticed but highlighted this change. The Federal Reserve closed the San Antonio Federal Reserve item processing center, consolidating much of the activity at the Dallas Fed to Baltimore. This means they are processing fewer and fewer check items. You have probably noticed this trend in your increasing percentage of debit and ACH transactions. The truth is that the younger generation does not understand cash and checks and prefers to work online or with a card.
What does this mean to your bank? It means that all your cash management procedures and protections around physical currency, finely honed over decades, will become less and less important, and security measures around electronic transactions will become more and more significant. The reality is that even today, you are no longer in the money business. You are in the financial information business. Most of your job is moving electronic zeros and ones, representing your customers’ net worth, back and forth over electronic systems. Protecting the confidentiality and integrity of those zeros and ones becomes job number one in the bank of the future. You will be using more and more of your resources for this type of activity. Things like online banking and bill pay will continue to expand and morph to become primary services for your bank. Branch capture and even remote deposit will become more accepted, and even expected, by a younger customer base that takes electronic interchange as a given.
To survive and thrive in this new era, you have to train your employees to think of the computer room, the server and even their individual PCs as the new “Vault”. Most bank employees would never think to give a stranger access to their cash vault. However, it is often surprisingly easy to convince them to let someone into the computer room unescorted. Access to computers, the keys, the codes, even the login IDs are the “Keys” to your kingdom. Put in this light, employees should have a more accommodating attitude when asked to change their passwords so often; if they equate it with the complicated procedures they follow when handling and accounting for cash, it isn’t that much different. The thing to emphasize is that while cash is important, if it is stolen it can always be recovered, and insurance covers large losses. However, if customer information is stolen from the “electronic vault”, it can never be recovered. Customer identities can be copied and traded a million times and float around in cyberspace forever, affecting the bank’s reputation for years.
NSS offers general IT Security awareness classes that teach these concepts to employees in an interesting and engaging way to make sure they take away the lessons of how important cyber security is to your bank now and into the future. Contact our office for more information.
Tony Howlett
The Physical Side of IT Security
Data protection is only half of your business's IT security strategy — the other part is physical.
Firewalls, anti-malware applications, encryption technology and other data-security tools are all important, but so is the physical protection of your company's systems and storage media. Sadly, many businesses have confidently installed a full complement of data-security measures only to have a thief walk through the door and steal the server.
Here's how to make sure that your IT assets are protected against real-world threats such as burglars, vandals and employees with sticky fingers.
Lock the door. A high-quality deadbolt lock, mounted on a strong, metal door, is the cheapest and most effective physical security investment a company can make. Locked doors can help keep items such as workstations, servers, mobile devices and data discs from "walking away" or being tampered with. If your company's budget allows, you may also want to install additional lock technologies such as a PIN keypad or a card or fingerprint reader.
Install a surveillance system. Recent technological advancements — and price reductions — have made cameras, motion detectors and other surveillance technologies far more useful and affordable. Deploy these devices at strategic locations inside and outside your business's premises. Besides protecting IT assets, surveillance systems can enhance your company's overall physical security.
Use rack-mounted equipment. It's a lot easier for a thief to walk off with a stand-alone server or network device than one that is mounted inside a rack. Rack-mounted gear also tends to be slightly less expensive to buy and is much easier to organize and service than stand-alone hardware.
Corral your portable devices. Any laptop, PDA or other portable device that isn't actually being used by an employee should be stored inside a securely locked room. You may even want to double the protection by chaining laptops to a wall or another permanent fixture with a cable lock. Smaller devices can be safely stored in a locked filing cabinet or safe.
Exile your backups. You can safely store primary backups inside the same locked room as your laptops and other mobile devices. Also, plan to keep secondary backup copies at a second site in case a fire or other calamity wipes out your primary business location. Be sure to use locks and other physical security tools at your remote storage site.
Seal open ports. Consider removing or sealing (with glue) open USB and FireWire ports on your office workstations. This move will keep employees and visitors from stealing data by plugging a USB drive, an iPod or a smartphone into a workstation.
Secure vulnerable workstations. Computers — particularly systems that are located in public places like a reception area or a point-of-sale location — are vulnerable to grab-and-run thieves. Make sure that these machines are securely attached to the desk or table.
Lock the cases. Each workstation should be locked down to prevent a thief from reaching inside the machine and stealing its hard drive — and the valuable data it contains. A variety of vendors offer inexpensive case locks.
Protect your printers. A stolen printer is a nuisance and a minor financial loss. Potentially far more valuable is the data that resides inside the printer's memory. A thief in possession of a company printer may be able to make copies of recently printed documents. Printers should be bolted down to prevent theft.