Pub. 11 2016-2017 Issue 1
www.nebankers.org 20 Extraordinary Service for Extraordinary Members.

Security Self-Help
TECH TALK
Craig Schurr, CISA, CISSP, CCNP, CoNetrix

Craig Schurr is a security and compliance consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem—a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit CoNetrix at www.conetrix.com.

Most small to medium-sized community banks rely on an outside vendor to perform security testing, oftentimes in the form of a penetration test or IT/GLBA security audit. Engagements performed by independent third parties can help identify security oversights and issues that might be outside the internal staff's expertise. However, developing an in-house security testing plan is also critical to the overall success of information security and cybersecurity programs.

While not currently mandatory, working through the FFIEC Cybersecurity Assessment Tool is an excellent starting point to gain a greater understanding of your institution's overall risk profile. Working through the tool is a valuable exercise that allows you to step back and take a more objective view of your security program. Performing the initial assessment provides financial institutions with baseline data that identifies the activities and products posing the greatest risk or concern. Subsequent assessments then can be used to track progress as the information and cybersecurity programs continue to grow and adapt.

Developing verification processes and checklists is a good starting point for smaller institutions that outsource some, or all, IT functions. For example, developing a new computer checklist can help make sure all of the intended controls are working on newly implemented systems. A simple checklist might include verifying the following:

• Antivirus software is installed with up-to-date definitions.
• Web-filtering rules are restricting access appropriately.
• Removable media (USB, CD/DVD, etc.) controls are working.
• Screensavers are set to lock after a specified time of inactivity.

Setup checklists also can be used to perform periodic spot checks or, for regression testing, to ensure primary security controls are working as intended. For example, you might want to spot check several workstations to ensure antivirus controls are still working as expected after installing an update to endpoint security software. For more established in-house IT departments, security baseline checklists can be used by a second administrator, or possibly audit personnel, to ensure the intended controls are implemented.

Since outsourced external penetration testing is typically performed on a periodic basis, it is important to develop and run some verification tests on newly deployed systems that are exposed to the Internet. SSL/TLS vulnerabilities and configuration weaknesses on exposed web services are common issues when performing external penetration tests. Several SSL/TLS vulnerabilities made worldwide headlines over the last few years (e.g., POODLE and Heartbleed). Often, these weaknesses are discovered on dedicated appliances like VPN firewalls or secure email gateways because they are assumed to be securely configured by default. Qualys' SSL Labs SSL Server Test (https://www.ssllabs.com/ssltest) is a simple-to-use but extensive free service that can be used to validate the configuration of any SSL/TLS service.

The ever-changing threat landscape makes entering into the security testing realm seem very overwhelming. However, as with developing any other skillset, the hardest step is the first step. It is unrealistic to expect to know everything about security testing. A quote from Nelson Mandela comes to mind, "It always seems impossible until it's done." As we continue to learn and develop security skillsets, tasks like assessing risk and developing appropriate mitigating controls will start to become easier and, hopefully, more proactive.
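The SSL/TLS verification test the article calls for on newly exposed systems, as an added example that is not part of the article or of CoNetrix's tooling: a Python spot check that offers one protocol version at a time to an Internet-facing service and turns the answers into checklist findings. The host name is a placeholder, and the finding rules (SSLv3 accepted means POODLE exposure; TLS 1.0/1.1 accepted is deprecated; no TLS 1.2/1.3 is a failure) are the assumptions the check encodes.

```python
import socket
import ssl

VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_protocols(host, port=443, timeout=5.0):
    """Per version: True = server accepted it, False = refused/failed,
    None = this client's OpenSSL build cannot offer that version at all."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Certificate checks are off on purpose: this probe tests which
        # protocol versions the server negotiates, not the certificate chain.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = version
        except ValueError:
            results[name] = None  # e.g. SSLv3 compiled out of OpenSSL
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError):
            results[name] = False
    return results

def evaluate(results):
    """Turn probe results into checklist findings; an empty list is a pass."""
    findings = []
    if results.get("SSLv3"):
        findings.append("SSLv3 enabled: vulnerable to POODLE, disable it")
    for legacy in ("TLSv1.0", "TLSv1.1"):
        if results.get(legacy):
            findings.append(f"{legacy} enabled: deprecated, disable it")
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        findings.append("no TLSv1.2 or TLSv1.3: modern clients will fail to connect")
    return findings

if __name__ == "__main__":
    host = "vpn.example.com"  # placeholder: put your own Internet-facing host here
    for line in evaluate(probe_protocols(host)) or ["no protocol findings"]:
        print("-", line)
```

A False for an old version can also mean this client's own OpenSSL refused to offer it, so treat the script as a quick spot check and confirm anything surprising with the SSL Labs test the article recommends.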