Pub. 12 2017-2018 Issue 4
WWW.NEBANKERS.ORG

TECH TALK

SAFELY SURFING

Daniel Lindley, Network+, CISA, ISACA Cybersecurity Fundamentals, CISSP, HCISPP, CoNetrix

Daniel Lindley is a security and compliance consultant for CoNetrix, a technology firm dedicated to understanding and assisting with the information and cybersecurity needs of community banks. Offerings include information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and tandem software, used by more than 1,400 financial institutions to help manage their information security programs, cybersecurity, and more. Visit CoNetrix at www.conetrix.com.

From our desktops to our phones, we are a connected society. We check email, social networking sites, news sites, message boards, and a large variety of other websites on a daily basis without thinking about the security implications of having billions of devices connected to countless interconnected servers that are run by people we have never met, through an Internet infrastructure that was created without security in mind. While this is scary enough from a personal standpoint, it has even larger implications for businesses that store and transmit confidential company and customer data. Actions may be taken, however, to help mitigate some of the security concerns that go hand in hand with Internet browsing.

First, it is extremely important to limit system and network privilege levels for employees with Internet access. A recent analysis of Microsoft vulnerabilities by the security company Avecto revealed that 94 percent of critical Microsoft vulnerabilities reported in 2016 were mitigated by removing local administrative rights.¹ In other words, if your employees don't have local administrator rights on their systems, the vast majority of critical Microsoft vulnerabilities would already be addressed without additional controls. Now, at times, a vendor will push for local administrator privileges for employees in order for the vendor's software to run without issues. While this was acceptable many years ago, it is no longer a viable option, and other controls, such as limiting elevated privileges to certain directories through whitelisting, should be considered instead.

In addition to normal users, it is perhaps even more important that domain administrators do not browse the web while logged in with their administrative accounts, but instead use a standard account for normal tasks and only elevate when necessary. While an argument can be made that domain administrators are typically more security minded than the standard employee, they also have far greater capacity to install malware on all of the systems in the network domain.

Secondly, restrictions should be in place for connecting to the Internet. This includes not only general ingress (incoming traffic) and egress (outgoing traffic) filtering at the firewall level, but also blocking access to sites and site categories that are not necessary for business use. At the firewall level, any known malicious IP addresses should be blacklisted, and access to/from arbitrary external IPs should not be allowed but instead limited to the IPs of the core provider, IT vendor, etc. As far as site category blocking is concerned, a number of categories should be restricted for all employees, such as gambling, adult, and file sharing, while other categories, such as webmail, cloud file storage, and social networking, should be restricted for most employees, with exceptions granted for legitimate business use only if approved by the board and senior management.

It is surprising how often we see a disconnect between the number of security controls in place for company email through Exchange/Outlook and the wide-open access granted to personal email sites. Malicious email is being sent to ALL available email addresses, and personal web-based email is possibly an even bigger threat than business email due to the lack of controls in place.

Finally, it all comes down to the user, which is both an encouraging and a frightening statement. All it takes is one individual downloading ransomware or visiting a malicious site for company systems to be compromised. Because of this, most businesses take a defense-in-depth approach that includes firewalls, antivirus, effective patch management procedures, email filtering, and various other items; however, this approach sometimes skimps on training the employee who is actually using company systems and accessing critical data. Hardware and software are important, but these controls will fail from time to time. At that point, it is up to the individual employees to maintain effective security. They need to be informed and reminded about acceptable Internet usage and then tested to ensure this knowledge is retained and put into practice.

In summary, even though it was created without security in focus, the Internet can be safely surfed if the proper precautions are taken, effective controls are put into place (and tested!), and users are trained to be aware of the sites they visit and the actions they take when connected to the web.

¹ https://www.avecto.com/news-and-events/news/94-of-critical-microsoft-vulnerabilities-itigated-y-removing-admin-rights
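The article's first recommendation, removing local administrator rights, is only as good as an institution's ability to verify it. The following PowerShell script is an added example (not code from the article or from CoNetrix) that audits the local Administrators group on a Windows workstation and reports any member not on an approved list. It relies on Get-LocalGroupMember, which ships with Windows 10 and Windows Server 2016 and later; the allowlist entries (`Administrator`, `CORP\Workstation Admins`) are hypothetical placeholders to be replaced with the institution's own approved accounts and groups.

```powershell
# Added example, not code from the article or from CoNetrix: audit the local
# Administrators group on a Windows workstation and report any member that is
# not on an approved list. Uses Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts,
# Windows 10 / Server 2016 and later). The allowlist entries are hypothetical.

$ApprovedAdmins = @(
    'Administrator',            # built-in local account (hypothetical allowlist entry)
    'CORP\Workstation Admins'   # hypothetical domain group used for approved elevation
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # Each member carries Name (e.g. "CORP\jdoe" or "HOST\Administrator"),
    # ObjectClass (User/Group) and PrincipalSource (Local/ActiveDirectory/...).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        # Drop the "HOST\" prefix so local accounts match allowlist entries written
        # without a computer name; domain entries are compared in full.
        $shortName = $m.Name -replace ('^' + [regex]::Escape($env:COMPUTERNAME) + '\\'), ''
        if (($Approved -notcontains $m.Name) -and ($Approved -notcontains $shortName)) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass
                PrincipalSource = $m.PrincipalSource
            }
        }
    }
}

$findings = @(Get-UnapprovedLocalAdmins)
if ($findings.Count -gt 0) {
    Write-Warning "Unapproved members of the local Administrators group:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "Local Administrators group contains only approved members."
}

# To sweep a fleet, run the function remotely and pass the allowlist explicitly
# (the workstation list file is a hypothetical input):
# Invoke-Command -ComputerName (Get-Content .\workstations.txt) `
#     -ScriptBlock ${function:Get-UnapprovedLocalAdmins} -ArgumentList (,$ApprovedAdmins)
```

On a domain-joined machine the domain's own administrative group is normally a member of the local Administrators group by default, so it belongs on the allowlist; anything else that appears, especially individual user accounts, is exactly the kind of standing privilege the article recommends removing.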
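The article's second recommendation is to limit outbound connections to the IPs of the core provider, IT vendor and other approved destinations. The following PowerShell script is an added example (not code from the article) that expresses such an egress allowlist as CIDR ranges with approved ports and runs a batch of outbound-connection records against it, reporting every record that falls outside the list. The allowlist, the comma-separated record format and the sample records are all constructed for this example; RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) stand in for real provider addresses.

```powershell
# Added example, not code from the article: check outbound-connection records
# against an egress allowlist (core provider, IT vendor, etc.) and report every
# connection that falls outside it. The allowlist, the record format and the
# sample records below are all constructed for this example.

$ApprovedEgress = @(
    @{ Cidr = '203.0.113.0/24';   Ports = @(443) }       # hypothetical core provider, HTTPS only
    @{ Cidr = '198.51.100.10/32'; Ports = @(443, 3389) } # hypothetical IT vendor support host
)

# Constructed sample records: timestamp,sourceIP,destinationIP,destinationPort
$SampleLog = @'
2018-03-01T09:15:02,10.0.5.21,203.0.113.45,443
2018-03-01T09:15:07,10.0.5.21,198.51.100.10,3389
2018-03-01T09:16:11,10.0.5.33,192.0.2.77,8080
2018-03-01T09:17:45,10.0.5.33,203.0.113.200,25
'@

function ConvertTo-IPv4Int {
    param([string]$IP)
    # Build the big-endian 32-bit value in a UInt64 so bitwise operations stay unsigned.
    $value = [uint64]0
    foreach ($octet in ([ipaddress]$IP).GetAddressBytes()) {
        $value = ($value * [uint64]256) + [uint64]$octet
    }
    return [uint64]$value
}

function Test-IPv4InCidr {
    param([string]$IP, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    # Mask with the top $prefix bits set, e.g. /24 -> 0xFFFFFF00
    $mask = [uint64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    $ipBits  = [uint64](ConvertTo-IPv4Int $IP) -band $mask
    $netBits = [uint64](ConvertTo-IPv4Int $network) -band $mask
    return ($ipBits -eq $netBits)
}

function Get-UnapprovedEgress {
    param([string]$LogText = $SampleLog, [object[]]$Allowed = $ApprovedEgress)
    foreach ($line in ($LogText -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $time, $src, $dst, $port = $line -split ','
        $permitted = $false
        foreach ($entry in $Allowed) {
            # A connection is approved only when both the destination range AND the port match.
            if ((Test-IPv4InCidr -IP $dst -Cidr $entry.Cidr) -and ($entry.Ports -contains [int]$port)) {
                $permitted = $true
                break
            }
        }
        if (-not $permitted) {
            [pscustomobject]@{ Time = $time; Source = $src; Destination = $dst; Port = $port }
        }
    }
}

Get-UnapprovedEgress | Format-Table -AutoSize
# Expected: the 192.0.2.77:8080 record (destination not on the allowlist) and the
# 203.0.113.200:25 record (approved range, but SMTP is not an approved port).
```

Checking the port alongside the address is deliberate: an allowlist built on IP ranges alone would pass the SMTP connection to the core provider's range, even though only HTTPS was approved. Reviewing the records a perimeter firewall actually permits, rather than only its configured rules, is one way to test that the egress controls the article calls for are working as intended.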
