Pub. 13 2018-2019 Issue 6

NEBRASKA BANKERS ASSOCIATION 17 Andrew Hettick is an Audit and Security Consultant for CoNetrix. CoNetrix is a technology firm dedicated to understanding and assisting with the information and cyber security needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and tandem software, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Programs. Visit our website at www.conetrix.com . Utilizing Default Credentials One common security mistake that is more common than you might realize is that of not updating default account cre- dentials. If default credentials are left unchanged in a system or application, an attacker may be able to use those credentials to obtain legitimate authentication and thereby circumvent a large number of security controls. Also, due to the fact that the attacker is able to authenticate to the system with proper credentials, it is quite difficult to identify and respond to these intrusions. Make sure to update all default credentials when systems are set up on the network and change default admin- istrator account names. Lack of Controls on Mobile Devices In the ever-growing mobile device landscape, it is impor- tant to have controls in place to protect data on those devices. Utilizing some kind of mobile device management application is imperative in environments in which sensitive informa- tion, such as company email, is stored on mobile phones or tablets. This type of software can enforce security policies such as requiring a passcode, or allowing remote wiping of a device in the event of the device being lost or stolen. A mobile device management application can enforce encryption on devices as well. Unsupported Hardware and Software Another common security mistake that institutions make is that of utilizing unsupported hardware or software in the network. When a hardware appliance or software application reaches its end of support date, its vendor stops producing security updates and any vulnerabilities that are subsequently discovered are no longer patched. Staying abreast of end-of-life dates takes organization and foresight, but is necessary in order to ensure that hardware and software are updated before they are vulnerable. Maintaining accurate hardware and software inventories, which include accurate end-of-life dates, is a key step to take toward ensuring that these systems can be replaced in a timely manner. Inadequate Training Against Phishing and So- cial Engineering Attacks All companies face risks associated with social engineering attacks in which the attacker targets the human element of security. In social engineering attacks, the attacker tries to con- vince an employee to performan unknowinglymalicious action. Therefore, it is important to train employees to be suspicious of any unsolicited calls, emails, or even face-to-face interactions in which someone is asking about confidential information. Em- ployees should be instructed to avoid clicking links or opening attachments unless they can verify that they are legitimate. To supplement training, utilize internal social engineering tests that simulate an actual attack to help employees identify and respond to malicious activity. Failing to Follow Established Policies and Procedures The final frequently observed securitymistake to avoid is that of employees not being aware of – or not following – documented Proudly offering group insurance to NBA members for more than 30 years. To learn about our plans, visit nbaveba.com An Independent Licensee of the Blue Cross and Blue Shield Association company policies and procedures. As with social engineering awareness, extensive employee training is needed to ensure all applicable employees aremade aware of the proper procedures to follow. When new policies are put into place or existing policies are updated, employee training processes should be changed ac- cordingly, and employees should be made aware of the changes in a timely manner. These vulnerabilities are not secret, and most attackers know to look for these weaknesses. In the midst of the ever- changing security landscape, it is important to address these common areas attackers know are often vulnerable. Take the necessary steps to ensure appropriate technical controls are in place and train employees to be security-minded. Addressing these five common mistakes will greatly increase the security of your institution. 