Thursday, December 18, 2014

Banks: Federal/State Rules

No holiday would be complete without a stern warning to the banking industry from both state and federal regulators, right?  Ho, ho, ho, Merry Christmas: can you please assure us that your security controls are in order!

I was going to review the "new" security regulations from Governor Andrew Cuomo's Department of Financial Services for chartered banks in New York State.  The Superintendent of the Department of Financial Services issued a press release and a letter to chartered New York financial institutions.  After reviewing the memo I concluded that if all companies implemented the items in the Superintendent's letter, the public and private industries would be in a much better place.

Then late yesterday Joel Anderson, spokesman for the OCC (Office of the Comptroller of the Currency), one of the member agencies of the FFIEC (Federal Financial Institutions Examination Council), spoke up.  Mr. Anderson, responding in an interview in American Banking Magazine, stated "we already do this" and that what's going on in New York is nothing new.

This is what New York DFS said they would look for:

New Rules: NYS
  • Corporate governance, including organization and reporting structure for cyber security related issues;
  • Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
  • Resources devoted to information security and overall risk management;
  • The risks posed by shared infrastructure;
  • Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
  • Information security testing and monitoring, including penetration testing;
  • Incident detection and response process, including monitoring;
  • Training of information security professionals as well as all other personnel;
  • Management of third-party service providers;
  • Integration of information security into business continuity and disaster recovery policies;
  • Cyber security insurance coverage and other third party protections.
These are all things we at Integris Security do.

New York State then went on to list more topics on which chartered banks in NYS would be expected to furnish information.  We list them here for your review:

1.  Provide the CV and job description of the current Chief Information Security Officer or the individual otherwise responsible for information security, describe that individual's information security training and experience, and identify all reporting lines for that individual, including all committees and managers. In addition, provide an organization chart for your institution's IT and information security functions.
2.  Describe the extent to which your institution maintains information security policies and procedures designed to address the information security goals of confidentiality, integrity, and availability. Provide copies of all such information security policies.
3.  Describe how data classification is integrated into information risk management policies and procedures.
4.  Describe your institution's vulnerability management program as applicable to servers, endpoints, mobile devices, network devices, systems, and applications.
5.  Describe the organization's patch management program including how updates, patches, and fixes are obtained and disseminated, whether processes are manual or automated, and how often they occur.
6.  Describe identity and access management systems employed by the organization for both internal and external users, including all administrative, logical, and physical controls and whether such controls are preventive, detective, or corrective in nature.
7.  Identify and describe the current use of multi-factor authentication for any systems or applications.
8.  Describe your institution's due diligence process regarding information security practices that is used in vetting, selecting, and monitoring third-party service providers.
9.  Describe all application development standards utilized by the organization, including the use of a secure software development life cycle, and the extent to which security and privacy requirements are assessed and incorporated into the initial phases of the application development process.
10. Provide a copy of, to the extent it exists in writing, or otherwise describe, the organization's incident response program, including how incidents are reported, escalated, and remediated.
11. Describe the extent to which information security is incorporated into the organization's BCP/DR plan, how and how often the BCP/DR is tested, and the results of the most recent test.
12. Describe any significant changes to the institution's IT portfolio over the last 24 months resulting from mergers, acquisitions, or the addition of new business lines.


It is a positive step forward for the New York State Department of Financial Services to require its chartered financial institutions to meet minimum guidelines for the security of their information technology processes.  These security baselines are critically important not just to financial services institutions but to all public and private entities.  Now that NYS has published these official rules, they should become the benchmark, or de facto standard, against which all other organizations are measured.  These rules are appropriate and an outstanding starting point for anyone who is not sure where to start.

The federal government provides a seemingly endless amount of guidance for the protection of information technology assets.  The feds use the NIST framework and numerous NIST publications to assist everyone involved in the security of IT assets.  The federal regulators have been the go-to professionals in the banking space for establishing standards, so it's not unusual to hear from Mr. Anderson of the OCC or any of the regulators who are part of the FFIEC.

What is the news with this New York letter?  The federal regulators often calibrate their examinations according to asset size, so larger institutions receive more intense evaluation than smaller organizations.  New York, however, has issued a very specific set of rules with which every chartered institution, regardless of size, must be prepared to comply.  This is not a small matter and could have significant cost ramifications.

Lastly, I have for years heard from administrators, managers and CISOs who have tried to get budget authority to make the purchases necessary to secure their environments.  I am suggesting that security personnel use the NYS standards to present to CFOs as justification for future purchases.

Happy Holidays!

Happy Holidays everyone, and a healthy and happy New Year!

All the best

Joe, Phil and Blake

Wednesday, December 3, 2014

The Rear View Mirror

Typically in the information technology sector everyone is focused on what's next: the latest, hottest new application, the coolest mobile telephone and, of course, the workaround that just makes life a little easier.  Not to be ignored are all those newly fashioned functions and features.  Technology at the speed of life, forever changing our lives for the better, right?  Forever looking forward.

2014 has hopefully taught us some very important lessons that should not be ignored, even if we were not directly impacted.  A look in the rear view mirror can sometimes be very revealing.  We are so focused on what's coming directly ahead of us that we refuse to see what's going on right behind us.  So for 2014 let me list a few things which could have made this a better year in the security space.

Network segmentation: "You can't get there from here" should be the mantra, no?  Did we learn anything this past year?  Network segmentation is the practice of splitting a computer network into subnetworks, each being a network segment.  The advantages of such splitting are primarily boosting performance and improving security: a compromise in one segment should not hand an attacker a path into every other segment.  There is a great eWeek article on the subject worth reviewing.

Service Level Agreements: Service agreements are important, and a quick web search can be helpful to identify some key questions for developing such important tools for your company.  The Outsourcing Center has developed ten key questions for developing effective service level agreements.  It's a solid read and you'll find plenty of similar research on the web.  A service-level agreement (SLA) is a part of a service contract where a service is formally defined.  Particular aspects of the service (scope, quality, responsibilities) are agreed between the service provider and the service user.  A common feature of an SLA is a contracted delivery time (of the service or performance).  As an example, Internet service providers and telcos will commonly include service level agreements within the terms of their contracts with customers to define the level(s) of service being sold in plain language terms.  In this case the SLA will typically have a technical definition in terms of mean time between failures (MTBF), mean time to repair or mean time to recovery (MTTR); identifying which party is responsible for reporting faults or paying fees; responsibility for various data rates; throughput; jitter; or similar measurable details. {Attribution: Wikipedia}

Too big to fail: While not at all a technical term, your company would do well to heed this warning.  No company is too big to fail.  No one.  In our recent newsletter we talked about the "breach of the week".  The roadway is littered with companies failing over and over again until everyone in the industry is just tired of hearing of another breach.  The breaches become "white noise", a distraction from the good work being performed by many security professionals in the field.  Fight complacency, challenge everything and everyone with respect, and ask questions.  It won't make you popular, but it will certainly make you a very, very valuable employee.  Please read the Ars Technica article on the subject, because it puts into perspective what can happen after a breach.

Alarms: Alarms are invitations that are yelling out, "Come investigate me; I'm making noise and need your direct, undivided attention."  Please don't ignore alarms.  The story goes like this: "Hey, did you hear that alarm go off?"  "Yeah, I'm getting a cup of coffee.  You want anything?"  "Hey, maybe I'll come with you."  "Great!"  How many times do we ignore the obvious?  Alarms are put in place for a reason, to warn us, right?  If the alarms are not configured appropriately and are creating noise, then someone has to go in and make a determination: either tune them down and accept the consequences, or tune them up and act each time they alert.

Egress Filtering: Is that a freight train of information running out of our company?  Egress filtering is protecting what's going out, as well as protecting others from malware and attacks originating inside your own company.  In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another.  Typically it is information from a private TCP/IP computer network to the Internet that is controlled.  Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.  In a corporate network, the typical recommendation is that all traffic except that emerging from a select set of servers be denied egress.  Restrictions can further be made so that only select protocols such as HTTP, email, and DNS are allowed.  User workstations would then need to be configured, either manually or via proxy auto-config, to use one of the allowed servers as a proxy.  Corporate networks also typically have a limited number of internal address blocks in use.  An edge device at the boundary between the internal corporate network and external networks (such as the Internet) is used to perform egress checks against packets leaving the internal network, verifying that the source IP address in all outbound packets is within the range of allocated internal address blocks.  The purpose is to prevent computers on the internal network from IP address spoofing; such spoofing is a common technique used in denial of service attacks. {Attribution: Wikipedia}
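As an added illustration (not code from the original post, and not a substitute for real firewall rules), the following Python models the two controls from the "Network segmentation" and "Egress Filtering" items above as a single policy evaluator: east-west traffic between zones is dropped unless an explicit segment rule allows it ("you can't get there from here"), outbound traffic is dropped unless it comes from a designated proxy, mail or DNS server on its expected protocol, and any packet whose source address is outside the allocated internal blocks is dropped as spoofed.  The zones, address blocks, designated server addresses and sample flows are all constructed assumptions, not anyone's real network.

```python
"""Policy evaluator for network segmentation and egress filtering.

Added illustration, not code from the original post. Zones, address blocks,
designated servers and sample flows are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Address space the organisation actually allocates internally (assumed).
INTERNAL_BLOCKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Internal segments (assumed layout).
ZONES = {
    "user-lan": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "pos": ip_network("192.168.50.0/24"),
    "dmz": ip_network("10.99.0.0/24"),
}

# Segmentation: the only east-west flows allowed between different zones.
# Anything not listed is "you can't get there from here".
SEGMENT_ALLOW = {
    ("user-lan", "dmz", "tcp", 3128),     # workstations reach the web proxy
    ("user-lan", "dmz", "udp", 53),       # ...and the internal resolver
    ("user-lan", "servers", "tcp", 443),  # business applications
    ("pos", "servers", "tcp", 443),       # POS talks only to the payment app
}

# Egress: the few servers permitted to talk to the Internet, and on what.
EGRESS_ALLOW = {
    ip_address("10.99.0.10"): {("tcp", 80), ("tcp", 443)},  # web proxy
    ip_address("10.99.0.25"): {("tcp", 25)},                # mail relay
    ip_address("10.99.0.53"): {("udp", 53), ("tcp", 53)},   # DNS resolver
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(addr: IPv4Address) -> bool:
    return any(addr in block for block in INTERNAL_BLOCKS)


def zone_of(addr: IPv4Address) -> str | None:
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "drop", reason) for a single flow.

    Order matters: the anti-spoofing check runs first so that a compromised
    host cannot forge an external source address and slip past the rest.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    key = (flow.proto.lower(), flow.dport)

    if not is_internal(src):
        return "drop", "source address not in allocated internal blocks (spoofed)"

    if is_internal(dst):                       # east-west traffic
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            return "drop", "address not assigned to any zone"
        if sz == dz:
            return "allow", f"intra-zone traffic within {sz}"
        if (sz, dz) + key in SEGMENT_ALLOW:
            return "allow", f"segment rule {sz}->{dz} {key}"
        return "drop", f"no segment rule {sz}->{dz} {key}"

    permitted = EGRESS_ALLOW.get(src)          # north-south traffic
    if permitted is None:
        return "drop", "egress only from designated proxy/mail/DNS servers"
    if key not in permitted:
        return "drop", f"{src} not permitted to egress on {key}"
    return "allow", f"egress via designated server {src} {key}"


def audit(flows: list[Flow]) -> dict[str, int]:
    """Evaluate a batch and count decisions; useful over a day of flow logs."""
    counts = {"allow": 0, "drop": 0}
    for f in flows:
        counts[evaluate(f)[0]] += 1
    return counts


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.99.0.10", "tcp", 3128),     # workstation -> proxy
    Flow("10.10.4.7", "93.184.216.34", "tcp", 443),   # workstation direct out
    Flow("10.99.0.10", "93.184.216.34", "tcp", 443),  # proxy out
    Flow("10.99.0.10", "93.184.216.34", "tcp", 22),   # proxy on an odd port
    Flow("192.168.50.12", "10.10.4.7", "tcp", 445),   # POS -> user LAN (lateral)
    Flow("192.168.50.12", "10.20.0.5", "tcp", 443),   # POS -> payment app
    Flow("203.0.113.9", "198.51.100.1", "udp", 53),   # forged external source
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, why = evaluate(f)
        print(f"{verdict:5} {f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<5} {why}")
    print(audit(SAMPLE_FLOWS))
```

The useful exercise is to run a day's worth of exported flow records through `audit()` before the rules go onto the edge device: every "drop" that a business owner insists is legitimate becomes an explicit entry in `SEGMENT_ALLOW` or `EGRESS_ALLOW`, and everything else is exactly the freight train the paragraph warns about.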

Enumeration: Thanks to Wikipedia we know that network enumeration is a computing activity in which usernames and information on groups, shares, and services of networked computers are retrieved.  It should not be confused with network mapping, which only retrieves information about which servers are connected to a specific network and what operating system runs on them.  Network enumeration tools discover the hosts and devices on a network; they tend to use overt discovery protocols such as ICMP and SNMP to gather information, and they may also scan various ports on remote hosts looking for well-known services in an attempt to further identify the function of a remote host.  The next stage of enumeration is to fingerprint the operating system of the remote host.  Whatever an intruder can enumerate from inside your network, you should have enumerated first.

We hope that this short laundry list helps each of you.  We understand the complications of local, national and global enterprises.  None of this is easy, but neither is dealing with the stockholders and the media if your company falls victim to a breach or other such incident.

Tuesday, December 2, 2014

Ten Mistakes that Boards Make

Too often we are learning of executive-level errors or omissions which cause massive breaches of the data or personal information of millions of citizens.  Here are the "Ten Mistakes That Boards Make":

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the Dilemma of False Options
Taken from the magazine Corporate Board Members, an article written by Randy Meyers.
Make Integris Security your Chief Risk Officer (CRO), the independent keeper of oversight in your corporate enterprise.  It is the job of the CRO to keep regulator awareness at a high level and to let the business be in charge of risk management.
Integris Security LLC grew from our passion for protecting our nation’s critical infrastructures and years of providing industry professionals with best of breed solutions, proven best practices and top notch security education. We work tirelessly to nurture our clients’ TRUST. We will work equally diligently to EARN your trust.