Pub. 8 2019 Issue 1
The CommunityBanker, Feature

Five Common Security Mistakes to Avoid
By Andrew Hettick, SSCP, Security+, ISACA Cybersecurity Fundamentals

In the course of my work, I visit several financial institutions each year. Although these institutions vary in size and complexity, many of them share the same deficiencies. Some of the common security mistakes listed in this article can be resolved with relatively simple changes; others take more substantial time and user training to remediate. Fixing these five deficiencies would greatly improve the security of any institution.

Utilizing Default Credentials

One mistake that is more common than you might realize is leaving default account credentials unchanged. If default credentials remain in place on a system or application, an attacker can use them to authenticate as a legitimate user and thereby bypass a large number of security controls. Because the attacker is logging in with valid credentials, the activity looks like normal use, which makes these intrusions difficult to identify and respond to. Change all default credentials when systems are set up on the network, and rename the default administrator accounts as well.

Lack of Controls on Mobile Devices

In the ever-growing mobile device landscape, it is important to have controls in place to protect the data on those devices. Using a mobile device management (MDM) application is imperative in environments where sensitive information, such as company email, is stored on mobile phones or tablets. This type of software can enforce security policies such as requiring a passcode and can remotely wipe a device that is lost or stolen. A mobile device management application can enforce device encryption as well.

Unsupported Hardware and Software

Another common mistake institutions make is running unsupported hardware or software on the network. When a hardware appliance or software application reaches its end-of-support date, its vendor stops producing security updates, and any vulnerabilities discovered afterward are never patched. Staying abreast of end-of-life dates takes organization and foresight, but it is necessary to ensure that hardware and software are upgraded or replaced before they become vulnerable. Maintaining accurate hardware and software inventories, which include accurate end-of-life
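An offline check for the default-credentials point above, added here as an example and not part of the article. It assumes an export of device accounts whose passwords are stored as salted PBKDF2-HMAC-SHA256 hashes (an assumed storage format; real appliances vary), and a list of vendor default logins. The vendor names, default logins and sample accounts are all constructed for the example. It reports accounts still protected by a vendor default password and accounts that keep the vendor's default administrator name, the two conditions the article says to fix at setup time.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical vendor default logins, constructed for this example. A real audit
# draws these from vendor documentation or a maintained default-password list.
VENDOR_DEFAULTS = {
    "ExampleNet": [("admin", "admin"), ("admin", "password")],
    "PrintCo": [("admin", "1234"), ("service", "service")],
}

# Account names many products ship as the built-in administrator.
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root"}

# Assumed storage format: PBKDF2-HMAC-SHA256 with a per-account salt.
ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass(frozen=True)
class StoredAccount:
    host: str
    vendor: str
    username: str
    salt: bytes
    pw_hash: bytes


def audit_default_credentials(accounts: List[StoredAccount]) -> List[Tuple[str, str, str]]:
    """Return (host, username, finding) triples for accounts that still use a
    vendor default password or keep a default administrator account name."""
    findings = []
    for acct in accounts:
        for def_user, def_pw in VENDOR_DEFAULTS.get(acct.vendor, []):
            if acct.username.lower() != def_user.lower():
                continue
            # Hash the documented default with the account's salt and compare
            # in constant time, the habit for any comparison involving secrets.
            if hmac.compare_digest(derive(def_pw, acct.salt), acct.pw_hash):
                findings.append((acct.host, acct.username, "default password unchanged"))
                break
        if acct.username.lower() in DEFAULT_ADMIN_NAMES:
            findings.append((acct.host, acct.username, "default administrator account name retained"))
    return findings


# Constructed sample export: two devices still on vendor defaults, one with only
# the default account name retained, and one that was reconfigured correctly.
SAMPLE_ACCOUNTS = [
    StoredAccount("core-switch-01", "ExampleNet", "admin", b"salt-01", derive("admin", b"salt-01")),
    StoredAccount("branch-printer-07", "PrintCo", "service", b"salt-02", derive("service", b"salt-02")),
    StoredAccount("nas-backup-01", "StorageCo", "root", b"salt-03", derive("Tq9!vL2#wXp8", b"salt-03")),
    StoredAccount("fw-edge-01", "ExampleNet", "netops-mgr", b"salt-04", derive("uR4$kD7^nZq1", b"salt-04")),
]

if __name__ == "__main__":
    for host, user, finding in audit_default_credentials(SAMPLE_ACCOUNTS):
        print(f"{host}: {user}: {finding}")
```

The check is only as good as the defaults list, so keep it per vendor and per product line. Where a device does not expose its credential store, the equivalent check is an authorized login attempt with each documented default during the build review, before the device goes on the network.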
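The end-of-support tracking the section above calls for, as an added example that is not part of the article. It assumes the inventory is kept as a CSV with one end-of-support date per asset; the asset names, versions and dates are constructed. Given an as-of date it buckets each asset as already unsupported, expiring within a warning window, still supported, or lacking a recorded date, so that the "unknown" entries surface as gaps in the inventory rather than being silently treated as safe.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed inventory in the shape the article calls for: each asset carries
# the vendor's end-of-support date. Names, versions and dates are made up.
INVENTORY_CSV = """asset,type,version,end_of_support
core-switch-01,hardware,firmware 7.2,2024-06-30
teller-ws-14,software,desktop OS 10.4,2023-06-13
branch-firewall-02,hardware,firmware 9.1,2026-03-31
online-banking-web,software,app server 12,2025-05-31
atm-controller-03,software,controller 4.x,unknown
"""


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str
    version: str
    end_of_support: Optional[date]  # None when no valid date is recorded


def parse_inventory(text: str) -> List[Asset]:
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            eos = date.fromisoformat(row["end_of_support"].strip())
        except ValueError:
            eos = None  # a missing or malformed date is itself a finding
        assets.append(Asset(row["asset"], row["type"], row["version"], eos))
    return assets


def classify(assets: List[Asset], today: date, warn_days: int = 180) -> Dict[str, List[str]]:
    """Bucket assets: past end of support, expiring within warn_days,
    still supported, or end-of-support date unknown."""
    buckets: Dict[str, List[str]] = {"unsupported": [], "expiring": [], "supported": [], "unknown": []}
    horizon = today + timedelta(days=warn_days)
    for a in assets:
        if a.end_of_support is None:
            buckets["unknown"].append(a.name)
        elif a.end_of_support < today:
            buckets["unsupported"].append(a.name)
        elif a.end_of_support <= horizon:
            buckets["expiring"].append(a.name)
        else:
            buckets["supported"].append(a.name)
    return buckets


def audit_inventory(text: str, today_iso: str, warn_days: int = 180) -> Dict[str, List[str]]:
    """Parse an inventory CSV and classify it as of the given ISO date."""
    return classify(parse_inventory(text), date.fromisoformat(today_iso), warn_days)


if __name__ == "__main__":
    report = audit_inventory(INVENTORY_CSV, date.today().isoformat())
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The warning window is the lead time the institution needs to budget, procure and migrate; 180 days is an assumption here, and hardware refreshes usually need longer than software upgrades. Run the report on a schedule and treat a growing "unknown" bucket as an inventory-accuracy problem to fix before it becomes a patching problem.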