Pub. 8 2019 Issue 3

The CommunityBanker, page 14
FEATURE

By Ben Hayden

As manager of SHAZAM's risk consulting business, I have the unique opportunity to help institutions of all sizes fortify their defenses, with both information and physical security programs. We work with clients of all asset sizes across the country and assist financial institutions with "all things risk." This may mean information technology audits, BSA and ACH audits, as well as network penetration testing, vulnerability assessments and social engineering. In our work, we've noticed recurring findings that many institutions share. We strive to strengthen not only our clients' security, but the security of all financial community institutions. Addressing these common findings is part of that process.

Information Technology Audit Programs

Access management. When conducting an IT audit, the majority of recurring findings are related to poor logical access management. This can include a wide variety of issues, but often centers on poor control of Microsoft Active Directory. Many institutions have a high number of users with "domain administrator" privileges, don't restrict logon hours, allow nonexpiring passwords, haven't deleted unneeded or unused service accounts, or haven't removed terminated users from the system. Attackers look for these types of accounts. Digging deeper, we find that many institutions don't have a process for reviewing user access to wire platforms, core systems, internet banking or other systems. We hear the term "least privilege possible," which is a good security principle, but it's not being followed consistently. Review why administrator accounts are needed. Chances are they're being used for privileges that can actually be — and should be — assigned to user accounts.

Configuration standards. Industry best practices tell us to use the configuration standards found in "hardening documents." These standards are usually provided by firewall, switch and IDS/IPS manufacturers, and the documentation outlines how to secure each system effectively. Download a (usually free) copy from the manufacturer's website. Make it a priority to update system configurations based on these standards.

Inventory. Institutions failing to maintain current hardware or software inventories is another common issue. It's your stuff; know where it is! Institutions should maintain an inventory of their assets, including what operating system and version each is running. In addition, a software inventory should be maintained. If needed, find a tool that will do this for you; knowing what software is on the system is critical. With a software inventory in place, unwanted or even malicious programs can be located more easily, and the process can lead to reductions in system latency. In our reviews, we often find that these inventories are out of date and that vulnerable programs exist.

Continued on page 16

Ensure Security at Your Financial Institution

Implementing a robust security program strengthens your financial institution by protecting your cardholders and lowering your institution's risk. Strengthening community financial institutions. That's our mission at SHAZAM.
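One way to screen an Active Directory domain for the access management findings the article lists (domain administrator membership, nonexpiring passwords, unrestricted logon hours, unused service accounts and stale user accounts), as an added PowerShell example that is not part of the article or of SHAZAM's tooling. It assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day inactivity threshold, all of which are assumptions rather than figures from the article.

```powershell
# Added audit script, not from the article or SHAZAM. Lists the Active
# Directory conditions the article names as recurring audit findings.
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

$StaleDays = 90   # assumption: days without a logon before an account is "unused"
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

function Get-AdAuditFindings {
    # LastLogonDate is derived from lastLogonTimestamp, which replicates with
    # up to a 14-day lag, so treat it as a screen, not as proof of disuse.
    $props   = 'PasswordNeverExpires', 'LastLogonDate', 'LogonHours', 'ServicePrincipalName'
    $users   = Get-ADUser -Filter * -Properties $props
    $enabled = $users | Where-Object { $_.Enabled }

    # Finding 1: accounts holding Domain Admins, including through nested groups
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user'

    # Finding 2: enabled accounts whose password never expires
    $noExpiry = $enabled | Where-Object { $_.PasswordNeverExpires }

    # Finding 3: no logon-hour restriction. logonHours is 21 bytes, one bit per
    # hour of the week; all bytes 0xFF (or the attribute absent) = always allowed.
    $unrestricted = $enabled | Where-Object {
        -not $_.LogonHours -or
        @($_.LogonHours | Where-Object { $_ -ne 0xFF }).Count -eq 0
    }

    # Findings 4 and 5: enabled accounts with no logon inside the threshold.
    # Those carrying an SPN are service accounts; the rest are candidate
    # terminated or abandoned users to confirm against HR records.
    $stale = $enabled | Where-Object {
        $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff
    }
    $staleService = $stale | Where-Object { $_.ServicePrincipalName.Count -gt 0 }
    $staleUsers   = $stale | Where-Object { $_.ServicePrincipalName.Count -eq 0 }

    [pscustomobject]@{
        DomainAdmins           = @($domainAdmins.SamAccountName)
        PasswordNeverExpires   = @($noExpiry.SamAccountName)
        NoLogonHourRestriction = @($unrestricted.SamAccountName)
        StaleServiceAccounts   = @($staleService.SamAccountName)
        StaleUserAccounts      = @($staleUsers.SamAccountName)
    }
}

Get-AdAuditFindings | Format-List
```

Each list is a review queue, not an action list: compare it against the institution's access approval and termination records before removing privileges or disabling accounts.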
