(This is a commentary follow-up to my earlier post, located here.)
Many of our client financial organizations have been working on implementing out-of-band authentication (OOBA) mechanisms for specific kinds of money transfers such as ACH and wires.
A few have even looked into performing OOBA for all home and mobile banking access. While this authentication method does add some security to the process, effectively raising the bar for credential theft by the bad guys, it does not come without its challenges.
Many of our assessment customers have benefitted in the last several years from having their important network devices and critical systems undergo a configuration review as a part of their assessments. However, a few customers have begun having this work performed as a subscription, with our team performing deep reviews of one to three devices per month, and then working with them to mitigate specific findings and bring the devices into a more trusted and deeply hardened state.
From credit unions to boards of elections and from e-commerce to ICS/SCADA teams, this deep and focused approach is becoming a powerful tool in helping organizations align better with best practices, the 80/20 Rule of Information Security, the SANS CAG and a myriad of other guidance and baselines.
- The organization defines a set of systems to be reviewed based on importance, criticality or findings from vulnerability assessments.
- The MSI team works with the organization to either get the configurations delivered to MSI for testing or, in the case of robust systems such as servers, to access the systems for local assessments.
- The MSI team performs a deep-level configuration assessment of the system, identifying gaps and suggested mitigations.
- The MSI team provides a detailed technical report to the organization and answers questions as the organization mitigates the findings.
- Often, the organization has the systems re-checked to ensure mitigations are completed, and MSI provides a memo of our assertions that the system is now hardened.
- Lather, rinse and repeat as needed to continually provide hardening, trust and threat resistance to core systems.