Follow Up to Out of Band Authentication Post

(This is a commentary follow up to my earlier post, located here.)

A couple of folks have commented on Twitter that they have a fear of using SMS for any sort of security operations. There have been discussions about the insecurity of SMS and the lack of attention to protecting the cellular network by carriers around the world. I generally disagree with blanket statements, and I would push for organizations considering SMS as a means of authentication to undertake a real risk assessment of the process before they jump in.
However, if the controls in place in the cell networks meet their appetite for risk, then I think it is a perfectly acceptable business case. It certainly beats in-band simple authentication mechanisms like “pictures of trust” and traditional login/password as a security control.
At least in SMS authentication, the attacker would usually need to have control over or access to more than one device belonging to the user. I think this helps make the risk model more acceptable for my views.
Other folks discussed how Out of Band Authentication (OOBA) has been done now successfully in many places. I agree with this. We know how to do it. There are a LOT of vendors out there who can successfully integrate, deploy and manage a solution for you. Sadly, though, there are still more than a few who are struggling to get it right or done at all. As with most things in life, it helps to do a little research. Organizations should perform due diligence on their vendors and factor vendor risks into the equation of purchases and project planning. 
Lastly, a few folks commented on the fact that they, too, are running into speed bumps with deployments and logistics. Several folks echoed the sentiments of the original challenges and few offered suggestions beyond simply “doing more homework” and looking for “quickly scalable solutions”. The good news with this is that you are not alone out there. Other folks are facing AND BEATING challenges. Feel free to reach out to your peers and discuss what is and what isn’t working for them.
As per the original post, the more communication and discussion we can have amongst the community about these topics, the better off we all will be. So, discuss, seriously…
##Special thanks to the vendors that replied with case studies, references or stories about how they have done integration and deployment. There are a lot of good vendors out there with knowledge in this area. Careful review of their capabilities will help you sort them out from the less capable. Communication is key.
Thanks for reading! 

Credit Unions and Small Banks Need Strong Security Relationships

With all of the attention in the press these days on the large banks, hacking, and a variety of social pressures against the financial institutions, it’s a good time to remember that credit unions and small banks abound around the world, too. They may offer an alternative to the traditional big banking you might be seeking, but they sometimes offer an alternative to the complex, well staffed information security teams that big banks have to bear against attackers and cyber-criminals, too.
While this shouldn’t be a worry for you as a consumer (in that your money is secure in a properly licensed and insured institution), it should be a concern for those tasked with protecting the data assets and systems of these organizations.
That’s where strong vendor relationships come in. Partnerships with good solution providers, security partners, virtual security teams and monitoring providers can be very helpful when there are a small number of technical resources at the bank or credit union. Ongoing training with organizations like SANS, CUISPA and our State of the Threat series is also very likely to assist the resources they do have in being focused against the current techniques used by attackers. Whether with peers or vendors, relationships are a powerful tool that help security admins in the field.
Smaller organizations need to leverage simple, effective and scalable solutions to achieve success. They simply won’t have the manpower to manage overwhelming alerts, too many log entries or some of the other basic mechanisms of infosec. They either must invest in automation or strategically outsource some of those high resource functions to get them done. If your bank has a single IT person who installs systems, manages software, secures the network, helps users, and never goes on vacation; you have one overwhelmed technician. Unfortunately, this all too common. Even worse is that many times, the things that can’t be easily done sometimes end up forgotten, pushed off or simply ignored. 
In some cases, where some of the security balls may have been dropped, attackers take advantage. They use malware, bots, social engineering and other techniques to scout out a foothold and go to work on committing fraud. That’s a bad way to learn the lessons of creating better security solutions.
So, the bottom line is if you are one of these smaller organizations, or one of the single technicians in question, you need to find some relationships. I suggest you start with your peers, work with some groups in your area (ISSA, ISACA, ISC2, etc.) and get together with some trusted vendors who can help you. Better to get your ducks in a row ahead of time than to have your ducks in the fire when attackers come looking for trouble. 

Know Who’s Out to Hack Your Credit Union

One of the biggest questions we get when we talk to Credit Unions is about threats. They often want to know who might be targeting Credit Unions and how they might get attacked. Based on these questions and how often we hear them, we have come up with a way for you to actually get some metrics and intelligence around your own threat postures.
I am proud to introduce a new short-term service for Credit Unions that leverages our patent-pending HoneyPoint technology in a useful, powerful, easy and affordable way.  The MSI Threat Posture Analysis is a new service that does just that. The service is comprised of the following phases:
1. Initial consultation – our teams work together to plan for a quick, safe and easy deployment of our HoneyPoint technology; this initial discussion helps us decide if we are going to leverage a HoneyPoint hardware, software or combined deployment and exactly what we want to emulate for metrics gathering; the length of the metrics gathering mission is also determined (usually 90 days).
2. Pricing and contracts – based on our work together, fixed bid pricing is provided for the analysis and monitoring.
3. Delivery of technology – our teams work together to deliver and install the technology; MSI monitors the deployment remotely back at our NOC.
4. Analysis – MSI performs analysis of the data gathered; generating a set of reports that details sources of attacks, general estimated capabilities, attack frequency and other metrics designed to feed real world threat data into the Credit Union’s information security program.
5. Decommission and return of the technology – our teams work together to uninstall the technology and return any hardware to MSI. 
6. Follow on Q&A – for 3 months, MSI will continue to be available to answer questions or discuss the data and metrics identified in the analysis.
It’s that easy. You can quickly, easily, safely and affordably, move from blunt estimations of threats to real world data and intelligence. If you would like that intelligence as an ongoing basis, give us a call and we can discuss our managed services with you as well. 
So, if you’re tired of doing risk assessments without real numbers to back up your data or if your team has hit the maturity point where they can use real world metrics and threat source data to create firewall rules, black holes and other dynamic defenses, this approach can give them the data they are hungry for.
If you would like to discuss the analysis or hear more about it, give your account executive a call or reach out to me on Twitter (@lbhuston). I look forward to talking with you about the successes we are seeing.
As always, thanks for reading and stay safe out there!

MSI Strategy & Tactics Talk Ep. 15: Information Security for Credit Unions

Credit Unions have become popular over the past few weeks as societal trends have placed greater pressure on bank policies. What’s the scoop on Credit Unions and information security? Take a listen! Discussion questions include:

  • Supporting Credit Union swap through infosec
  • The “hactivist” group Anonymous and “Dump Your Bank Day”
  • Is infosec strong at Credit Unions?
  • Our approaching toward testing Credit Unions and banking apps

Brent Huston, CEO, Founder, and Security Evangelist
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!