Category Archives: Risk Management

ClawBack For Credit Unions

Posted on by
Reply

I got a question recently from one of our Credit Union clients about ClawBack™. They explained that they don’t really do any internal development, so leaking source code was not a concern for them. Based on that, they wondered, would ClawBack still be a useful tool for them?

I pointed out that most larger Credit Unions do some form of development, or at the very least, that their systems admin folks often write (and potentially expose) scripts and other management tools that would be of use to an attacker. However, even if they didn’t do any development at all, leveraging something like the Professional level of ClawBack as a DIY tool ($149.00 per month) is still a good idea.

Further, I explained that source code leaks are only one third of the focus of the ClawBack tool. It also searches for leaked device/application configurations and leaked credentials. Every Credit Union with a network needs to think about leaked device and application configurations. These are the most commonly found items in ClawBack’s history. Whether by accident, or misunderstanding or malicious intent, thousands of leaked configuration files wind up on the Internet in repositories, support forums, answer sites, social media and paste bins. When found, they can provide significant amounts of damaging information to attackers, ranging from logins and passwords to sensitive cryptography and API keys. In some cases, they can be a nearly complete map of the internal network.

Thirdly, ClawBack also focuses on leaked credentials. It can help identify stolen and compromised passwords belonging to members of your organization. Many times, these credentials contain the same or similar passwords as Internet exposed applications, webmail or email access and potentially even weakly secured VPN instances. Stolen and leaked credentials are among the most significant root causes of breaches, business email compromise and a variety of other fraud.

Your CU Security team can add ClawBack to their toolkit for less than $150 per month. It’s simple to use, flexible and an incredibly powerful capability to minimize the damage from data leaks. Check out this less than 8 minute video for more information. If you’d like to discuss ClawBack or our ClawBack Managed and Professional Services, please drop us a line, or give us a call at (614) 351-1237 today. 

Closing the CUSO Security Loop Hole

Posted on by
Reply

The CUSO Security Loop Hole

The NCUA Inspector General (IG) suggested this week that the agency have regulatory oversight of Credit Union Service Organizations (CUSOs) to reduce the overall risk to the system. CUSOs have long been seen as a separate firm from the credit unions, though they may have an ownership stake in them. To date, many of these organizations have been outside the regulatory and oversight controls that are applied to the very credit unions they serve. In terms of information security, that often means they aren’t held to the same level of security and risk management controls as required by NCUA 748 and other guidance.

DigitalMoneyCUSO Security Oversight Challenges

The NCUA IG suggests that NCUA guidance and regulatory oversight be directly applied to CUSOs, instead of through vendor or partner risk management programs of the CUSO customers. This would provide for more direct regulation of the security controls and risk management processes in use at the CUSOs themselves. However, this introduces several challenges for some CUSOs, who may be more focused on agility, market speeds and innovation – areas where regulatory guidance can be especially impactful and can create significant budgetary challenges. This gets even more complicated when regulatory guidance is vague, or can be inflexible – the very opposite of the needs of organizations focused on innovation and market speed adaptation. An excellent example of this is CUSOs working on financial technologies, crypto currencies, blockchain and other exciting new areas. Regulatory guidance lags or lacks in most of those areas and hasn’t caught up to these new, and in some cases, experimental technologies.

One Approach – Best Practices CUSO Security and Third Party Attestation

One approach that might work, is for CUSOs to work with independent third-party assessors who could then measure the CUSO against industry standard best practices that apply to their specific lines of business, research or innovation. These vendors could then help the CUSO build a relevant and respectable CUSO security and risk management program – which they could attest to the NCUA. If this attestation were required on a yearly basis, along with some basic guidance, like ongoing risk management reviews, ongoing vulnerability management, etc – this could go a long way to mitigating the risks that concern the NCUA IG, while still maintaining independence and control by the CUSOs – thus, empowering their mission. Programs like these have been very successful in other industries and don’t have to add the overhead and bureaucracy of full regulatory compliance or programs like PCI-DSS. 

If you’d like to build such a program for your CUSO, please get in touch with us. We’d love to work on creating this process with a handful of CUSOs around the US, and are more than capable of applying our 30 years of experience in information security to each organization’s independent needs. Drop us a line or give us a call at (614) 351-1237 and let’s work together to close the CUSO Security loop hole in a way that reduces risk but doesn’t destroy the power and flexibility of the CUSO ecosystem.

ClawBack Professional and Managed Services Launched

Posted on by
Reply

Clawback small

ClawBack™, our data leak detection engine which we released last fall, is a cloud-based SaaS tool focused on helping organizations detect leaked source code, device/application configurations and credentials. You can learn more about the product and why we made it in this quick 8 minute video by clicking here.

While ClawBack has been a very successful product in its own right, the SaaS platform is primarily “Do It Yourself” in terms of operations. It’s easy to use and manage, but the customer does the work of reviewing the alerts and managing the responses. Over the last several months, some clients have asked for a managed service option, where MSI will manage the ClawBack product, review the alerts and work with the customer to issue take downs or provide mitigation advice. Today, we are proud to announce the immediate availability of the ClawBack Managed Service. Now you can get the power and vigilance of ClawBack without the overhead of managing and monitoring the product directly, reviewing the alerts and issuing appropriate take down requests.

Several clients have also asked us about other professional services associated with ClawBack and with Data Leak Prevent/Protection (DLP) capabilities in general. MSI is also proud to announce the immediate availability of the following associated professional services:

  • Monitoring term identification, optimization and improvement
  • Watermark implementation in source code and device configurations
  • Data leak awareness training, especially focused on source code, configurations and credentials
  • Data leak impact modeling and table top simulations
  • 30/60/90 day data leak assessments
  • Exfiltration testing and Data Loss Prevention (DLP) assessments and optimization
  • Data classification and data leak policy and process development and reviews

Additionally, we are launching multiple year packages that combine these services in 3 and 5 year plans, allowing our clients to create long term solutions to the problems of data leakage, intellectual property risk management and compromises stemming from leaked source code, configs and credentials. To learn more about these services or create a package that fits your firm’s needs, give us a call at 614-351-1237 or drop us a line (info@microsolved.com).

WARNING: Migrate Windows Server 2003 Immediately

Posted on by
Reply

Believe it or not, we still get queries from a few utility companies that have operational processes locked on Windows Server 2003 as a platform. Most of the time, these are legacy applications associated with some form of ICS device or data management system that they have not been able to afford to replace.

Windows 2003 Server end-of-life searches are still among the most popular searches on our StateOfSecurity.com blog, receiving more than 200 queries most months. Keep in mind, this is an operating system that patches haven’t been released for since 2015. According to Spiceworks, an online community for IT professionals, the Windows 2003 Server operating system still enjoys a market share of 17.9%, though we could not validate the time frames of their claim.

But, just in the last year or so, we have seen it alive and well in natural gas, energy and the communications infrastructures, both foreign and domestic. So, we know it is still out there, and still being used in seemingly essential roles.

I’m not going to lecture you about using a system that is unmatched for 5 years. That’s just common sense. Instead, what I am going to do is make three quick suggestions for those of you who can’t get rid of this zombie OS. Here they are:

1. Install a firewall or other filtering device between the legacy system and the rest of your environment. This firewall should reduce the network traffic allowed to the system down to only specifically required ports and source addresses. It should also restrict all unneeded outbound traffic from the device to anything else in the network or the world. The device should be monitored for anomalies and security IOCs.

2. If the hardware is becoming an issue, as well, consider virtualizing the system using a modern virtualization solution. Then apply the firewalling above. Server 2003 seems to be easily virtualized and most modern solutions can handle it trivially.Hardware failure of many of these aging systems is their largest risk in terms of availability.

3. Eliminate the need AS SOON AS POSSIBLE. Even with the firewalling and filtering, these systems have high risk. You might also consider if you can migrate portions of the services from Windows 2003 to a more recent system or platform. This isn’t always possible, but everything you can move from Windows 2003 to a supported OS is likely to let you crank down your filtering even more.

Lastly, if you’re still trapped on Windows 2003, make sure you review this every quarter with the application owners and management. Keep it on their mind and on the front burner. The sooner you can resolve it, the better. 

If you need more help or advice on risk mitigation or minimization, get in touch. We’d love to help! Just email us at info@microsolved.com and we can connect.

EDI – The Often Overlooked Critical Process in Utilities

Posted on by
Reply

EDI (Electronic Data Interchange) is an often forgotten underpinning of many utility companies, even though many of its functions are likely to be critical to the operation. In many states, EDI is a mandated operation for commercial bill pay and meter reading data exchange with third party services. In fact, between the Gas Industry (GISB) and North American Energy (NAESB) Standards Boards, a substantial set of requirements exist for industry use of EDI.

Data

While EDI exists as a specific set of functions for exchanging digital data, it is often managed through third party applications and networks. These operations carry several different threat models, from disruption of service and outages that impact the data availability, to tampering and compromise of the data in transit. As such, it is essential that utilities have performed business function and application specific risk assessment on EDI implementations.

Additionally, many of our clients have performed EDI-focused penetration testing and technical application assessments of their EDI translators and network interconnects. Some clients still utilize a Value Added Network (VAN) or other service provider for EDI transmissions, and MSI can work with your VAN to review their security program and the configuration of your interconnections to ensure maximum security and regulatory compliance.

Lastly, our team has been very successful doing tabletop incident response and disaster recovery/business continuity exercises involving modeling EDI outages, failures and data corruption. Impacts identified in these role playing exercises have ranged from critical outages to loss of revenue.

If you’d like to learn more about our EDI services and capabilities, give us a call at 614-351-1237 or drop us a line at info@microsolved.com. We’d love to talk with you about our nearly 30 years of experience in EDI, information security and critical infrastructure.

 

 

 

Announcing the Launch of the SecureDrive Alliance

Posted on by
Reply

LMS Consulting and MicroSolved are proud to announce the launch of the SecureDrive Alliance. This team effort is specifically focused on the needs, regulatory requirements and threats facing automotive dealerships today.

SecureDrive Alliance

The alliance will be providing the following focused services to dealerships across the US:

  • Risk assessments
  • Vulnerability assessment and penetration testing
  • Application security
  • Phishing simulations
  • Risk management training

To learn more about the SecureDrive Alliance, the leaders of both companies have put together a quick MP3 discussing the reasons behind the launch and the capabilities that the alliance brings to bear. You can listen to the 9 minute MP3 here.

To put the team to work on securing your dealership, give a call to Justin LeBrun, or drop him an email.

Three Things I’ve Learned About Credit Union Risk Management

Posted on by
Reply

I have been working with Credit Unions for more than 20 years and have done a wide variety of information security and risk management work over that time. I’ve worked with technical teams, management and boards over the span of more than two decades. Here are three things I’ve learned about how CUs manage risk during that time. 

1) Most credit unions that I’ve worked with care just as much, if not more, about information security than most of the regional size banks they often compete with.

I’ve heard more than one CU leader tell me that they have to be better than the banks, because when a bank gets hacked – that bank makes the news and feels the impact. However, he said, when a credit union gets hacked – all credit unions suffer from the bad press. I am not sure the data supports his claim, but it’s an example of how CUs often focus on working together to solve big problems, and put a lot more attention to detail into it.

2) Many of the credit unions I have worked with look at information security and threat awareness as something that they can offer to their members (“customers, in bank speak”).

More than a few of the CUs have engaged so deeply with their customers on phishing and identify theft, that they include them in discussions about what products and services the CU buys. They do trials, include members in beta-tests and I’ve even seen them do onsite training for how to use new multi-factor authentication tools – even ones that weren’t in use at the CU – just to help make the members more secure and reduce the threat of password re-use across personal sites.

3) The board is often more involved in the risk management process at my CU clients than my banking clients.

The NCUA has taken a lot of steps to increase board member awareness about information security, and it often shows at credit unions. Several times a year, I am asked to present threat updates or review the information security program of a CU, specifically with a presentation to the board in mind. I am often engaged as a third party, to spend a couple of days looking at a security program and reporting to the board on it’s maturity and areas of potential improvement.

During these board sessions, it is not uncommon for the board questions to last more than an hour, after the presentation has completed. The point is, most CU boards that I have worked with are deeply engaged in thinking about risk management at the credit union.

For those of you interested in more about risk management at credit unions, here are some of the best sources, which I refer to often in my presentations:

  • Credit unions also face such internal risks as internal fraud, legal and regulatory noncompliance, data breaches, and injuries to staff and visitors. (boardeffect.com)

  • The bottom line: Figuring out the risk appetite will help guide credit unions to create realistic and measurable risk guidelines. (visibleequity.com)

  • We have helped Credit Unions develop risk appetite statements and risk frameworks and can work with your Credit Union to develop the documentation you require. (creditunionupdate.com)

If you’d like to learn more about MSI and our work with credit unions, just drop us a line (info@microsolved.com) or give us a call (614-351-1237) and we’d be happy to talk about how we might be able to help your credit union excel in IT risk management.

A Quick Expert Conversation About Gap Assessment

Posted on by
Reply

Gap Assessment Interview with John Davis

What follows is a quick interview session with John Davis, who leads the risk assessment/policy/process team at MicroSolved. We completed the interview in January of 2020, and below are the relevant parts of our conversation.

Brent Huston: “Thanks for joining me today, John. Let’s start with what a gap assessment is in terms of HIPAA or other regulatory guidance.”

John Davis: “Thanks for the chance to talk about gap assessment. I have run into several HIPAA concerns such as hospitals and health systems who do HIPAA gap analysis / gap assessment in lieu of HIPAA risk assessment. Admittedly, gap assessment is the bulk of risk assessment, however, a gap assessment does not go to the point of assigning a risk rating to the gaps found. It also doesn’t go to the extent of addressing other risks to PHI that aren’t covered in HIPAA/HITECH guidance.”

BH: “So, in some ways, the gap assessment is more of an exploratory exercise – certainly providing guidance on existing gaps, but faster and more affordable than a full risk assessment? Like the 80/20 approach to a risk assessment?”

John Davis: “I suppose so, yes. The price is likely less than a full blown risk assessment, given that there is less analysis and reporting work for the assessment team. It’s also a bit faster of an engagement, since the deep details of performing risk analysis aren’t a part of it.”

BH: “Should folks interested in a gap assessment consider adding any technical components to the work plan? Does that combination ever occur?”

JD: “I can envision a gap assessment that also includes vulnerability assessment of their networks / applications. Don’t get me wrong, I think there is immense value in this approach. I think that to be more effective, you can always add a vulnerability assessment to gauge how well the policies and processes they have in place are working in the context of the day-to-day real-world operations.”

BH: “Can you tie this back up with what a full risk assessment contains, in addition to the gap assessment portion of the work plan?”

JD: “Sure! Real risk assessment includes controls and vulnerability analysis as regular parts of the engagement. But more than that, a complete risk assessment also examines threats and possibilities of occurrence. So, in addition to the statement of the gaps and a roadmap for improvement, you also get a much more significant and accurate view of the data you need to prioritize and scope many of the changes and control improvements needed. In my mind, it also gets you a much greater view of potential issues and threats against PHI than what may be directly referenced in the guidance.” 

BH: “Thanks for clarifying that, John. As always, we appreciate your expert insights and experience.”

JD: “Anytime, always happy to help.”

If you’d like to learn more about a gap assessment, vulnerability assessment or a full blown risk assessment against HIPAA, HITECH or any other regulatory guidance or framework, please just give us a call at (614) 351-1237 or you can click here to contact us via a webform. We look forward to hearing from you. Get in touch today! 

Zelle…quick, easy, and…problematic?

Posted on by

Measuring risk

With the increasing adoption of PayPal, Venmo, and other instant payment services…it’s no surprise that the financial services industry entered the arena. The concept is simple – P2P payments via phone or email. At least one entity – sender or recipient – needs to have a bank account with a bank that supports Zelle. The other entity can simply link a supported debit card to enable the exchange.

Continue reading

About the Ohio Data Protection Act

Posted on by

The Ohio Data Protection Act differs from others in the country in that it offers the “carrot” without threat of the “stick.” Although companies are rewarded for implementing a cyber-security program that meets any of a variety of security standards, having a non-compliant program carries no penalty under this act.

The theory is that Ohio companies will be more willing to put resources into their information security programs proactively if a tangible return on their investment is available; like investing in insurance to hedge risk. Alternatively, if there is no threat of penalty for non-compliance, why wouldn’t a business simply adopt a wait and see attitude? After all, most companies do not have big data breaches, and developing and documenting a compliant information security program is expensive.

Continue reading