Tag: IT Audit

800-53

NEW GUIDANCE RELEASED BY NIST REDEFINES ASSURANCE & TRUSTWORTHINESS FOR FINANCIAL INSTITUTIONS

On April 30th, 2013 the National Institute of Standards and Technology (NIST) issued the latest version of its essential guidance: Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. Led by Ron Ross, a NIST fellow and the project leader, a team of computer scientists spent the past two years developing this latest 457-page revision.

One of the Essential Themes of the New Guidance

Mr. Ross indicated that a key theme in the new guidance is the “reintroduction of the notion of assurance, or trustworthiness of information systems.” The bottom line is that organizations will now be under higher scrutiny in terms of how effective they are at identifying vulnerabilities and security weaknesses in systems, which

Computer Security

2013 INSIDER THREAT TO BANKS AND CREDIT UNIONS – DATA LEAKAGE

The following is an excerpt from an article regarding the “Top IT Security Threats for 2013”:

“One of the areas we see a dramatic increase of concern is over data leakage,” says Michael Bruck of Chicago-based BAI Security. “The ease in which an individual can export sensitive information from an internal network is chilling for many institutions. We often conduct such evaluations during our Security Audit program and demonstrate just how easy and undetectable the process can be in most environments.”

Even with the headlines and various forms of education on this subject, BAI Security recently reported that as many as 40% of institutions responded in a recent survey that they were concerned their organization has been a victim of

Assessment

ARE YOUR EMPLOYEES GIVING AWAY CONFIDENTIAL SECURITY INFORMATION?

A man calls the receptionist at a competitor’s company and asks for the name of the Sales Manager. The receptionist says the person he is looking for is Bob Jones. Later, the man calls back to the same company and says he needs to speak with the IT helpdesk. When the helpdesk operator answers, the man says, “Hi, my name is Bob Jones and I seem to have forgotten my new password. I am on my way to an important meeting; can you reset it right away?” In an effort to help the user regain access to the system, the helpdesk operator resets the password and tells the man the new password. The man then accesses the employee area of

Computer Security Employees

REAL WORLD SOCIAL ENGINEERING ATTACKS … IN THE TRENCHES WITH AN AUDITOR

How well are your users prepared for modern-day social engineering attacks? If you’re like the majority of management personnel I speak with during our pre-audit consultations, you’re wary, but confident that your staff has properly prepared your employees against this threat to your organization. In response, I routinely explain that it is admirable that you have that kind of faith in your managers and user base, but based on our statistical averages, be prepared for the possibility of a less than ideal result when you receive our audit findings report.

Preventing Social Engineering Attacks with Social Engineering Evaluations

Statistically, the first time we perform a social engineering evaluation on an organization, it’s not uncommon for as many as 65% of the users to

Computer Security

MANY BANKS AND CREDIT UNIONS FAIL THE VULNERABILITY TESTING COMPONENT OF THEIR IT SECURITY AUDIT DUE TO WEAK PATCH MANAGEMENT

Do you have a patch management plan? If so, how effective is it? Many companies either lack a comprehensive plan or the necessary tools to properly automate the processing of updates. In fact, the underlying reason many banks and credit unions fail the vulnerability testing component of their IT security audit is this lack of effective patch management.

Failed Vulnerability Testing Due to Weak Patch Management Is Often the Root Cause of Poor IT Security Audit Results

As for the tools, many companies rely only on Windows Server Update Services (WSUS) to patch their Microsoft Windows operating system and other Microsoft software. WSUS does not patch non-Microsoft application software, such as Adobe Acrobat, Adobe Flash, and Adobe Shockwave, which often have severe risks that can lead

Assessment Tool

7 OUT OF 10 BANK IT AUDITS INADEQUATE – BANKING CYBER SECURITY STANDARDS

Are your IT auditors using best-of-breed commercial-grade products, or do they use freeware and open source IT assessment tools?

Vulnerability Assessment Tools – IT Audits and Banking Cyber Security Standards

Based on BAI Security’s review of previous IT auditors’ results, the majority of banks are being left exposed with potentially serious undiscovered vulnerabilities. The most common underlying factor in these environments is the actual testing tools and testing methodology. To fully understand the risks to your organization, you need to have your auditors use tools and processes capable of identifying all threats to your systems. Simply stated, traditional network-based vulnerability assessment tools send requests to systems/software running on the target machine and look at the responses to determine if particular vulnerabilities exist.

Assessment Tool

4 TECH TIPS FOR ORGANIZATIONS PLANNING A MERGER

Mergers, acquisitions and divestitures require special handling when bringing together two distinct organizations or separating a business from the remaining IT infrastructure. The technical environment can be rife with insecure access points, unpatched servers, and incorrectly configured firewall settings. Information on the acquired company’s technical environment may be non-existent or incomplete, and depending on the nature of the merger, it may be difficult to work with people during the transition. The idea of bringing together two organizations under one leadership requires understanding the risks. This risk analysis requires multiple tasks to uncover any underlying vulnerabilities in the architecture. So where do you start to untangle the colliding technical environments?

1. Vulnerability Scanning
2. Firewalls
3. Remote Access
4. Compliance Audits

We
