Information Security News


Minding your P’s & V’s – Patch Management and Vulnerability Management


Congratulations!  Your boss has tasked you with creating a Patch Management Policy to address a recent IT Audit finding.  So, you think to yourself “No problem, I’ll just Google an example - or even better, request a template from 10-D Security and knock it out.”  Just when you think this is the easiest thing you’ve done all week, your boss comes back and nonchalantly states, “Actually our remediation tracker says, ‘Vulnerability Management Policy’, so create that instead.”  “Ok, fine,” you think, “I’ll call it whatever you want, it’s the same thing anyway.”  Or is it?  A quick web search for [...]

Minding your P’s & V’s – Patch Management and Vulnerability Management 2020-07-30T17:35:51+00:00

SBA Release of PPP Data May Lead to Uptick in Attacks


On Monday, the U.S. Small Business Administration (SBA) released loan data for more than 660,000 large Paycheck Protection Program (PPP) loans made to businesses over the past few months.  You may have seen some scandalous local and national news articles regarding recipients, but the data released contains some much more concerning information that all financial institutions (FIs) and their business customers must now take into consideration to protect against general fraud, targeted phishing, other types of social engineering, and corporate account takeover (CATO). The data set released by the SBA is divided into several parts; individual state records with anonymous [...]

SBA Release of PPP Data May Lead to Uptick in Attacks 2020-07-09T17:40:05+00:00

Security Disciplines


Ah, security.  Network security.  Information Security.  Endpoint security.  Configuration security.  Cloud security.  Physical security.  All different, but depending on the size of your institution or your role within it, you may have a hand in each of these security areas.  And while it may not seem important to the casual observer, it is important that anyone managing any aspect of these knows the differences between them. When I decided after six years in IT that security was where I wanted to focus, I dove in head-first, never really considering that there are subtle but real differences in each of these [...]

Security Disciplines 2020-07-15T22:39:36+00:00

Network Access Control Basics


Network Access Control (NAC) can be a very confusing concept to understand if one tries to dig into the minutiae of how it works and every single thing it can do. Instead, to get an idea of how it can assist you in your security efforts, start by focusing on breaking down its name: Network.  Access.  Control. NETWORK.  It’s a bunch of jacks in the wall that have wires that run back to that blinky-light box in a closet or in the data center.  Or, maybe it’s those white boxes on the ceiling with the antennas pointing in various directions.  [...]

Network Access Control Basics 2020-05-15T20:23:45+00:00

Getting to Know Your Stimulus Check


From April 24th through June 26th, 2020, the Treasury Department is mailing paper Economic Impact Payment checks, and like moths to flame, this substantial influx of money is already attracting fraudsters.  Now is the perfect time for a frontline check fraud refresher course and to shore up your check cashing procedures. While check fraud is nothing new, these stimulus payments are a great incentive for con artists to dust off their old playbook of tried and true counterfeit check scams.  By getting to know your stimulus check, you can significantly reduce losses at your institution.  There are five key security features [...]

Getting to Know Your Stimulus Check 2020-05-01T13:20:14+00:00

Deploying a Simple Open Source SIEM


Introduction: There is a lot going on today in a modern network. The ability to visualize, search, and react to security events is critical. A SIEM (Security Information and Event Management) is typically used to meet these needs. There are a lot of SIEM solutions out there and it can be a very complex topic. However, there are some open-source solutions that can meet your needs. This blog will walk you through the process of deploying, and some basic usage of, an open-source solution called the Elastic Stack. The Elastic Stack is a great platform used for many different [...]

Deploying a Simple Open Source SIEM 2020-04-23T16:59:25+00:00

Customer Security Awareness Training


It’s not only a moral obligation for an institution to advise its account holders on protection of their identity and assets; it is absolutely recommended by myriad experts, sources, and FFIEC guidelines which state that financial institutions should have a policy within the Information Security Program to govern “Customer Awareness” (FFIEC Information Security Booklet, II.C.16).  Financial institutions should comply with that policy, providing some type of ongoing training to their customers, members, and consumers. This training may be provided any number of ways: pamphlets, statement stuffers, and so on.  More frequently, training is being delivered electronically as content on institutions’ [...]

Customer Security Awareness Training 2020-03-12T20:29:23+00:00

Issues for Issuers that Issue


More and more institutions are now payment card issuers.  Ten years ago, in-house payment card production was almost always an outsourced function within community financial institutions (FIs), but that’s no longer the case.  As currently observed, more than 40% of our FI clients have now implemented in-house card printing and/or embossing (personalization) solutions for various reasons.  The most prevalent of those reasons are competitive in nature: to provide customers with quick access to their funds at account opening or following the loss, theft, or compromise of a payment card. While a large majority of in-house issuance adopters have made strong [...]

Issues for Issuers that Issue 2020-03-19T16:44:39+00:00

We Accept the Risk


Whether you find them in a risk assessment, we find them in an audit, regulators uncover them as part of an exam, or you hear something scary and familiar on the news, IT risks require ACTION.  There are generally four things you can do once a risk is identified within your environment: Avoid it. No one likes being told, “You can’t do that. It’s too dangerous.”  Risk avoidance is when management determines that the risk outweighs the benefit of an asset (like a product offering, practice, or IT system) and decides not to go forward with implementation.  Avoidance is much [...]

We Accept the Risk 2020-02-13T21:43:07+00:00



SPF. DMARC. DKIM. Oh My!

We spend a lot of time making sure we have policies in place to protect our institution from reputational risks associated with technology, and even more time is spent on training, auditing, and compliance to manage those risks. But rarely do we consider what goes on outside of the physical or virtual perimeter of our networks. Consider this: what would you say if I told you that there is a 79.7% likelihood that a third party is either actively sending email as if it came from your domain without your knowledge, or has in the past? Don’t get all bristly; [...]

SPF. DMARC. DKIM. Oh My! 2019-11-19T23:28:24+00:00