Security News

Takeaways From Major Cyber Incidents of 2023

January 30, 2024

2023 had a significant number of large and important cybersecurity incidents. Each event could provide ...

Involving the Business in Developing your BIA

July 20, 2023

As we dig deeper into the topic of Business Impact Analyses, a picture is worth a thousand words, so let us start there...

Third Party Wrangling: Refuting Common Arguments Against Network Segmentation

June 22, 2023

Let’s look at a few examples of what we see and hear when looking for proper network segmentation. For instance...

Company Culture Affects Information Security GRC

May 18, 2023

What is the culture like in your company? Do you have a friendly and supportive environment where lunches and cake are brought to celebrate achievements or birthdays?...

I Got a SOC 2 Report for My Vendor Management- What Now?

March 30, 2023

Do you know someone who got a new set of golf clubs only to have it end up in the closet because they didn’t quite understand the mechanics needed to find success?...

In Good Company or Low Hanging Fruit? - A Year in Review

March 1, 2023

During our audits, we’re often asked, “do you frequently see this same finding at other financial institutions?” We thought it might be helpful to share some of our most common findings...

365 Things: MFA and Logging

August 25, 2022

This week, Mandiant—a well-respected threat intelligence leader—published yet another reminder that threat actors continue to target Microsoft 365 multi-factor authentication....

Security Configuration Exception Tracking

July 28, 2022

There seems to always be someone that needs access to something that is just outside the boundaries of their job duties and/or security roles. When it comes to security.....

Authentication and Access to Financial Institution Services and Systems

July 19, 2022

The risk based FFIEC Internet banking authentication guidance has evolved over the years, and what started as simple customer authentication guidelines has progressed into a set of standards that institutions can use to help protect information systems, accounts, and data.....

Guide to Happy Examiners – External Testing Selection

April 14th, 2022

We all want happy examiners . . . and board members . . . and clients . . . and employees. This guide will prepare you for a room full of smiles at your next examination . . . at least from an information security standpoint on your external network. The term “Penetration Test” has been thrown around a lot in the Information Security industry. Some vendors and institutions use the term Penetration Test interchangeably with “Vulnerability Scan” (or Assessment), when in fact, the two.....

Tough Love, Scared Straight

March 17th, 2022

During our journeys with clients through security reviews of Microsoft 365 tenants, we’ve noticed some fairly concerning trends. So, bear with us while we don our dad-hats and commence with the tough love.....

Good Intentions Never Go Unpunished

March 3rd, 2022

This sardonic commentary, like its namesake, comes from the deep, dark, sometimes-paranoid filing cabinet of my mind labeled: Hypothetical. Those who know me, know there is a potential rabbit hole under every step taken. But I bet I have something here for you that you haven’t thought of....

Backups and Testing Backups

February 10th, 2022

There are a lot of sideways looks thrown around when we talk about things like backing up Exchange Online mailboxes (part of Microsoft 365). In this scenario, everyone understands that Microsoft has provided a recoverable and resilient infrastructure for the email services and the mailboxes they are hosting in their cloud, as well as other 365 and Azure based services. So why should we care about backups? After all, Microsoft has our backs… right?....

Who’s Got the Keys?

January 13th, 2022

Your institution builds a new facility in a high-crime area. This new building will be used for corporate operations overflow. There will be executive offices, lots of IT infrastructure, and rooms full of sensitive paper document archives....

IT Staff Augmentation

August 5th, 2021

Categories: Information Security News

I was recently asked by a client how to keep his IT team's workload at an acceptable level as their institution is ramping up for additional growth. I’ve experienced a similar quandary when just needing additional staff for continued growth of defensive capabilities. It's an excellent question, and one I'd struggled with in the past, but after several attempts I finally ...

Cannabis Banking Risk Assessment - Tips from the 10-D Hotbox

May 27th, 2021

Categories: Banking Compliance News

Something is definitely in the air with the SAFE Banking Act being passed by the House and on its way to the Senate; but before you hit your Board up to have a discussion on cannabis banking, you’ll want to complete a Cannabis Banking Risk Assessment. The risk assessment should give the Board a blunt view of the risks to assist in determining whether cannabis banking goes on...

Minding your P’s & V’s – Patch Management and Vulnerability Management

July 20th, 2020

Categories: Information Security News

Congratulations! Your boss has tasked you with creating a Patch Management Policy to address a recent IT Audit finding. So, you think to yourself “No problem, I’ll just Google an example - or even better, request a template from 10-D Security and knock it out.” Just when you think this is the easiest thing you’ve done all week, your boss comes back and nonchalantly states, “Actually our remediation tracker...

SBA Release of PPP Data May Lead to Uptick in Attacks

July 12th, 2020

Categories: Information Security News

Security Disciplines

July 8th, 2020

Categories: Information Security News

Ah, security. Network security. Information Security. Endpoint security. Configuration security. Cloud security. Physical security. All different but depending on the size of your institution or your role within it, you may have a hand in each of these security areas. And while it may not seem important to the casual observer, it is important that anyone managing any aspect of these knows the differences between them. When I decided...

Network Access Control Basics

May 12th, 2020

Categories: Information Security News

Network Access Control (NAC) can be a very confusing concept to understand if one tries to dig into the minutiae of how it works and every single thing it can do. Instead, to get an idea of how it can assist you in your security efforts, start by focusing on breaking down its name: Network. Access. Control. NETWORK. It’s a bunch of jacks in the wall that have wires ...

Getting to Know Your Stimulus Check

April 29th, 2020

Categories: Information Security News

From April 24th through June 26th, 2020, the Treasury Department is mailing paper Economic Impact Payment checks, and like moths to flame, this substantial influx of money is already attracting fraudsters. Now is the perfect time for a frontline check fraud refresher course and to shore-up your check cashing procedures. While check fraud is nothing new, these stimulus payments are a great incentive for con artists to dust off ...

Deploying a Simple Open Source SIEM

March 11, 2020

Categories: Information Security News

There is a lot going on today in a modern network. The ability to visualize, search, and react to security events is critical. A SIEM (Security Information and Event Management) system is typically used to meet these needs. There are a lot of SIEM solutions out there and it can be a very complex topic. However, there are some open-source solutions that can meet your needs. This blog will ...

Customer Security Awareness Training

March 11th, 2020

Categories: Information Security News

It's not only a moral obligation for an institution to advise its account holders on protection of their identity and assets; it is absolutely recommended by myriad experts, sources, and FFIEC guidelines, which state that financial institutions should have a policy within the Information Security Program to govern "Customer Awareness" (FFIEC Information Security Booklet, II.C.16). Financial institutions should comply with that policy, providing some type of ongoing training to ...

Issues for Issuers that Issue

March 5th, 2020

Categories: Information Security News

More and more institutions are now payment card issuers. Ten years ago, payment card production was almost always an outsourced function at community financial institutions (FIs), but that's no longer the case. As currently observed, more than 40% of our FI clients have now implemented in-house card printing and/or embossing (personalization) solutions for various reasons. The most prevalent of those reasons are competitive in nature; to provide customers ...

We Accept the Risk

February 12th, 2020

Categories: Information Security News

Whether you find them in a risk assessment, we find them in an audit, regulators uncover them as part of an exam, or you hear something scary and familiar on the news, IT risks require ACTION. There are generally four things you can do once a risk is identified within your environment: Avoid it. No one likes being told, "You can't do that. It's too dangerous." Risk avoidance is ...

SPF. DMARC. DKIM. Oh My!

August 8th, 2019

Categories: Information Security News

We spend a lot of time making sure we have policies in place to protect our institution from reputational risks associated with technology, and even more time is spent on training, auditing, and compliance to manage those risks. But rarely do we consider what goes on outside of the physical or virtual perimeter of our networks. Consider this: what would you say if I told you that there is...

Securing IoT

July 18th, 2019

Categories: Information Security News

A tongue-in-cheek, but realistic, scenario for IoT compromise: Your customers are complaining. And they make a valid point that your Internet banking application is unavailable inside your very own bank branch walls, because you don't offer free Wi-Fi in your 150-year-old stone building with no cell signal. Well shucks, that makes a lot of sense, doesn't it? Now the employees are complaining that they can't listen to Pandora while...

Why Do I Need a Tarp?

July 3rd, 2019

Categories: Information Security News

Full disclosure, I was a Firefighter. And we love water. A few years after getting my Firefighter 1 certification I found myself on a quarter section of blackened earth, with a shovel and a six-foot wall of fire extending a few hundred yards in either direction moving away from me at a rather quick pace thanks to those hot summer Kansas winds. A pond, a loafing shed, and a...

The Low-Down on Multi-Factor Authentication

February 21st, 2019

Categories: Information Security News

Multi-Factor Authentication, Strong Authentication, 2FA, MFA, Token-Based, Out-of-Band Authentication; what does it all mean? Many more people are familiar with these terms than just a few years ago. But not all multi-factor authentication (MFA) types are created equal. MFA solutions are designed to protect their users' accounts in the event of credential theft. With more advances in software technology and features come more vulnerabilities...

I'll Tell You What You Need to Know

June 13th, 2018

Categories: Information Security News

While walking past the president's office, he sees and summons you into his office and asks if you can fix the printer on the back wall. After astutely seeing the printer's status panel is indicating "Out of paper," you load paper and voila, it prints. "Hey, you're pretty good at this technology stuff. Our last exam said we had to appoint ...

Windows Update Management Tips

May 31st, 2018

Categories: Information Security News

Windows Updates... Believe it or not, they've been around since the days of Windows 98. They are often despised by end users and IT support staff because they may interrupt the workday, delay leaving at the end of the day, or break functionality. Along the way, Microsoft has improved the deployment and installation process with functions such as Windows Server Update Services (WSUS). ...

VPN

May 23rd, 2018

Categories: Information Security News

Virtual Private Networks: Should you be using one? A VPN, or Virtual Private Network, allows you to create an encrypted connection to another network over the Internet. Most users are familiar with them for connecting back to their institution's network for remote access. While this is one reason to use a VPN, it's far from the only reason to use one. In today's environments, eavesdropping, public Wi-Fi, and location. ...

GDPR is coming... but what does it mean, and why should I care?

May 10th, 2018

Categories: Information Security News

If your organization hasn't heard these four letters by now, it may not be time to panic - but it is time to learn what they mean and if they could impact your organization. Below is a brief overview intended to get you familiar with this new international regulation and hopefully answer some of the basic questions ...

50 Shades of Administration - Managing Domain Admin Privileges

April 26th, 2018

Categories: Information Security News

During our work, both our auditors and engineers have noticed a common issue our clients large and small have - overly permissive administration accounts. Many times, we see all IT users given a Domain Admin account, from the greenest helpdesk tech to the person overseeing the network. Microsoft's Active Directory has a couple of different ways to grant rights to a user, group, or organizational ...

New Easy Password Standards? Not so Fast!

March 22nd, 2018

Categories: Information Security News

Passwords... it's no secret; most of us are really bad at creating and maintaining passwords. In fact, 81% of hacking related breaches leveraged either stolen or weak passwords. But unfortunately, passwords won't go away any time soon. Almost every resource, application, web site, and the like requires some form of username and password. Because of this, it's no surprise that almost all of us struggle to follow recommended password...

Saying Goodbye to NetBIOS

February 22nd, 2018

Categories: Information Security News

By Dave Kelly. NetBIOS (Network Basic Input/Output System) was created in the early 1980's, but is surprisingly still alive and well on many networks today. Microsoft Windows still uses it for its name resolution function (often by default) when DNS is not available. Network resiliency and access to resources is a good thing, but keeping NetBIOS enabled for that reason is not. There are many security concerns with NetBIOS, and disabling its ...

5 Top Laptop Security Tips

December 28th, 2017

Categories: Information Security News

Today's mobile workforce has generated the awareness and subsequent need for mobile security like never before. As data growth increases, the requirements set forth in new laws and regulations also demand that organizations demonstrate due-care in protecting sensitive customer data. Meanwhile, the ever-increasing amount of sensitive data continues to find its way onto laptops and adds additional threats to these devices. Because of these threats, organizations should follow a...

Penetration Test and the Vulnerability Assessment

October 12th, 2016

Categories: Information Security News

Penetration Test vs the Vulnerability Assessment: Some say Potato, some say Patato. The term "Penetration Test" has been thrown around a lot in the Information Security industry. Some vendors and institutions use the term Penetration Test interchangeably with "Vulnerability Scan" (or Assessment), when in fact, the two define very different scopes, methodologies, and deliverables. The recently updated FFIEC Information Security Booklet discusses these types of tests and offers definitions ...

Cyber Security Baselines and Anomaly Detection

October 12th, 2016

Categories: Information Security News

Baselining and anomaly detection are security concepts that have been around for quite a while; however, recently both have received renewed interest. This new attention stems from increased regulatory focus on incident response and the fact that in today's cybersecurity world it's no longer a question of "if" but "when." Cyber-attacks have evolved to the point where they can pass through technical defenses, blend into an environment and remain undetected as long...

Incident Response Plan

September 7th, 2016

Categories: Information Security News

Responding to Robberies: Your Incident Response Plan for Cyber Robberies. Ask anyone outside of the banking industry "What do banks have in place for responding to robberies?" and you will likely get a response referring to silent alarms, surveillance video, guards, tracking systems and/or exploding dye packets. It's assumed, and obvious, that banks have robbery prevention and response plans. Now consider this: in 2010 the average bank robbery netted...

The Patch is Only the Beginning

August 1st, 2016

Categories: Information Security News

The patch: sometimes it is only the beginning. Not all patches work out of the gate. Anyone who has been responsible for patch management knows that it is a never-ending cycle of download, test, patch and repeat. What is often overlooked, unfortunately, is that sometimes, even when a patch is applied, the vulnerability it is supposed to fix isn't always fixed… not right away at least. Over the past...

Recommended Audit Policy Settings

July 12th, 2016

Categories: Information Security News

The following recommended settings are based on Microsoft and industry best practices. Note that these settings are basic, and more advanced audit configuration settings exist beginning with Windows 7 and Windows Server 2008 R2. See "Advanced Security Audit Policy Step-by-Step Guide" (https://technet.microsoft.com/en-us/library/cc778162(v=ws.10).aspx) for more information. Audit policies can be set using the Group Policy Manager, where you can find them at: Computer Configuration\Policies\Windows Settings\Security Settings\Local...

Eliminating Local Administrative User Access Requirements

March 10th, 2016

Categories: Information Security News

Back in the Windows 95/98 days, Windows had no file system security, and users always had full control of their systems. With the advent of Windows NT/XP, granular access controls and limited user accounts (LUA) were introduced to enhance security. While LUAs were available, there were many limitations, and the default was for users to be administrators of their machines. As ...

IT Security Assessment Bids

April 6th, 2015

Categories: Information Security News

The Good, the Bad and the Ugly: tips, tricks and shortcuts for evaluating vendors of independent IT security assessments. This information will help you better understand the bid in front of you and some possible outcomes as you work to shorten the stack of vendors' responses. While the information is not intended to be all-encompassing, it should help with non-technical considerations. In no particular order,...

Finding Weakness in Today's Networks

October 23rd, 2014

Categories: Information Security News

Evaluating the security of an internal network environment can be accomplished several ways. We routinely field a number of questions about internal network security assessments. A few of the most common questions are regarding: Internal Penetration Test vs Internal Vulnerability Assessment; Authenticated or Unauthenticated Assessment; To White List or Not to White List; Black Box, Grey Box or White Box; Patch Management Reporting. The...

EMET Security Tool

August 8th, 2014

Categories: Information Security News

The security tool you haven't heard about. Microsoft's Enhanced Mitigation Experience Toolkit, or EMET, is a free security tool that has been around for some time, but outside of a few circles, it hasn't received the attention it deserves. Microsoft recently released version 5.0 of this tool, so it's a great time to get acquainted if you are unfamiliar. What is EMET? EMET is a system tool...

Going Next Level

July 15th, 2014

Categories: Information Security News

The shape of the internet as we know it is constantly changing and evolving to meet the growing demands of business and entertainment. This constant growth, however, has added levels of complexity to Information and Network Security, which can lead to complex and mismanaged network environments. One of the newer products to hit the Security scene that is hoping to help reduce those layers is a Next...

Memory Acquisition Tools

May 9th, 2014

Categories: Information Security News

Combating today's advanced malware requires skill and an advanced toolset. The most common incident response procedure that we see in smaller organizations is to identify infected machines and simply run malware scanners (Malwarebytes, Spybot, etc...) until the scan comes back clean. This "scan until clean" mindset often results in repeated infections and gives the organization a false sense of security. Malware scanners suffer from the same...

Exposed Management Consoles

May 2nd, 2014

Categories: Information Security News

Exposed Management Consoles - A look at Microsoft Exchange. In most organizations where we find Microsoft Exchange, we find Outlook Web Access (OWA) open to the internet. Generally, external access to OWA and ActiveSync is allowed when mobile users are accessing Exchange email. This is all hosted using Microsoft's Internet Information Services (IIS). What many administrators may not realize is what other websites are running by default and may...
