Weekly Security Tips

May 5, 2022

From time to time, we are asked “Why do we need to do a risk assessment? Isn’t that the same as an audit?” Since the terms are sometimes used interchangeably, we thought we’d talk through these foundational concepts....

April 28th, 2022

In even the most rigorously managed networks or systems, there’s always some exception to security policies that must be allowed at some point. Maybe it’s a critical operational need, maybe it’s a temporary issue during a big rollout, maybe something new has cropped up and the rules need to be bent for little bit to keep the wheels rolling…it happens....

April 21st, 2022

I believe we can all agree that nothing prepares us more than having to deal with a Business Continuity Management event than an actual event. We can always derive better plans through results from testing and actual events. President Dwight D. Eisenhower’s take was: “[I] have always found that plans are useless, but planning is indispensable.” At the very least, having a plan gives us a jumping off point....

April 14th, 2022

We regularly field questions about testing methodology and examiner expectations. And while some of our answers can be very specific to your network and institution, the foundational concepts carry through to all...

April 6th, 2022

As tensions mount in Europe, our clients have reached out for advice on how to counter the possibility of foreign attacks. A few weeks ago, we released helpful tips related to strengthening security fundamentals, https://10dsecurity.com/wst/cybersecurity-fundamentals.html. As we continue to bolster our defenses, now is a great time to schedule any delinquent patch management across your environment. Patching efforts should include...

March 31st, 2022

Spring has officially sprung! If you are like us, you are swapping out closets with lighter clothing, and beginning an annual “spring cleaning” of the home. But why stop there at the house? What about peeking into your virtual closets to see if there are digital dust bunnies ready to be swept away? If it has...

March 24th, 2022

Government agencies continue to warn of potential cyberattacks targeting US entities related to the ongoing conflict in Ukraine. Just this week, President Biden and the Cybersecurity & Infrastructure Security Agency (CISA) warned...

March 17th, 2022

This week we have a blog post where Mike Smith supplies some tough love and straight talk on securing Microsoft 365, and why it’s important to enable multi-factor authentication and disable insecure protocols that don’t support it...

March 10th, 2022

On March 7, 2022, FinCEN issued an alert advising all financial institutions to be vigilant against potential efforts to evade U.S. imposed sanctions and restrictions implemented in connection with the Russian Federation’s invasion of Ukraine. The Office of Foreign Assets Control has...

March 3rd, 2022

Back in 1999, when Michael Jordan was enjoying his second retirement and everyone was freaking out about Y2K, Congress passed the Gramm-Leach-Bliley Act (GLBA), which ensured the safeguarding of consumer non-public personal information (NPI). The GLBA dictates what...

February 24th, 2022

Here at 10-D Security, we are constantly updating our Microsoft Security Review services to keep up with changes that Microsoft makes to everything from the placement of configuration controls in administrative consoles to...

February 17th, 2022

Looking for a new Information Security Officer? What skill sets should be considered? As information security professionals, we are often asked by our clients about...

February 10th, 2022

We hope everyone is enjoying the new year so far and wish everyone well in their endeavors for the remainder of 2022. Here’s a friendly note on the subject of backups. It is the guidance and typically the examiner’s expectation that ...

Feruary 3rd, 2022

With the growing geopolitical instability in the world today, now would be a great time to review security fundamentals. If you are looking for ways to sharpen the tools in your cyber defense toolbox, here is a list of suggestions...

January 27th, 2022

Last week, we mentioned the dangers of reusing passwords across multiple services. Now, we would like to tell you how you can make your passwords stronger to prevent...

January 20th, 2022

Since high profile breaches involving user credentials (usernames and passwords) continue to occur, we thought we’d revisit what the bad actors do with this information, provide ways you can help protect yourself, and point you to a tool that alerts if your email address has been included in a breach...

January 13th, 2022

Would you let someone else be in charge of your house keys? How about the keys to the front door of your business? ...

January 6th, 2022

Where did 2021 go? Happy New Year’s All! It is time to take a close look at your 2022 schedule to make sure the critical elements of your information security and compliance programs are mapped out...

December 27th, 2021

Just like Santa has had a busy month, so too have the financial regulators! During December, changes to the FFIEC BSA Examination Manual have been issued, a Notice of Proposed Rulemaking (NPRM) concerning beneficial ownership has been published, and a Request for Information has been posted seeking comments for changes to BSA regulations.....

December 22nd, 2021

If you have been on the internet at any point in the last couple weeks, you have no doubt heard about the log4j (Log4Shell, CVE-2021-44228) vulnerability making waves through the consumer and enterprise environment. To help underscore the seriousness of the issue, note that.....

December 16th, 2021

An organization’s Business Impact Analysis (BIA) is an important component of any Business Continuity Plan. A strong BIA allows an organization to effectively prioritize resources when designing your continuity structure, processes, and equipment. BIA development generally involves .....

December 9th, 2021

Let’s face it, most of us click “accept” without thinking about it. We install software, and don’t read the EULA. We just click “Accept.” We install an app on our.....

December 2nd, 2021

This week’s WST was inspired by a client asking, “What information IT/Information Security training should we do?” The easy answer is that all institutions must perform annual information security awareness training. However, we went spelunking through.....

November 24th, 2021

As an auditor, I am sometimes reminded, either directly or indirectly, that I am pessimistic, and have been described as “negative” at times. Well, yeah! Although I .....

November 18th, 2021

It’s always a good time for a refresher on some best practices and expectations for firewall management. Here are some concepts that should be observed while managing firewalls:......

November 12th, 2021

Did you run out of time to get your FedLine® Assurance Program attestation performed before the end of the year? Well, there may be some relief.......

November 5th, 2021

Back in the good old days, Multi-Factor Authentication (MFA) seemed like a silver bullet. “If only we got MFA enabled on email/VPN/etc., we can stop worrying about that high-risk service!” The industry .......

October 14th, 2021

Most everyone is aware of phishing, vishing, and other forms of electronic social engineering. It’s important to remember that social engineering can occur in-person as well. Responding appropriately in these situations can be an important part of an organization’s security stance.......

October 7th, 2021

According to a recent release from FinCEN, there has been a 147 percent increase in online child sexual exploitation (OCSE) between 2017 and 2020, including a 17 percent increase year-over-year in 2020. These......

September 30th, 2021

Tomorrow is October and it’s Cybersecurity Awareness Month! For the 18th year, we’ll mark a national month to raise awareness about the importance of cybersecurity and how to be more ......

September 23rd, 2021

Sometimes all the little things add up …. And such is the case for today’s Weekly Security Tip! Check out the following tidbits, Help Wanted, Cannabis Banking is One Step Closer to Being Legal, Padcast Anyone......

September 16th, 2021

On June 30, 2021, FinCEN, in consultation with other US Dept of the Treasury offices, relevant regulators, law enforcement, and national security agencies, released the first government-wide priorities for anti-money laundering and countering the financing of terrorism (AML/CFT) policy (the “Priorities”)......

September 9th, 2021

It’s always in the back of your mind. In 2021, it is on the news almost weekly. It’s no surprise there is a 185% jump in attacks in the first half of this year, as compared to the first half of 2020.....

September 2nd, 2021

The Cybersecurity & Infrastructure Security Agency (CISA) released a statement on adding single-factor authentication to its list of bad practices that are exceptionally risky. See .....

August 26th, 2021

Most organizations have some type of onboarding/offboarding process they use when handling staff changes. When a new person joins the team, there’s a process for getting.....

August 19th, 2021

Many financial institutions outsource some or all of their Information Technology operations and management to third-party organizations, commonly known as.....

August 12th, 2021

There is no question the core system is a high-risk adventure for every financial institution. This is why user access reviews have been an important part of managing this risk. The process of .....

August 5th, 2021

Are you keeping up on IT and Information Security work? Great! What if business is growing, and you’re starting to think “We are working a little too much to keep.....

July 29th, 2021

Cloud services are nothing more than infrastructure, software, or platforms hosted outside your data centers. If you have anything – core applications, email, SIEM, mobile banking.....

July 22nd, 2021

Undoubtedly, your institution has an evacuation plan that covers many scenarios, including but not limited to weather, active shooter, civil disturbance, and others. What do you.....

July 14th, 2021

Recently, the United States Supreme Court issued a decision where all nine justices found in favor of former Georgia police sergeant Nathan Van Buren and levied an opinion affecting the Computer Fraud and Abuse Act of 1986.....

July 8th, 2021

As more states legalize medical and/or recreational use of marijuana, your institution will need assistance to navigate the various aspects of cannabis-related businesses (CRBs). While still illegal at ....

July 1st, 2021

On Wednesday, June 30, the FFIEC released a significantly updated operations booklet called the Architecture, Infrastructure, and Operations Booklet . This new AIO Booklet replaces....

June 24th, 2021

Here are some simple steps that can be taken to improve your security posture as it pertains to malware and email....

June 17th, 2021

We continue our series on basic and helpful security tips for your Microsoft 365 instance. Keep in mind, some of these tips require 365 Business Premium or Enterprise subscriptions, and can be configured in multiple locations, including Conditional Access policies ...

June 10th, 2021

Vulnerabilities affecting three widely-used platforms are demanding some attention in this week's WST...

June 3rd, 2021

We continue our series on basic and helpful security tips for your Microsoft 365 instance. Keep in mind, some of these tips require 365 Business Premium or Enterprise subscriptions, and can be configured in multiple locations, including ...

May 27th, 2021

MMFA is the single-most impactful thing you can do to improve the security posture of ANY application accessed by users. It doesn’t matter if it’s hosted internally, in the cloud, only accessible from your domain, or...

May 20th, 2021

MMFA is the single-most impactful thing you can do to improve the security posture of ANY application accessed by users. It doesn’t matter if it’s hosted internally, in the cloud, only accessible from your domain, or...

May 13th, 2021

Most small- to medium-sized institutions don’t have a full-time employee available to devote to Microsoft 365 administration and security. If you are the person spinning about...

May 6th, 2021

Financial institutions often have a requirement to receive documents from customers, including financial statements, tax documents, and other types of information critical...

April 29th, 2021

Nearly all organizations maintain more than just a website when it comes to their online presence. Social media is a convenient, ubiquitous way for businesses to maintain and build a...

April 22th, 2021

Another 4.20 has come and gone, and for many institutions it means another year of puffing and passing the cannabis can down the road. A short blurb in your policy stating...

April 15th, 2021

Many financial institutions have developed extremely detailed disaster recovery (DR) / business continuity (BC) plans. Those plans normally...

April 8th, 2021

As Americans we often see the United States as the constant leader on a global scale - be it in athletic competitions, industry, military strength, or just...

April 1st, 2021

You’ve just put the final touches on the latest revision to your corporate Disaster Recovery plan. You have made arrangements to...

March 25th, 2021

Here are some helpful tips for audit and examination preparation to hopefully make the process go smoother for your institution and...

March 18th, 2021

Many organizations have opted to move some IT functions to the cloud. Sales management, off-site backups, document management, file sharing, and others are among...

March 11th, 2021

With the number of breaches that seem to occur each year it can be difficult to keep track of where your data may have ...

March 4th, 2021

On Tuesday, March 2, 2021, Microsoft released out-of-band advisories detailing serious vulnerabilities in...

February 26th, 2021

Beginning 2021, institutions that utilize FedLine services (FedLine Web, FedLine Advantage, FedLine Command, and FedLine Direct) must conduct an...

February 18th, 2021

Have you ever been in the grocery store check-out line and heard the person in front of you recite their entire life history while they're checking...

February 11th, 2021

As we watch the first COVID-19 vaccinations roll out to those who need it most, it got this particular Security Engineer thinking about how vaccinations...

February 4th, 2021

In a previous WST, you may have noticed a bulleted item for a Ransomware Self-Assessment Tool (R SAT). Or you may not have. Regardless, it's...

January 28th, 2021

Did you know that filing Suspicious Activity Reports, or SARs, is not limited to ...

January 20th, 2021

The writing has been on the wall for a while now regarding Adobe Flash Player, ...

January 15th, 2021

People often make judgements and decisions about risk. Modern technology environments are complex and pervasive ...

January 7th, 2021

Yep, another year has flown by and a new year is here. Now is a great time to take a close look at your 2021 schedule...

December 17th, 2020

Well, hacking is certainly in the news this week! We initially resisted adding to the cacophony of news stories and email alerts flooding your inbox, ...

December 10th, 2020

While Congress may not be making much progress passing a second COVID stimulus relief bill, something historic did happen in Washington D.C. last Friday...

November 6th, 2020

During our IT audits, we consistently find file shares containing sensitive information with poor access restrictions. Most of the time, the super sensitive...

October 8th, 2020

It’s October and for many that means it is budget time. Or, did you assume it will just be a part of IT’s budget? According...

October 1st, 2020

Browser Password Storage Thoughts - WST There is some risk when allowing a user’s browser to remember passwords. If a bad actor gets access to a machine, they...

September 24th, 2020

Earlier this month, the Financial Crimes Enforcement Network (FinCEN) put out a cryptic statement regarding the unlawful disclosures of suspicious activity reports (SARs). According to FinCEN, various media outlets were intending to publish a series of articles based on...

September 17th, 2020

Do you keep an accurate and up-to-date inventory of your IT assets? If not, you may be wasting money and decreasing your overall IT security posture. One of the most important aspects of managing your IT environment is...

September 3rd, 2020

As the pandemic continues to rage on, we’ve discovered some of the hardest working people during this time are fraudsters and scammers who never seem to be impacted by high unemployment rates. According to a recent FinCEN Advisory...

September 3rd, 2020

Recently, many of our clients have had significant increases in the number of vulnerabilities found during their Internal Vulnerability Scans. One of the primary reasons for this is...

August 20th, 2020

We live in a busy, and often stressful world. With most of us carrying around at least one always-connected device, we...

August 7th, 2020

Much like the contested area that separates two foreign powers that do not trust each other, a network DMZ is a place where you...

July 28th, 2020

Adobe will stop distributing and updating Flash Player after December 31, 2020. We shouldn’t be surprised by this...

April 29th, 2020

We wanted to expand on our WST about securing remote access from a few weeks ago with some additional...