Keep Data Secure In The Cloud

To answer this question, let’s use the NIST definition of Cloud, which is referenced by the FFIEC. By that definition, most financial institution service providers are technically not Cloud. Using the strict criteria outlined by NIST, Cloud providers would be services like Dropbox, Gmail, etc., where anybody can sign up and get resources dynamically allocated. However, many of our clients and some examiners have expanded the definition to include all things web-based. Traditionally known as Software-as-a-Service (SaaS), these services are hosted by the vendor and accessed via web browser, so they look like a Cloud solution. To keep data safe in the…

Bash Remediation - Quick Steps To Recover

Shellshocked! By now you’ve heard that there may be a potential exploit of Bash, Shellshock, that could put you and your data at risk. At Rivial, we’ve analyzed the threat and can confidently say to do the following four things to ensure your data and your customers’ data are safe. Scan your network to identify where Bash is present. Create a document to track each instance of where Bash is running on your network. Systematically upgrade the firmware as vendors push these updates out. Pay special attention to any…

PCI Compliance Challenges for Banks and Credit Unions

Regarding PCI compliance, financial institutions have an advantage. Having complied with GLBA for several years, banks and credit unions have relatively robust and complete information security programs in place. They are audited several times per year by the FDIC, NCUA, state regulators, external firms, internal auditors, SOX audits, etc. The problem is that card brands like Visa and MasterCard have been focused on the retail industry as a major trouble area. Compared to most retailers, financial institutions are more mature in their Information Security Management and Audit programs, less likely to cause a breach, and are therefore not the initial…

How Much Would You Spend to Fix a High Risk?

Would you spend $10,000 to fix a risk deemed as High? How about $100,000? I hope your response was “it depends” because it really should depend on the value of the asset you’re trying to protect. The traditional and most common means of rating risk is High-Medium-Low or a similar structure. Perhaps it’s a five-tier scale to give the person providing the opinion more flexibility. This presents two problems: the first is that business people have to make financial decisions on a daily basis to keep the company running smoothly and growing.…

Haven't Read About Lavabit Yet? You Should.

The front page of lavabit.com is worth 10 minutes of your day, I guarantee it. The implications are jaw-dropping and seem more probable after Edward Snowden’s adventure. The Lavabit post reads more like a fictional novel than a historical timeline. There are two sides to every story, of course, and it is the reader’s role to decide which side to believe. Check it out: lavabit.com

The 3 Myths of Penetration Testing

I do quite a bit of traveling on behalf of my clients at Rivial Security, and people are always asking, “Do you offer Penetration Testing, and is it enough to keep my data secure?” The truth is that we live in an environment of ever-flowing and growing data. It is our job and duty to protect the integrity of that data, and merely having a Penetration Test conducted is not enough in these days of cybercrime and malware. The recent security failures at Target have started much of the dialogue regarding consumer and organization security of a company’s…

Don't be another Target. Do these 5 things now to protect your company.

If the Target blunder has been priced at a growing $170M and the FBI is warning the public that cybercrime is a higher priority than terrorism, then “these times are a changing,” as Bob Dylan once said. Unfortunately, this trend of attacks becoming more and more sophisticated every year is likely to continue with no end in sight. Each of us is a click away from a piece of malware, identity theft, or worse: a compromise of data security at work. Organizations that collect and store confidential data, whether it’s credit card data, hospital files, bank, or…

Target Breach is an Incident Response Opportunity

The recent credit card data breach at Target Inc., where 40 million credit and debit card accounts were compromised, presents a golden opportunity for financial institutions to improve their information security programs. The breach impacted hundreds of U.S. financial institutions that issue credit or debit cards, so many had to contact customers and reissue cards. As painful as this may have been for some institutions, there is opportunity here. That opportunity is testing the security incident response plan. A key component of a good Information Security Program is having a fully documented and tested Security Incident Response Plan. When an…

New FFIEC Guidance on Social Media

The FFIEC recently released final risk management guidance on Social Media for financial institutions. The action represents a much-needed, formal perspective on a technology trend that has become much more than a passing fad. In early 2008 I presented to a group of bank executives who were blown away by the figures I highlighted. I no longer have the slides, unfortunately, but remember a few statistics from the presentation. That year Facebook had eclipsed email as the number one virus delivery mechanism on the internet, and an online-only financial institution generated more than $1M in deposits in under 6…

IT GRC: Steroids for your InfoSec Program

When meeting with organizations across the country, perhaps the most common scenario I see is overworked, understaffed security teams trying to keep up with new attacks, new IT systems, Cloud services purchased by business managers, new regulations, and seemingly constant audits, on top of the normal day-to-day grind of working in IT. The financial industry, in particular, is still recovering from the worst economic downturn in several generations, which means financial resources are scarce. One of the last expenses to rebound, if it ever will, is staffing. Without the right resources—human or otherwise—it is difficult to maintain an appropriate security…
