Tuesday, July 23, 2019

Detective, Reactive and Preventive: Evolving Your IT Security

Posted by OnCourse Staff January 17, 2014 11:49am

Photo Credit: clix

In my post The Credit - Er, IT Crisis, I talked about some of the forces influencing security in community banking. One of the forces I mentioned was that the audit process has remained largely the same while the IT environments of modern banks are rapidly evolving. But what does that mean? Given the evolving environment, how does the audit process have to evolve to ensure the information security of a community bank? What does a community bank need to do to complement the audit process?

In community banking, the process of validating the adequacy of information security has traditionally been completed through Audit. Audit is an important information security control in that it validates the proper working of other controls in an organization.  When auditors come into your bank, they look at things such as training plans, incident response plans, disaster recovery and business continuity plans, risk assessments, business impact analysis studies, proper governance, and a host of other things.  Now, all of the controls the auditors examine are important in mitigating IT risk.  However, there is a fundamental weakness in relying solely on the audit function to validate information security.

What do most of the controls your auditors examine have in common? Many are reactive in nature. Not all, but many. They are designed to mitigate exposure after something happens, and they provide procedures to follow in reaction to an event.

For example, think about your incident response plan.  What is the purpose of that document?  It describes the procedures to follow in the event an actionable incident occurs within an organization.  It describes what constitutes an actionable incident, who the people are who are tasked with dealing with it, what they need to do, the escalation process, how it should be documented, and how it should be ultimately reported.  An incident response plan is designed to minimize the damage from an incident after it occurs and ensure that sufficient documentation exists so that additional controls can be developed in the future.

The same thing can be said about disaster recovery and business continuity plans.  They are designed to ensure that the business can survive an otherwise catastrophic event, that is, survive after an event occurs. Even risk assessments, business impact analysis, mandatory vacation policies, and reporting are only going to plan for, detect, or deal with events after they have happened.

Even audit itself is a detective control. The audit process detects control weaknesses by looking for failures after they have happened. 

Don't get me wrong; all of the controls discussed so far are critically important to a bank. Auditors will rightly get their underwear in a bunch if they are missing. However, the information security weakness arises when IT audits focus too heavily on these reactive controls. The highly technical infrastructure of modern organizations and highly technical attacks (both internal and external) require us to consider more. IT audit programs need to be expanded to include the examination of controls that outright prevent incidents or allow for proactive responses to them. They need to balance the emphasis on reactive controls, like incident response and disaster recovery, with the controls that allow for preventive, real-time responses.

To be clear, your auditors are already examining controls that fall under this preventive category. They examine things like dual controls, segregation of duties, system password policies, access control lists, training, physical access controls (e.g., how access to the vault or server room is controlled), and other authorization and approval processes. All of these are designed to prevent incidents from happening in the first place.

I know what you're thinking: "If my auditors are already looking at reactive and preventive controls, then what's the problem?" The problem is twofold. First, many IT audit programs are skewed towards the reactive controls. In my opinion, that is largely due to regulatory emphasis. Regulators spend a lot of time looking at the adequacy of your policies, so auditors spend a lot of time there as well. Auditors hate it when an issue is identified in a regulatory audit that was not identified as part of an internal audit. Where the regulators go, the auditors will follow. Second, we must be careful to consider the highly technical risks associated with modern information systems. As I explained in Keeping the Balance: IT Security and the Org Chart, dual control and segregation of duties work marvelously in preventing internal fraud, but they potentially do very little to prevent a laptop compromised with the latest malware from opening a tunnel that an attacker can use to siphon data out of the bank.

Given that, what should the audit process be looking for?  What are some additional preventive controls that can be implemented by a bank to improve its information security posture?

At the top of the list are Intrusion Detection Systems ("IDS"). Now, before you say anything, I know that a service provider might manage your network, and that your network might be part of your service provider's larger network. I'm still going to tell you to consider deploying IDS across your bank, or at the very least on critical servers and critical network segments.

Let's describe intrusion detection systems as coming in two basic flavors, host-based and network-based. In reality there are other categories, such as anomaly-based and signature-based systems, but they are beyond the scope of this post; I'll cover intrusion detection in detail in a subsequent article. For our purposes today, let's say that host-based systems are capable of detecting and stopping attacks against an individual machine, and network-based systems are capable of detecting and stopping network-based information gathering, like port scanning, and network-based attacks, like the spread of a worm across the network. The point I want to make is that these systems are preventive. They can detect, report, and prevent anomalous events in real time.

Right behind IDS is the need for centralized patch management. Here is the mistake many organizations make: patch management must include all critical software installed in the bank, not just operating system updates. You cannot rely on the auto-update feature of non-operating-system software. First, you have probably configured your systems so that end users do not have permission to install software. Second, we train our users over and over not to click the malware-spreading pop-up boxes they encounter on the Internet. What is the first thing a software program does when it wants to download an update? It displays a pop-up box. How can we expect our users to tell a good pop-up from a bad pop-up? Don't even try. Look for a centralized system that allows you to push the critical patches. It is unlikely that an external attacker will compromise the bank through the external interface managed by the firewall. It is far more likely that malware will compromise a machine on your network and open a tunnel out of the bank. Consistent and robust patch management is a preventive control that mitigates that threat.

Another control you can consider is incorporating a Syslog server into the network infrastructure. Syslog servers allow for consolidated logging across the bank. Just about all modern networking devices and operating systems support Syslog or have software available that provides the functionality. Consolidated logging, combined with a backup strategy, is especially important in outsourced network management arrangements: it gives the bank the ability to bring in a different service provider to perform a forensic investigation in the event of a system breach. Additionally, when you combine it with a reporting solution, you have real-time access to reports on the state of all systems in the bank. While not strictly preventive in nature, the real-time monitoring, reporting, and alerting it enables blur the line between a detective and a preventive control by allowing an admin to become aware of and respond to events very quickly.
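As an added illustration of the two points above (this is not code from the original post), here is a small Python script that parses constructed syslog lines from a firewall and two servers the way a central Syslog server would collect them, then runs a network-style check for port scanning and a host-style check for failed-login bursts. The log lines, hostnames, addresses and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what a central syslog server receives (RFC 3164 style):
# firewall denies from fw1 plus sshd failures from two servers, srv1 and srv2.
SAMPLE_LOG = """\
Jan 17 09:12:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 17 09:12:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 17 09:12:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=25
Jan 17 09:12:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 17 09:12:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 17 09:13:10 srv1 sshd[4120]: Failed password for admin from 192.0.2.55 port 51022 ssh2
Jan 17 09:13:12 srv1 sshd[4120]: Failed password for admin from 192.0.2.55 port 51023 ssh2
Jan 17 09:13:15 srv2 sshd[2210]: Failed password for admin from 192.0.2.55 port 51030 ssh2
Jan 17 09:13:17 srv2 sshd[2210]: Failed password for root from 192.0.2.55 port 51031 ssh2
Jan 17 09:13:19 srv1 sshd[4121]: Failed password for admin from 192.0.2.55 port 51040 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<proc>[^\s:]+): (?P<msg>.*)$")
DENY_RE = re.compile(r"DENY .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")
FAIL_RE = re.compile(r"Failed password for \S+ from (?P<src>\S+) ")

def parse_syslog(text):
    """BSD-style syslog lines -> list of dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ev = m.groupdict()
            # No year in this format; strptime defaults to 1900, harmless for time differences
            ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    return events

def _bursts(items, window, threshold):
    """items: (time, source, value). Return {source: n} for every source with
    at least `threshold` distinct values inside some `window`-long span."""
    by_src = defaultdict(list)
    for t, src, val in items:
        by_src[src].append((t, val))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {v for t, v in evs[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                alerts[src] = len(seen)
                break
    return alerts

def detect(events, window_s=60):
    """Network-style check: one source denied on many distinct ports (a scan).
    Host-style check: failed logins from one source counted across ALL hosts,
    which only a consolidated log makes possible (3 on srv1 + 2 on srv2)."""
    window = timedelta(seconds=window_s)
    denies, failures = [], []
    for n, ev in enumerate(events):
        if (m := DENY_RE.search(ev["msg"])):
            denies.append((ev["time"], m["src"], int(m["dpt"])))
        elif (m := FAIL_RE.search(ev["msg"])):
            failures.append((ev["time"], m["src"], n))  # n keeps each failure distinct
    return {"port_scan": _bursts(denies, window, 5),
            "login_burst": _bursts(failures, window, 5)}
```

Note that neither server alone sees five failures; only the consolidated stream crosses the threshold.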

Website monitoring is a system that watches the bank's website and reports if content on the site has changed. It alerts in real time if the site is exploited or if the domain name server has been compromised. It doesn't matter if you have no customer data on your site. You still carry significant reputation risk with your customers, potential customers, and the regulators if your public image is attacked.

Network monitoring provides real-time load monitoring to detect network anomalies. Network anomalies can result from virus and worm infections. If the admin at the bank notices an anomalous spike in traffic across the bank, it may indicate a worm at work.
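Added example (not from the original post) of the traffic-spike check described above: a baseline-and-threshold detector over constructed per-minute byte counts, showing why flagged samples must be kept out of the baseline and why a single high minute should not alert on its own.

```python
from statistics import mean, pstdev

# Constructed per-minute traffic samples (MB) on a branch uplink. The last three
# minutes show the sudden, sustained jump that a worm scanning the LAN produces.
SAMPLE_TRAFFIC_MB = [12, 14, 13, 15, 11, 14, 13, 12, 16, 14, 13, 15,
                     12, 14, 13, 61, 74, 88]

def spike_alerts(samples, baseline_len=12, k=4.0, floor=1.0, min_run=2):
    """Return the indices of samples that are part of a sustained spike.

    A sample is 'high' when it exceeds mean + max(k*stdev, floor) of the last
    `baseline_len` samples judged normal. Two rules matter in practice:
      * flagged samples are NOT fed back into the baseline, so an attack that
        lasts a while does not raise the bar and hide itself;
      * a single high minute is ignored (min_run), which suppresses one-off
        bursts such as a backup job while still catching a worm within minutes.
    `floor` stops a perfectly flat baseline (stdev 0) from alerting on noise."""
    normal = []                 # samples accepted as baseline material
    alerts, run = [], []
    for i, x in enumerate(samples):
        if len(normal) < baseline_len:
            normal.append(x)    # still learning; nothing to compare against yet
            continue
        base = normal[-baseline_len:]
        limit = mean(base) + max(k * pstdev(base), floor)
        if x > limit:
            run.append(i)
            if len(run) >= min_run:
                alerts.extend(j for j in run if j not in alerts)
        else:
            run = []
            normal.append(x)
    return alerts

if __name__ == "__main__":
    for i in spike_alerts(SAMPLE_TRAFFIC_MB):
        print(f"minute {i}: {SAMPLE_TRAFFIC_MB[i]} MB, sustained anomaly")
```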

What all of these controls are doing is bringing us closer to a technique known as Continuous Auditing. "Continuous" refers to the near-real-time validation that internal controls are functioning correctly. Think about it. We have website monitoring that alerts us the instant the content on our website is changed. We additionally have controls in place that dictate the procedures for obtaining access to the website to make changes. If the website monitoring software detects that a page has been changed improperly, it is not only detecting an attack on the site, it is also detecting a failure in the internal controls that govern access to the site. You can think about intrusion detection, network monitoring, and Syslog in the same way. These controls not only prevent attacks, they act as sentries that continually monitor your control environment. Continuous auditing is your future. We have a tendency to think about technology from the point of view of the operational efficiencies it can provide. We can also think about using technology to give us real-time monitoring capability.
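Added example, not from the original post, combining the website-monitoring control with the continuous-auditing idea above: it fingerprints the page body and the addresses the site name resolves to, and classifies a content change as planned or unplanned using an approved change window. The page contents, addresses, change ticket and times are constructed; a real deployment would feed it the bytes of an HTTP fetch and the resolver's answers.

```python
import hashlib
from datetime import datetime

def fingerprint(body, resolved_ips):
    """Fingerprint one observation of the public site: a hash of the page body
    (in production, the bytes from an HTTP fetch) and the sorted addresses the
    site's hostname resolved to (in production, from socket.getaddrinfo)."""
    return {"sha256": hashlib.sha256(body).hexdigest(),
            "ips": tuple(sorted(resolved_ips))}

def check_site(baseline, observed, observed_at, change_windows):
    """Compare an observation against the approved baseline.

    change_windows: [(start, end, ticket)] for approved content changes.
    Returns a list of alert strings (empty = no deviation). A content change
    outside every approved window is reported as BOTH a possible defacement
    and a change-control failure, which is the continuous-auditing point."""
    alerts = []
    if observed["ips"] != baseline["ips"]:
        # Resolution for the site should never change without a planned migration
        alerts.append(f"DNS: resolves to {observed['ips']}, expected {baseline['ips']}")
    if observed["sha256"] != baseline["sha256"]:
        approved = [t for s, e, t in change_windows if s <= observed_at <= e]
        if approved:
            alerts.append(f"CONTENT: changed inside approved window {approved[0]}; "
                          "review and re-baseline")
        else:
            alerts.append("CONTENT: changed outside any approved window; "
                          "possible defacement and a change-control failure")
    return alerts

# Constructed data: the approved page, its address, and one approved change window.
PAGE = b"<html><body>Welcome to Example Community Bank</body></html>"
BASELINE = fingerprint(PAGE, ["192.0.2.80"])
CHANGE_WINDOWS = [(datetime(2014, 1, 17, 22, 0), datetime(2014, 1, 17, 23, 0), "CHG-0042")]

def demo():
    """Run the four situations the monitor must tell apart; returns their alerts."""
    unchanged = fingerprint(PAGE, ["192.0.2.80"])
    edited = fingerprint(PAGE.replace(b"Bank", b"Bank - new rates!"), ["192.0.2.80"])
    hijacked = fingerprint(PAGE, ["198.51.100.7"])   # same page, different address
    return {
        "quiet": check_site(BASELINE, unchanged, datetime(2014, 1, 17, 9, 0), CHANGE_WINDOWS),
        "planned": check_site(BASELINE, edited, datetime(2014, 1, 17, 22, 30), CHANGE_WINDOWS),
        "unplanned": check_site(BASELINE, edited, datetime(2014, 1, 18, 3, 0), CHANGE_WINDOWS),
        "dns": check_site(BASELINE, hijacked, datetime(2014, 1, 17, 9, 0), CHANGE_WINDOWS),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "no deviation")
```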

Up until this point I've focused on controls that a bank can employ to bolster its information security profile. But what should the auditors be doing? Well, the first and obvious thing for an auditor to do is to expand the scope of work to also evaluate the need for preventive controls like those I describe above. In cases where preventive controls have been deployed, the auditor can validate that they are operating effectively. In high-risk environments, like a bank, it's not enough to rely purely on detective-control audits to validate information security. Auditors should be suggesting the use of preventive controls that provide a continuous monitoring capability. Technology is not slowing down. It will continue to become more and more prevalent in all of the things we do. The control environment must evolve with the systems it is designed to protect.

Auditors should also be using Computer Assisted Auditing Techniques ("CAAT"). CAAT tools allow an auditor to audit more efficiently, more thoroughly, and more accurately than a manual audit alone. Tools range from spreadsheets used to validate financial data to network-scanning devices used to validate the topology and system configurations of devices on the network. From an information security point of view, using automated tools allows the auditor to get away from sampling. Modern network infrastructures, even at small community banks, are very complicated and evolve very quickly. Picking a few machines at random and checking things like password policies, patch status, and anti-virus may or may not be reflective of the environment as a whole. There are too many variables to consider. Things like the physical topology, overriding domain policies, the management culture, other mitigating controls, and a host of other things all contribute to the security profile of an organization. For auditors to come in, take a sample of a few machines, and then extrapolate the findings as representative of the overall environment is just not correct. However, if the auditor is using tools that allow for an assessment of all devices on the network, and even an assessment of the topology itself, then the subjectivity goes away. The auditor can render a much more informed and objective opinion.
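Added example, not from the original post, tying the centralized patch management point made earlier to the full-population CAAT point above: one policy check run over a constructed inventory of every machine, including non-OS software, and the same check run over a three-machine sample. Hostnames, versions, dates and policy thresholds are all made up.

```python
import re
from datetime import date

# Constructed inventory as a central patch/inventory system would report it for
# EVERY machine, OS and third-party software alike. All values are made up.
INVENTORY = [
    # host, last OS patch, java, pdf_reader, last AV signature update
    ("ws-01", date(2014, 1, 15), "7.51", "11.0.6", date(2014, 1, 16)),
    ("ws-02", date(2014, 1, 15), "7.51", "11.0.6", date(2014, 1, 16)),
    ("ws-03", date(2014, 1, 15), "7.45", "11.0.6", date(2014, 1, 16)),   # old Java
    ("ws-04", date(2014, 1, 15), "7.51", "11.0.6", date(2014, 1, 16)),
    ("srv-fs", date(2013, 11, 2), "7.51", "11.0.6", date(2014, 1, 16)),  # OS patches stale
    ("srv-db", date(2014, 1, 15), "7.51", "10.1.8", date(2014, 1, 2)),   # reader + AV stale
]
FIELDS = ("host", "os_patch", "java", "pdf_reader", "av_sig")
REQUIRED = {"java": "7.51", "pdf_reader": "11.0.6"}   # minimum approved versions
MAX_OS_PATCH_AGE = 30   # days
MAX_AV_SIG_AGE = 3      # days
AS_OF = date(2014, 1, 17)   # constructed audit date

def version_tuple(v):
    """'11.0.6' -> (11, 0, 6); '7u51' -> (7, 51). Compare as tuples, never as strings."""
    return tuple(int(p) for p in re.split(r"[^0-9]+", v) if p)

def audit(inventory, as_of, hosts=None):
    """Evaluate each host against policy. `hosts` restricts the check to a
    subset, which is used to show what a sampled audit would have seen.
    Returns {host: [finding, ...]} containing only non-compliant hosts."""
    findings = {}
    for row in inventory:
        rec = dict(zip(FIELDS, row))
        if hosts is not None and rec["host"] not in hosts:
            continue
        issues = []
        os_age = (as_of - rec["os_patch"]).days
        if os_age > MAX_OS_PATCH_AGE:
            issues.append(f"OS patches {os_age} days old")
        for sw, minimum in REQUIRED.items():
            if version_tuple(rec[sw]) < version_tuple(minimum):
                issues.append(f"{sw} {rec[sw]} below required {minimum}")
        av_age = (as_of - rec["av_sig"]).days
        if av_age > MAX_AV_SIG_AGE:
            issues.append(f"AV signatures {av_age} days old")
        if issues:
            findings[rec["host"]] = issues
    return findings

def compliance_rate(inventory, as_of, hosts=None):
    """Share of examined hosts with no findings."""
    examined = len(inventory) if hosts is None else len(hosts)
    return 1 - len(audit(inventory, as_of, hosts)) / examined

if __name__ == "__main__":
    sample = {"ws-01", "ws-02", "ws-04"}
    print("sample of 3 :", f"{compliance_rate(INVENTORY, AS_OF, sample):.0%} compliant")
    print("all devices :", f"{compliance_rate(INVENTORY, AS_OF):.0%} compliant")
    for host, issues in audit(INVENTORY, AS_OF).items():
        print(f"  {host}: {'; '.join(issues)}")
```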

I'm just scratching the surface here.  Hopefully I've got you thinking about additional controls you can consider implementing and the techniques your auditors should be using.  Modern IT audit programs should be looking for, evaluating, and assessing the need for these types of real-time preventive controls.  Does your current audit process look for them?  If you don't have these types of controls, has your audit function recommended them to you?


OnCourse Staff

The OnCourse writing staff work to keep you informed about the most pertinent financial industry news of the moment