February 2015 Issue
Security Auditing and Compliance Leader
From cloud computing to cashless payments, mobile remote deposit capture to FX robots, financial institutions worldwide are looking for ways to improve the customers’/members’ experience. However, when integrating new technologies, the number of threat vectors contributing to breaches, particularly for financial institutions, is larger than ever before. The recent cyber-attack on JPMorgan Chase was one of the largest intrusions of an American bank. “Though there were many layers of protection in place, hackers still found a vulnerable asset and managed to grab gigabytes of information,” notes Michael Bruck, President and CTO of BAI Security. According to the 2014 Data Breach Investigations Report by Verizon, the financial industry suffered the largest number of data loss incidents during the previous year. In fact, most institutions are not even equipped with the latest techniques to detect breach activity, which costs, on average, $3.5 million per incident. The volume, frequency, and sophistication of security threats have put nearly every institution at high risk. “Simply spending money on security equipment does not solve this problem; security is dynamic and demands highly-skilled security professionals that are frequently trained on breach prevention and security best practices in order to identify the latest threats,” says Bruck.
The professionals at BAI Security evaluate systems, processes, and personnel traits to identify vulnerabilities that have contributed to real-world breaches. Whether you are looking for an IT Security Assessment, an effective Security Awareness Training program, or sophisticated malware detection, BAI Security provides these and other specialized services for institutions that wish to go beyond compliance and are interested in truly securing their information assets. “We help institutions select audit options that not only evaluate their regulatory compliance, but more importantly, assess their security posture,” asserts Bruck.
Audit Focus: Security, Compliance, or Both?
The banking sector, as with many regulated industries, has traditionally relied on compliance standards to determine how it protects its information assets. To ensure compliance, institutions are required to perform an annual, third-party security audit/assessment and controls evaluation that benchmarks their Information Security Program against regulated standards. While these standards have helped further the use of security technologies, policies, and procedures, technological advancements have occurred faster than advances in regulatory requirements. Compliance standards are sometimes too vague, so institutions fail to protect their assets because the methods used to comply with regulation are inadequate.
“Compliant does not mean secure; even organizations that meet compliance standards often, unknowingly, have many preexisting security vulnerabilities. A fundamental requirement in keeping your environment secure is to perform an in-depth, authenticated assessment yielding actionable findings, which can be used to remediate the identified weaknesses. This will help protect the institution’s environment, reputation, and all the individuals who trust the institution to secure their assets and personal information,” Bruck advises. With many years of IT experience, BAI Security’s compliance experts utilize their Advanced Security Practices Methodology, which not only meets government regulations but also exceeds those standards to help ensure that the institution’s data is truly secure. “We provide innovative service offerings for our clients that focus on responding to the latest threats and breach activity; our audit offerings provide timely, relevant information so that our clients can bolster their security posture,” offers Bruck.
A company’s security program needs to be dynamic in order to defend the institution against newly-identified and zero-day threats targeting the production environment. Benchmarking an institution only against regulations that are several years old creates a security gap that leaves it vulnerable to today’s threats. BAI Security recently performed a study that analyzed previous findings from first-time clients’ audits. The study concluded that 73 percent of the institutions had serious security risks that went undetected during previous, third-party audits. These audits only measured the institutions’ security program against the minimum, required guidelines and did not incorporate essential security principles. “Our Security Audit Methodology employs key regulatory guidelines from FFIEC, GLBA, FDIC, OCC, NCUA, and HIPAA/HITECH, in addition to stringent security standards, such as NIST and ISO,” says Bruck.
Not All Audits are Created Equal
The majority of true, high-risk vulnerabilities are related to third-party software—most commonly Acrobat, Flash Player, Shockwave, and Java. The vulnerabilities associated with these applications and the core operating system are often leveraged in breaches and ransomware attacks. Unfortunately, these vulnerabilities are often undetectable with network vulnerability scanners that do not use authentication.
Compounding this, industry regulations are often vague and do not mandate what type of scanning must be performed to maintain compliance. Some IT security firms take advantage of this gap and put together a “proprietary” scanning methodology, which usually just involves using several pieces of freeware that are readily available online. When these vendors are asked by their clients to list the software they are using, the firms will say nothing more than “It’s proprietary.” This poses a threat to the institution and its customers, members, and clients. If vulnerabilities are not discovered and validated, they cannot be remediated. The number of vulnerabilities can escalate over time, until some devices may have as many as 400 critical threats each. Any device with this many issues can be easily compromised and used as a pivot point to attack the rest of the environment.
“We routinely compare environments’ authenticated and non-authenticated results. The findings have consistently shown that authenticated scanning finds more confirmed, high-level vulnerabilities (on average 50 times more) versus antiquated, unauthenticated scanning,” clarifies Bruck. What this means for the industry is that many institutions are operating under a false sense of security when they accept the findings of an unauthenticated vulnerability assessment as an accurate report on their environment.
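The difference the preceding paragraphs describe comes down to what each kind of scan can see: an unauthenticated scan assesses only network-exposed services and their banners, while an authenticated scan logs in and reads the installed-software inventory, which is where client-side applications such as PDF readers, browser plug-ins and Java runtimes live. The following Python model is an added illustration, not BAI Security’s tooling or methodology; every host, version number, product name and vulnerability entry in it is constructed for the example and does not correspond to a real advisory.

```python
"""Toy model of why unauthenticated network scans miss patch-level findings.

An unauthenticated scan sees only what a host exposes on the network (open
ports and service banners). An authenticated scan logs in and reads the
installed-software inventory, so it can also assess client-side applications
that never listen on a port. All hosts, versions and the "known issues"
table below are constructed for this example; they are not real assets or
real advisories.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    # Network-visible services: port -> (product, version)
    services: dict
    # Locally installed software, readable only with credentials: product -> version
    installed: dict


@dataclass
class Finding:
    host: str
    product: str
    version: str
    severity: str
    fixed_in: str


# Constructed knowledge base: product -> (first fixed version, severity).
# Any version older than fixed_in is treated as affected.
KNOWN_ISSUES = {
    "pdf-reader": ("11.0.10", "critical"),
    "browser-plugin": ("16.0.0", "critical"),
    "java-runtime": ("1.7.0_75", "high"),
    "ssh-server": ("6.7", "medium"),
    "web-server": ("2.4.12", "high"),
}


def version_tuple(v):
    """Normalise strings like "1.7.0_75" or "2.4.12" into comparable int tuples."""
    return tuple(int(p) for p in v.replace("_", ".").split("."))


def is_affected(product, version):
    if product not in KNOWN_ISSUES:
        return False
    fixed_in, _ = KNOWN_ISSUES[product]
    return version_tuple(version) < version_tuple(fixed_in)


def check(host_name, product, version):
    """Return a Finding if the product/version pair is below its fixed version."""
    if is_affected(product, version):
        fixed_in, severity = KNOWN_ISSUES[product]
        return Finding(host_name, product, version, severity, fixed_in)
    return None


def unauthenticated_scan(host):
    """Only banner-visible services can be assessed without credentials."""
    findings = []
    for _port, (product, version) in host.services.items():
        f = check(host.name, product, version)
        if f:
            findings.append(f)
    return findings


def authenticated_scan(host):
    """With credentials the scanner also reads the installed-software inventory."""
    findings = unauthenticated_scan(host)
    for product, version in host.installed.items():
        f = check(host.name, product, version)
        if f:
            findings.append(f)
    return findings


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def prioritised(findings):
    """Order findings for the remediation list: severity first, then host and product."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.product))


# Constructed sample host: a workstation that exposes only SSH to the network
# but carries several outdated client-side applications.
WORKSTATION = Host(
    name="wks-01",
    services={22: ("ssh-server", "6.6")},
    installed={
        "pdf-reader": "11.0.07",
        "browser-plugin": "15.0.0",
        "java-runtime": "1.7.0_71",
        "web-server": "2.4.12",  # already at the fixed version; must not be reported
    },
)

if __name__ == "__main__":
    unauth = unauthenticated_scan(WORKSTATION)
    auth = authenticated_scan(WORKSTATION)
    print(f"unauthenticated: {len(unauth)} finding(s)")
    print(f"authenticated:   {len(auth)} finding(s)")
    for f in prioritised(auth):
        print(f"  [{f.severity}] {f.host} {f.product} {f.version} -> upgrade to {f.fixed_in}")
```

On the constructed workstation the unauthenticated pass reports one medium finding (the SSH banner), while the authenticated pass reports four, including the two critical client-side applications that no network probe could have observed. The version comparison is deliberately simple; a production scanner must also handle vendor-specific version schemes and backported fixes, which is one reason validated, authenticated results matter more than raw counts.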
During an audit, BAI Security employs its advanced methodology, seasoned auditors, and industry-leading tools, which are essential components of an in-depth, comprehensive audit. Furthermore, the company’s deliverables address both technical and non-technical stakeholders. “Our Executive Summary contains a well-written narrative that ultimately is a roadmap to securing the environment; the deliverables highlight each audit area and clearly identify its associated risk rating,” adds Bruck.
The content includes a prioritization of items to be remediated, as well as a detailed description of the underlying problems. Additionally, the assessment provides easily-navigable results that list the identified vulnerabilities, background information, support resources, links to patches, and remediation/mitigation instructions. However, Bruck also notes that “BAI Security is more than just an auditing company; we strive to be a trusted security partner. Our clients are encouraged to contact us whenever they have security questions or needs throughout the year.”
Compromise Assessments: Has Your Organization Been Unknowingly Breached?
In addition to performing an annual, third-party audit, many security-minded institutions are incorporating a Compromise Assessment. BAI Security developed this service to identify, through behavioral analysis techniques, idle malware, rootkits, Trojans, key loggers, and other data-capturing programs. “Even with significant advancements in corporate antivirus solutions, many sophisticated, morphing, and zero-day threats can easily go undetected,” stresses Bruck.
The process can be conducted on hundreds or even thousands of devices at a fraction of what a traditional, forensic investigation would cost. This service offers forensic malware detection at a price point that institutions can justify for routine, preemptive discovery of these malicious threats that plague institutions and lead to data compromise.
Practical uses for BAI Security’s Compromise Assessment include: validating that previous virus infections have been eradicated; determining if sensitive customer, proprietary, or intellectual data is being secretly siphoned out of the network; providing peace of mind to management and electronically connected partners that the network is safe from malware; detecting the presence of hidden malware prior to connecting multiple networks after an acquisition/merger; validating that no employee, past or present, has embedded Trojans, key loggers, etc. in the network; or detecting whether a malicious and/or unauthorized entity has infiltrated the network without the institution’s knowledge.
Industry-Leading Security Awareness Training
The Security Awareness Training program offered by BAI Security is designed as an enterprise-wide communications tool that fosters a security-conscious culture within each organization. “During our engagements, we routinely find that one of the weakest components of an institution’s security program is its susceptibility to social engineering. To help our clients remediate this security gap, we offer a training program that instructs users how to identify and respond to tactics that have led to successful breaches,” cites Bruck. Their program includes a unique approach that educates all employees, including the management team. Each user has a dedicated web-based portal where they work directly on their training curriculum. The curriculum is customized to meet each client’s needs, goals, and regulatory requirements.
“To be effective, security awareness training must be routinely updated with relevant content, scenario examples, and interactive awareness education that mimics current threats,” asserts Bruck. As a leader in breach risk analysis services, BAI Security brings proven expertise from current, real-world breach events into its Security Awareness Training program.
Headquarters: Hoffman Estates, IL
Management: Michael Bruck, President and CTO
Description: Security Auditing and Compliance Leader