What the FFIEC Cybersecurity Assessment Tool tells you about vulnerabilities and penetration testing

By Robert Yowell (https://www.tracesecurity.com)

As you probably already know, the FFIEC released its Cybersecurity Assessment Tool (CAT) on June 15, 2015. The tool is intended to be a self-study by the organization, to determine whether its maturity level matches the level of inherent risk in the organization. But you can learn a lot by reading and analyzing the declarative statements in the maturity assessment portion of the CAT. In this article I’ll discuss the declarative statements at the Baseline maturity level as they relate to vulnerability detection.

BASELINE MATURITY

D3.DC.Th.B.1 – Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external facing systems and the internal network. (FFIEC Information Security Booklet, page 61)

This of course means you need an impartial third party to conduct penetration testing and vulnerability scanning on BOTH your external facing systems and your internal network.

Vulnerability management is the first line of defense against vulnerabilities. This means you should be scanning for vulnerabilities on a schedule appropriate for your organization’s maturity, generating reports, and turning the reports over to the individuals responsible for remediating the vulnerabilities found. Many organizations scan on a monthly basis as a rule of thumb, but organizations at different maturity levels scan more or less frequently. It’s important to gauge how much remediation you can realistically complete before the next scan runs.
For example, you probably shouldn’t run scans weekly if you aren’t planning to fix anything for a month. But you could run scans weekly and decide to remediate all the high risk vulnerabilities on critical assets. Whatever you decide to do, it’s important to have a planned and documented vulnerability management process. Of course, this may depend largely on available personnel.

Scanning is an automated process, and many organizations (and vendors) confuse vulnerability scanning with penetration testing; they are two entirely separate services with different goals. According to the FFIEC, “A vulnerability assessment is a process that defines, identifies, and classifies the vulnerabilities in a computer, network, or communications infrastructure… A penetration test subjects a system to real-world attacks selected and conducted by the testers. A penetration test targets systems and users to identify weaknesses in business processes and technical controls. The test mimics a threat source’s search for and exploitation of vulnerabilities to demonstrate a potential for loss.” Some organizations believe vulnerability scanning covers them for penetration testing too, which is not true. A true penetration test may begin with a scan, but the automation ends there. A penetration test is typically a manual process in which someone attempts to breach your system by simulating real-world attacks, as a hacker would.

Additionally, many institutions fail to conduct internal testing, which is dangerous, since insiders can create problems in your system whether intentionally or unintentionally. Internal tests are often overlooked, or left out of the budget to reduce cost. (See Accounting for Internal Threats to Your Network.) So not only should External Penetration Tests be done on a regular basis, but Internal Penetration Tests should be done as well.

This baseline declarative statement also mentions a Risk Assessment.
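The scheduling rule of thumb above (do not scan more often than you fix, and give priority to high-risk findings on critical assets) is easy to state and easy to lose track of once scanner output arrives. The following is an added example of a small triage routine that turns scan findings into a prioritised remediation list and checks the scan cadence against the remediation targets; it is not code from the article, from TraceSecurity, or from the FFIEC. The SLA table, asset names, check names, scores and dates are all constructed assumptions, not FFIEC requirements.

```python
"""Added example (not the article's or the FFIEC's own code): a minimal
vulnerability-management triage routine. It turns scanner findings into a
prioritised remediation list, flags what is overdue, and checks that the scan
cadence is consistent with the remediation targets actually being worked to.
Asset names, check names, scores, dates and the SLA table are all constructed
assumptions, not FFIEC requirements."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation targets in days, keyed by (asset criticality, severity).
SLA_DAYS = {
    ("critical", "high"): 7,
    ("critical", "medium"): 30,
    ("critical", "low"): 90,
    ("standard", "high"): 30,
    ("standard", "medium"): 90,
    ("standard", "low"): 180,
}


@dataclass(frozen=True)
class Finding:
    asset: str          # host name from the asset inventory
    criticality: str    # "critical" or "standard", taken from the risk assessment
    check: str          # scanner check that fired (constructed description)
    cvss: float         # base score reported by the scanner
    first_seen: date    # first scan in which the finding appeared


def severity(cvss: float) -> str:
    """Map a CVSS-style score onto the three SLA buckets."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=SLA_DAYS[(f.criticality, severity(f.cvss))])


def overdue(findings, today: date):
    return [f for f in findings if due_date(f) < today]


def prioritize(findings, today: date):
    """Overdue items first, then highest score, then critical assets ahead of
    standard ones, then earliest due date."""
    return sorted(
        findings,
        key=lambda f: (due_date(f) >= today, -f.cvss, f.criticality != "critical", due_date(f)),
    )


def scan_cadence_ok(scan_interval_days: int, sla=SLA_DAYS) -> bool:
    """The article's rule of thumb: scanning more often than you fix anything
    only produces duplicate reports. The cadence is sensible when the interval
    is at least as long as the fastest remediation target you commit to."""
    return scan_interval_days >= min(sla.values())


def remediation_report(findings, today: date):
    """Rows handed to the people responsible for remediation."""
    return [
        {
            "asset": f.asset,
            "check": f.check,
            "severity": severity(f.cvss),
            "due": due_date(f).isoformat(),
            "status": "OVERDUE" if due_date(f) < today else "open",
        }
        for f in prioritize(findings, today)
    ]


# Constructed sample scan output.
TODAY = date(2015, 7, 15)
SAMPLE_FINDINGS = [
    Finding("core-switch-01", "critical", "weak SSH ciphers offered", 5.3, date(2015, 7, 1)),
    Finding("web-01", "critical", "outdated TLS library", 9.8, date(2015, 7, 1)),
    Finding("kiosk-07", "standard", "legacy file-sharing protocol enabled", 8.1, date(2015, 6, 1)),
    Finding("printer-03", "standard", "HTTP TRACE method enabled", 3.1, date(2015, 7, 10)),
]

if __name__ == "__main__":
    for row in remediation_report(SAMPLE_FINDINGS, TODAY):
        print(row)
    print("weekly scans sensible under this policy:", scan_cadence_ok(7))
```

With the sample data, the two overdue findings come out first regardless of asset class, and `scan_cadence_ok(7)` is true only because the policy commits to a seven-day fix for high-severity findings on critical assets; under a policy whose fastest target is 30 days, weekly scanning would be flagged as pointless, which is exactly the situation the article warns about.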
Many organizations start their IT Security program with an IT Risk Assessment, which is good practice. This allows the organization to determine potential problem areas, the probability of a threat, and the resulting financial consequences should appropriate controls not be in place. It also helps the organization budget money for the most effective protection appropriate for the organization.

D3.DX.TH.B.2 – Antivirus and anti-malware tools are used to detect attacks. (FFIEC Information Security Booklet, page 55)

Antivirus and anti-malware tools are not the same as vulnerability scanning, but both are important. Vulnerability scans look for improperly configured services and settings on your network, out-of-date software, etc., and are intended to help you find places in your system where vulnerabilities could let threats compromise it. Antivirus and anti-malware tools try to prevent threats from making it onto your network. You need to have all of these in place, as they all play a role in your overall IT security program. It’s important to keep these services in place and not allow a lapse in service.

D3.DC.Th.B.2 – Firewall rules are audited or verified at least quarterly. (FFIEC Information Security Booklet, page 82)

Amazingly, this is an often overlooked but important activity in your IT Security program. Conditions change often, so your firewall rules need to be reviewed to make sure they are still valid and will protect your system from unwanted consequences. The hackers are getting smarter and smarter, and you really need to audit your firewall rules on a regular basis. As indicated here, the FFIEC CAT recommends a minimum of quarterly.

D3.DC.Th.B.4 – E-mail protection mechanisms are used to filter for common cyber threats (e.g., attached malware or malicious links).
(FFIEC Information Security Booklet, page 39)

This is perhaps one of the most effective ways of preventing your employees, and the vendors who share your system, from opening email attachments or clicking on links. It takes antivirus/anti-malware protection to the next level. The idea here is to isolate and scan any time an attachment is opened or a link is clicked inside an email. There are ways to prevent employees from doing this altogether, but the difficulty often outweighs the benefit. Again, it depends a lot on the organization and the risk appetite involved. Many organizations block the use of thumb drives on their devices as well.

If you meet all of the declarative statements discussed in this article, you have probably reached the Baseline level. That may or may not be appropriate for your organization. It’s up to your executive group to determine what level of maturity you want to achieve. And remember, it’s an ongoing process. If you haven’t yet achieved Baseline maturity, you are at risk of being out of compliance.
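The quarterly firewall-rule audit statement (D3.DC.Th.B.2) discussed above is usually missed not because the work is hard but because nobody tracks when each rule was last looked at. The following is an added example of an audit helper that reports rules outside the 90-day review window, rules with no recorded owner or business justification, and permit-everything rules that a review should challenge. It is not code from the article, from TraceSecurity, or from the FFIEC; the rule fields, the sample rule set and the 90-day window are assumptions made for the example.

```python
"""Added example (not the article's or the FFIEC's own code): a quarterly
firewall-rule audit helper run over a constructed rule export. It reports
rules whose last review is older than the quarterly window, rules with no
documented owner or justification, and allow rules that match any source,
destination and port. Field names and rules are assumed sample data."""
from datetime import date, timedelta

REVIEW_WINDOW = timedelta(days=90)   # "audited or verified at least quarterly"
AS_OF = date(2015, 7, 15)            # constructed audit date

# Constructed sample rule set; a real export would come from the firewall.
RULES = [
    {"id": 10, "src": "10.0.0.0/8", "dst": "10.1.5.20", "port": "443/tcp", "action": "allow",
     "owner": "web-team", "justification": "internal portal", "last_reviewed": date(2015, 5, 2)},
    {"id": 20, "src": "any", "dst": "any", "port": "any", "action": "allow",
     "owner": "", "justification": "temporary - vendor migration", "last_reviewed": date(2015, 1, 10)},
    {"id": 30, "src": "203.0.113.0/24", "dst": "10.1.5.30", "port": "22/tcp", "action": "allow",
     "owner": "ops", "justification": "", "last_reviewed": date(2015, 6, 30)},
    {"id": 40, "src": "any", "dst": "any", "port": "any", "action": "deny",
     "owner": "secops", "justification": "default deny", "last_reviewed": date(2015, 6, 30)},
]


def is_overdue(rule, today: date) -> bool:
    """True when the rule has not been reviewed within the quarterly window."""
    return today - rule["last_reviewed"] > REVIEW_WINDOW


def is_overly_broad(rule) -> bool:
    """An allow rule with any source, destination and port is the kind of rule
    a review should challenge; a catch-all deny is expected and is not flagged."""
    return rule["action"] == "allow" and all(rule[k] == "any" for k in ("src", "dst", "port"))


def audit(rules, today: date):
    """Return (rule id, [problems]) for every rule that needs attention."""
    findings = []
    for r in rules:
        problems = []
        if is_overdue(r, today):
            problems.append("review overdue")
        if not r["owner"]:
            problems.append("no owner")
        if not r["justification"]:
            problems.append("no justification")
        if is_overly_broad(r):
            problems.append("allow any/any/any")
        if problems:
            findings.append((r["id"], problems))
    return findings


def quarterly_compliant(rules, today: date) -> bool:
    """The declarative statement is met only when no rule is past its window."""
    return not any(is_overdue(r, today) for r in rules)


def next_review_due(rules) -> date:
    """Earliest date by which some rule falls outside the quarterly window;
    schedule the next review before this date to stay compliant."""
    return min(r["last_reviewed"] for r in rules) + REVIEW_WINDOW


if __name__ == "__main__":
    for rule_id, problems in audit(RULES, AS_OF):
        print(f"rule {rule_id}: {', '.join(problems)}")
    print("quarterly review compliant:", quarterly_compliant(RULES, AS_OF))
    print("next review due by:", next_review_due(RULES))
```

Run against the sample rules, rule 20 is reported three times over (unreviewed for half a year, no owner, and a permit-everything rule that was supposed to be temporary), which is the typical shape of what a quarterly review actually turns up; the `next_review_due` date is what you would put on the calendar to keep the control from lapsing.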

Differing views from Kyrie Irving, Austin Rivers highlight NBPA’s internal struggle

The National Basketball Players Association is not some sort of monolith. There are hundreds of players in the NBA with different backgrounds and viewpoints.

That’s an obvious statement, but it’s important to keep in mind, especially after the latest news about NBPA discussions regarding the resumption of play. To drive that point home further, top reporters couldn’t even agree on how to frame Kyrie Irving’s participation in Friday’s conference call, which included nearly 100 players. The Nets star voiced his opposition to continuing the 2019-20 season in Orlando, Fla., preferring to focus on the fight against racial injustice following the death of George Floyd.

ESPN’s Adrian Wojnarowski described Irving as a “disruptor,” someone holding a stance that “pitted him against the league’s establishment,” including former teammate LeBron James. Yahoo Sports’ Chris Haynes, meanwhile, said the call with Irving helped build a “unifying front.” He also noted Irving would be on board with the final decision regardless of whether it aligned with his position.

“If it’s worth the risk, then let’s go and do it,” Irving said, per Haynes. “But if you’re not with it, it’s OK, too. We’ve got options for both ways. Let’s just come to a middle ground as a family.”

Irving, who is out for the season following shoulder surgery, isn’t alone in his trepidation, as a significant number of players have expressed concerns about returning to the court in late July. The novel coronavirus remains a threat. Such a long layoff could increase the risk of injury. Basketball could be seen as a distraction from important social issues. Participating players would be stuck in isolation, far from friends and family.

But there are valid arguments on the other side. Rockets guard Austin Rivers said on Instagram that he appreciates Irving’s “passion toward helping this movement,” but he believes players can use the money and platform gained from resuming the season to help their causes. Ending the season would mean $1.2 billion lost in player salary and a potentially ugly negotiation over a new collective bargaining agreement.

“Us coming back would be putting money in all our pockets,” Rivers said. “With this money you could help out even more people and continue to give more importantly your time and energy towards the [Black Lives Matter] movement. Which I’m 100 [percent] on board with. Because change needs to happen and injustice has been going on too long. …

“We can do both. We can play, and we can help change the way black lives are lived. I think we have to! But canceling or boycotting a return doesn’t do that, in my opinion. Guys want to play and provide and help change!”

Irving and Rivers highlight the main challenge for NBPA executive director Michele Roberts and president Chris Paul: Address the biggest questions from players without allowing division within the group. And really, some of this consternation could have been avoided if there was better initial communication.

While the “NBA is back” messaging brought great excitement, it also wasn’t entirely accurate. Here is the NBPA’s statement from June 5:

“The Board of Player Representatives of the National Basketball Players Association (NBPA) has approved further negotiations with the NBA on a 22-team return to play scenario to restart the 2019-20 NBA season. Various details remain to be negotiated and the acceptance of the scenario would still require that all parties reach agreement on all issues relevant to resuming play.”

“Approved further negotiations” is hardly “yep, all done here!” Some players were disappointed the board didn’t give them a chance to vote on a return to play, per Haynes. Trail Blazers forward Carmelo Anthony stressed the importance of young players having a voice, according to The Athletic’s Shams Charania, but it’s hard to understand why these conversations didn’t happen earlier when so many details have yet to be finalized ahead of the targeted July 30 restart.

So right now:
-The NBA hasn’t finalized health and safety standards for Orlando
-COVID cases are rising in Florida though the state continues to reopen
-Most NBA players didn’t vote on the return
-Disney workers will not be strictly tested, can enter/exit the bubble
— Rohan Nadkarni (@RohanNadkarni) June 12, 2020

“It is reflective of what is going on in a wider sense,” one prominent agent told Forbes’ Sean Deveney. “I think what you are seeing is more players wanting their input counted, their voices heard. You can go back to the last CBA and the emphasis was on the stars getting their paydays and creating new opportunities for them. For the middle-of-the-road players, they sacrificed the mid-level exception, they gave up the tools that lower-level guys have to get a good contract.

“For a lot of players, this is just a continuation of that. Going back to play has been about the stars’ input but not everyone else’s.”

Sure, Irving is a polarizing figure because of his past comments and unceremonious exits from Cleveland and Boston. A portion of players may be quick to dismiss someone who is currently injured and financially secure. Still, he raised valid concerns — and those concerns don’t just belong to him.

“I’m not as interested in him as the messenger than I am in the message,” one Western Conference player told Wojnarowski.

Stars rule the league, and big names like James and Paul appear ready to move forward. But the middle-tier and minimum-contract guys shouldn’t be ignored.

Much like the NBA bubble itself, a “unifying front” sounds nice in theory. It’s much harder to actually establish it.