Federal Deposit Insurance Corporation - FDIC-Insured - Backed by the full faith and credit of the U.S. Government

Consumer Alerts

The following alerts are found on external websites. Please click through the links to view updated alert information.


Consumer Alerts

FDIC Consumer News and Information

FDIC Consumer Protection

Health Insurance Marketplace Fraud

IRS Tax Scams/Consumer Alerts

Federal Trade Commission Scam Alerts

Security Tips:

  • Is your account protected? Further information on Regulation E and how it applies to your account at First National Bank is available here.

  • Use a long password: at least 14 characters, with a mix of letters, numbers and special characters. Change it on a regular basis, and immediately if you suspect it has been exposed.

  • Never share your Online Banking User ID or password.

  • Never leave your User ID or password anywhere that someone else can find and use it.

  • Always log out of your internet banking session, and of any other website you have logged into.

  • Be suspicious of any e-mail with urgent requests for personal financial information. An e-mail asking you to provide or “verify” account information is almost always a scam. DO NOT respond to it and DO NOT click any links in it.

  • Never open attachments from an unknown source.

  • First National Bank will NEVER contact our customers to request their log-in credentials over the phone or via e-mail.

  • First National Bank will only contact customers about online banking activity on an unsolicited basis for the following reasons:

    • To report suspected fraudulent activity on your account

    • To notify you of a change or disruption in service

    • To confirm changes submitted to your online banking profile

  • If you notice anything suspicious on your account(s) please call us IMMEDIATELY at 620-397-5324

Security Tips

4/17/2025

When Does an “Issue” Become an “Incident?”

I’ve had this question come up now and again over the years.  The short answer I give is “it depends on the risk involved.”  That’s true on the surface, but let’s dig a little deeper.

NIST defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf).  OK, fair enough.  If your policies are well-defined, and standard security practices are being followed, there should be enough clarity to decide when some event is a security incident.  Right?

But what if you run into a situation that’s unclear?  There can be events that are not covered under your current policies or practices. Or, what if there’s no data loss or breach related to an event, but a critical system is down for an extended period?  Availability is one of the three tenets of information security (along with confidentiality and integrity).  Would that be considered a security incident?

Consider the difference between “What if customer account data fell into the wrong hands?” and “What if the office March Madness pool fell into the wrong hands?”  One is clearly a security incident, and one may just be an issue.  Although, depending on your bracket…

But the same problem for a different organization could be an incident: if a major national sports network’s March Madness bracket portal was hacked, it would definitely be a major incident for that organization.

The same thing can be said for many things in IT and information security.  Think about this example: a single workstation goes down, versus 50% of all workstations are down.  The second sounds obviously worse.  But if the single down workstation is the one that runs payroll, and it’s the day before payday, the risk is different, and it may be an incident.  The point is “it depends on the risk involved.”

Your organization’s risk assessments and business impact analysis should help your security teams decide whether an issue should be elevated to an incident relevant to your organization.  Arguably, that’s one of the big reasons for doing all of that risk assessment work.  Every organization has a unique risk profile, risk appetite, and incident response capabilities.  Think about your incident response plans, and how well they reflect the results of your risk assessments.

These are ongoing processes.  Threats change, systems change, people change – risks change.  If you need help polishing up your existing risk assessment processes, or you need to think about a revamp, reach out and ask us!

Author: David Bentley, CISSP, Security+


4/3/2025

Beneficial Ownership Update: But Wait, There’s More

You’ve been giving your business customers a heads-up for literally years.  After all, it was 2021 when the Corporate Transparency Act (CTA) was passed, and it said that beginning January 1, 2024, businesses would be required to report to FinCEN the people who own 25% or more of the business or who substantially control it.  The goal was to create a central repository for such information to aid in identifying and combatting illicit financial activities.  But hold on a second: as with so many other regulations, implementation is not so simple.

During the years leading up to January 1, 2024, attorneys and tax professionals would alert business customers to the rules, some requiring the initial filing to be completed prior to providing additional services.  Financial institutions did their part to absorb the almost constant updates, guidance, and Q&As to better assist business customers.  Even if the idea made sense, businesses were not happy with the burdensome reporting/filing process, and boy, could financial institutions relate.

On March 21, 2025, FinCEN adopted an interim final rule narrowing the beneficial ownership information (BOI) reporting requirements under the CTA to be applicable only to entities defined as foreign reporting companies, effective March 26, 2025.  Requirements for U.S. companies and persons to report BOI have been removed.  Foreign reporting companies are exempt from reporting the BOI of U.S. persons who are beneficial owners of their companies and U.S persons are exempt from providing such information to any foreign reporting company for which they are a beneficial owner.

Although a win for American small businesses against burdensome regulations, domestic business entities may be confused when their financial institution continues to request information on beneficial ownership.  That is because the customer due diligence regulations that took effect in 2018 (31 CFR 1010.230, in Chapter X) haven’t changed, and reporting of beneficial ownership information to financial institutions remains intact.  To be ready for questions from your commercial banking customers, please see the links below to the interim final rule and the recently published Questions and Answers.

https://www.federalregister.gov/documents/2025/03/26/2025-05199/beneficial-ownership-information-reporting-requirement-revision-and-deadline-extension

https://www.fincen.gov/boi/ifr-qa

Author: Dawn Merrick, CRCM


1/31/2025

It’s 9:00 PM. Do you know what your DNS is doing?
On Wednesday, January 22, Brian Krebs of Krebs on Security published an article about MasterCard and a public DNS (Domain Name System) misconfiguration that went unnoticed for five years and could have allowed a breach of MasterCard systems.  That article can be found here:  https://krebsonsecurity.com/2025/01/mastercard-dns-error-went-unnoticed-for-years/.

DNS is a critical component of routing Internet requests to the correct web servers and services. Basically, DNS converts human-friendly domain names (e.g., google.com) into IP addresses (e.g., 142.250.191.174) so those requests can be routed.  After noticing the misconfiguration, the researcher was able to register the mistyped domain and stand up a DNS server that received requests intended for MasterCard’s name servers.  A threat actor could take that one step further and answer those requests, steering unknowing users to systems under the attacker’s control.

In short, the independent security researcher was able to demonstrate the potential for exploitation for $300.00.  The researcher registered the domain name akam.ne, which was possible because “.ne” is the country-code top-level domain for Niger, so a name ending in “.ne” instead of “.net” is handled by an entirely different registry.  Once the domain was registered, hundreds of thousands of DNS requests meant for MasterCard started rolling in.
The threat noted above could lead to unwanted access and loss of not only corporate but also customer data, should a threat actor put a campaign in place to misdirect customers to a rogue website where logins or personal information could be phished.  In certain circumstances it could also lead to the capture of administrator or employee credentials.

Here are some practical things to consider:

  • Regular reviews of public DNS configurations, including all records (not just registered domains) and the IP addresses they point to.
  • Removal or correction of incorrect records and of stale records left over from previous solutions: old website references, A records, MX records, CNAMEs, TXT records, and references to retired services (e.g., former online banking portals, secure file transfer, admin consoles, etc.).
  • Adequate audit and change management policy and process, so that changes to security configurations are authorized by management, made correctly, and reviewed on a regular basis.
  • Vendor management policy and procedures for MSPs, including the contractual ability to review administrative settings, or to have administrative access to the configuration consoles, including public DNS registrar admin consoles.
  • Ongoing and frequent reporting and meetings with MSPs and vendors on topics like public DNS health.
  • Ongoing monitoring, log collection, and real-time alerting on public DNS configuration and the assets tied to those DNS records (among other things).
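The kind of review the first bullet calls for can be partly automated.  Below is an added example (not from the original post, the Krebs article or MasterCard) that reads a zone in BIND presentation format and flags any NS, MX or CNAME target that points at a decommissioned host, at a domain that is a near-miss of an approved provider (the akam.ne-for-akam.net pattern), or at a provider that is not on the approved list at all.  The zone snippet, the approved-provider set and the decommissioned-host list are constructed for illustration.

```python
"""Offline review of a public zone's delegation and alias targets.

Added example for this post (not from the Krebs article, MasterCard, or 10-D);
the zone snippet, provider allowlist and decommissioned-host list are all
constructed for illustration.  The NS record under "akam.ne" mirrors the kind
of one-character typo the article describes.
"""
import difflib
import re

# Provider domains the organization actually uses (assumed for the example).
APPROVED_TARGET_DOMAINS = {"akam.net", "edgekey.net", "outlook.com"}

# Hostnames from retired vendors that should no longer appear in DNS (assumed).
DECOMMISSIONED_HOSTS = {"olb.legacy-vendor.com", "sftp.old-provider.net"}

# Constructed zone data in BIND-style presentation format.
SAMPLE_ZONE = """\
example-bank.com.               3600 IN NS    a22-65.akam.net.
example-bank.com.               3600 IN NS    a1-12.akam.ne.
example-bank.com.               3600 IN MX 10 example-bank-com.mail.protection.outlook.com.
www.example-bank.com.            300 IN CNAME example-bank.com.edgekey.net.
onlinebanking.example-bank.com.  300 IN CNAME olb.legacy-vendor.com.
"""

# owner  ttl  IN  type  [priority]  target   (only the outward-pointing types)
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>NS|MX|CNAME)\s+"
    r"(?:\d+\s+)?(?P<target>\S+)\s*$"
)


def registrable_domain(fqdn: str) -> str:
    """Last two labels of a name.  Good enough for .com/.net-style TLDs;
    production code should consult the Public Suffix List instead."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def review_zone(zone_text: str,
                approved=APPROVED_TARGET_DOMAINS,
                decommissioned=DECOMMISSIONED_HOSTS) -> list[dict]:
    """Return one finding per NS/MX/CNAME whose target is stale, mistyped,
    or simply not on the approved-provider list."""
    findings = []
    for line in zone_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner = m["owner"].rstrip(".").lower()
        target = m["target"].rstrip(".").lower()
        rtype = m["type"]
        if target in decommissioned:
            findings.append(dict(owner=owner, type=rtype, target=target,
                                 reason="points at a decommissioned host"))
            continue
        dom = registrable_domain(target)
        if dom == registrable_domain(owner) or dom in approved:
            continue  # in-zone, or a provider we know about
        # A near-miss of an approved domain is the typo case the post describes.
        near = difflib.get_close_matches(dom, approved, n=1, cutoff=0.8)
        reason = (f"likely typo of approved domain {near[0]!r}" if near
                  else "target domain is not an approved provider")
        findings.append(dict(owner=owner, type=rtype, target=target, reason=reason))
    return findings


if __name__ == "__main__":
    for f in review_zone(SAMPLE_ZONE):
        print(f"{f['type']:5} {f['owner']:32} -> {f['target']}: {f['reason']}")
```

Run against a real zone export the same checks apply.  What the offline check cannot tell you is whether a near-miss domain is already registered to someone else, so a finding of the typo kind should be followed by a WHOIS or registry lookup on the registrable domain, and the real fix is correcting the record at the registrar and the provider, not just noting it.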

As you can probably imagine from reading Brian Krebs’s article, failing to review security configurations on a regular basis, or to catch issues in flight through adequate security monitoring, can have disastrous and expensive consequences.   Even something as simple and seemingly innocuous as a set-it-and-forget-it DNS configuration could lead to immeasurable reputational damage and real costs for institutions and customers.
Don’t wait for the benevolence of a stranger or the demands of a threat actor to shore up security.  And don’t be like MasterCard.  Humble yourself; everybody makes mistakes.  The art is stopping the mistakes before they happen and having the integrity to own up to them when they do.

Author: Mike Smith


1/17/2025

Cannabis Landscape Update

A webinar hosted by the Association of Certified Anti-Money Laundering Specialists (ACAMS) last fall shows that interest in cannabis banking is still quite high (pun intended).  With another change in political administration coming up shortly, we thought it might be good timing for you to hear some of the interesting facts shared by ACAMS regarding the cannabis industry as we move into 2025.

State cannabis licensing has seen a 2% decrease quarter over quarter for the last six quarters.  The peak was Q4 2022, when there were 44,323 active licenses in the U.S.   The decrease is due to several factors, one being program maturity and consolidation: many who rushed in thinking they were going to get rich didn’t, and in many cases only the strong have survived.  It’s estimated that only 25% of direct retail marijuana businesses are actually profitable.

FinCEN indicates that approximately 800 financial institutions are banking direct marijuana businesses.  According to CRB Monitor, increased competition has played a role in banks lowering cannabis banking fees and smaller banks with fewer cannabis customers are exiting cannabis banking as the costs outweigh the benefits.

Although banks can loan to licensed direct marijuana businesses, if it’s true that only 25% are actually profitable and knowing that deposits can be volatile, those may not be the best loan candidates, and depending on the collateral, the bank may not want to end up holding that bag, no pun intended.

Although licensing trends for marijuana businesses are declining, the hemp boom is growing as hemp businesses can benefit from the following, which are not currently allowed for marijuana related businesses:

  • Payment processing through credit cards
  • Bankruptcy protection
  • Oversight by only one regulator (USDA only oversees cultivation)

The 2018 Farm Bill legalized hemp with a broad definition that included derivatives.  It’s coming to light that many of these derivative products can be made to have the same effect as marijuana.  As a result, several states are trying to figure out creative ways to protect consumers and use their authority to regulate synthetic forms of THC and illicit production of hemp; however, these states are often met with litigation by the cannabis industry citing they do not have authority to limit hemp products under the 2018 Farm Bill.

Just because the Farm Bill offers some protection, it doesn’t mean illicit activity doesn’t occur in the hemp industry.  With no seed-to-sale tracking and no state oversight for hemp, it has drawn a lot of attention and involvement from international drug cartels.  The ACAMS speaker provided details that we haven’t heard as much about, such as:

  • It was discovered that Southern Oregon had acres of hoop houses that seemed to appear overnight, under the guise of hemp, that included human trafficking and illegal weapons.  The state did not have authority to stop the activity and had to involve Federal law enforcement agencies.  Once the operation knew it was discovered, it was gone as quickly as it appeared.   Several other states are reporting international drug cartel operations as well.
  • California has a Unified Cannabis Enforcement Task Force that has enforcement over the universal symbol for legal California grown marijuana.  Recently, they confiscated several pallets of packaging intended for illicit use because they were using the symbol illegally.

In May 2024, the DOJ proposed transferring marijuana from Schedule I of the Controlled Substances Act to Schedule III.  Even if this is accomplished, rescheduling will not make marijuana legal under federal law, and state-run programs will still be illegal federally.  In fact, Schedule III drugs are those available only by prescription.  The DEA held a preliminary hearing in early December 2024, and full hearings will begin in mid-January and last through early March 2025 on the rescheduling.

If rescheduling were to happen, this could financially benefit marijuana-related businesses, as current tax law (Internal Revenue Code section 280E) does not allow businesses selling Schedule I or Schedule II drugs to deduct ordinary operating expenses, which makes effective tax rates astronomical.  Rescheduling would effectively make marijuana businesses more profitable.

While there are happenings in DC and a soon to be change in the US political landscape, it remains to be seen what, if anything will change in 2025.  So once again, the more things change, the more they stay the same.

Author: Melanie Fletcher, CRCM, CAMS, CCBIA, CCBP, AAP

12/20/2024

10D, Inc. WSCT Wrapped 2024

As we wrap up 2024, it’s a great time to look back at some of the most popular Weekly Security & Compliance Tips (WSCT) published by 10-D this year.  Here are some of the standout topics that captured the attention of many:

Zero-days Are Becoming More Zero

David McCabe made another strong contribution with this January 11th tip that shed light on the increasing frequency of zero-day vulnerabilities.  These are flaws that are exploited before a patch is available, making them particularly dangerous.  David stressed the importance of proactive vulnerability management and timely patching.  https://10dsecurity.com/wst/zero-days-are-becoming-more-zero.html

Ransomware Self-Assessment Tool Version 2

Released on January 26th, this tip from Mike Smith introduced the updated Ransomware Self-Assessment Tool by the Conference of State Bank Supervisors (CSBS).  The tool helps organizations evaluate their preparedness against ransomware attacks and implement necessary safeguards.  https://10dsecurity.com/wst/ransomware-self-assessment-tool-version-2.html


Event Logging: The Foundation of Security and Compliance

Event logging was the focus on July 25th.  This tip, submitted by David McCabe, underscored the importance of comprehensive event logging for security and compliance purposes.  Proper logging can help detect anomalies, investigate incidents, and improve customer satisfaction.  https://10dsecurity.com/wst/event-logging-essential.html

You have a new (malicious) secure email!

On August 8th, Jeremy Johnson highlighted a threat that continues to resurface from time to time.  Customers were reporting that malicious “Secure Email” messages were showing up in their inboxes on a higher-than-normal frequency.  Noting that these emails often originate from trusted contacts, making them particularly effective, Jeremy went on to provide tips for spotting these attacks.  https://10dsecurity.com/wst/you-have-malicious-secure-email.html

Rise of Cybercrimes and Anti-Fraud Efforts

On August 16th, Joann Lang discussed the increasing prevalence of cybercrimes and the importance of anti-fraud measures.  This tip emphasized the need for robust fraud detection systems and continuous monitoring to protect against financial crimes.  https://10dsecurity.com/wst/rise-of-cybercrime.html

Please Verify You Are Human: AI-Assisted Phishing

Artificial intelligence can be viewed as a double-edged sword in cybersecurity.  While it offers advanced tools for defense, it also equips attackers with sophisticated methods.  The August 23rd tip written by Reed Buettner highlighted how AI is being used to craft highly convincing phishing emails, making it crucial for organizations to enhance their phishing detection and response strategies.  https://10dsecurity.com/wst/ai-assisted-phishing.html

We think our Weekly Security & Compliance Tips are authored by the best security and compliance professionals in the industry.  We are grateful for all our customers and enjoy sharing insightful and practical advice with thousands of recipients to help organizations stay ahead of the ever-evolving cybersecurity and compliance landscape.  If you had a favorite WSCT topic this year, let us know!

Authored by: David Edwards

11/14/2024

The Unstoppable Force (Ransomware) Meets the Immovable Object (Immutable Storage)

In today’s cyber threat landscape, the clash between ransomware and immutable storage recalls the age-old paradox of the unstoppable force meeting the immovable object. The metaphor captures the tension between the threat of ransomware attacks and the need to maintain data integrity.

The Unstoppable Force:

Ransomware attacks have surged in recent years, targeting organizations across various sectors, particularly banking and financial services, causing significant disruptions and financial losses. In a ransomware attack, bad actors deploy malicious software to encrypt a victim’s files, rendering them inaccessible until a ransom is paid.

If your organization is the victim of a ransomware attack, it means that several key defense strategies failed. There will be time for a forensic investigation to identify the root cause, but in this moment, the focus is on isolating systems to prevent further damage and recovering as quickly as possible. Your best hope for a smooth recovery is having good backups of your data to recover from.

How Ransomware Operates:

Attackers often use deceptive emails or messages to trick employees into downloading ransomware. Bad actors exploit unpatched software or weak security protocols to gain access to networks. Many ransomware attacks involve stealing sensitive data before encryption, adding pressure on victims to pay the ransom.

Good things come in threes:

As a last line of defense, good backups should get the attention and resources they deserve. Think in terms of 3-2-1: maintain three copies of your data, on two different types of storage, with at least one copy off site; and make at least one of those copies immutable, so that an attacker who gets into your network cannot encrypt or delete it.

Merriam-Webster defines immutable as something that is incapable of change.

The Immovable Object:

To counter ransomware threats we have immutable storage, which serves as the immovable object. Immutable storage solutions protect data from alteration or deletion, ensuring its integrity over time. This is crucial in industries where data security and compliance are paramount, such as finance and healthcare. In the fight against ransomware, having a good copy of your data can be the difference between successfully rebuilding systems and negotiating Bitcoin payments to the bad guys.

Key Characteristics of Immutable Storage:

Once data is written, it cannot be changed, providing a reliable record for audits and compliance. Immutable storage protects against ransomware and other cyber threats by preventing unauthorized changes to data. Plus, immutable storage ensures that critical data remains accessible and unchanged for future reference.
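To make “incapable of change” concrete, here is an added example (not from the original post or any vendor) of a toy write-once store with compliance-mode retention: an object can be written once, cannot be overwritten, and cannot be deleted by anyone, administrator included, until its retention time passes; on restore the bytes are checked against the digest recorded at write time. The key names, retention period and the ransomware simulation are assumptions for illustration.

```python
"""Toy write-once store with compliance-mode retention, to make the
immutability guarantee concrete.  Added example for this post; it is not
the behaviour of any particular product.  In production the guarantee
comes from the storage layer (object-lock / WORM features), which the
backup software's own credentials must not be able to switch off."""
import hashlib
import time
from dataclasses import dataclass


class ImmutabilityViolation(PermissionError):
    """Raised when a caller tries to alter or remove a retained object."""


class IntegrityError(ValueError):
    """Raised when stored bytes no longer match the digest recorded at write time."""


@dataclass(frozen=True)
class LockedObject:
    data: bytes
    sha256: str
    retain_until: float  # epoch seconds; nobody can lower this once set


class WormStore:
    def __init__(self, retention_seconds: float, clock=time.time):
        self._objects: dict[str, LockedObject] = {}
        self._retention = retention_seconds
        self._clock = clock  # injectable so a test can move time forward

    def put(self, key: str, data: bytes) -> str:
        """Write once.  A second write to the same key is refused, which is
        what stops 'encrypt in place' from ever touching the backup."""
        if key in self._objects:
            raise ImmutabilityViolation(f"{key!r} already exists and cannot be overwritten")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[key] = LockedObject(data, digest, self._clock() + self._retention)
        return digest

    def delete(self, key: str, *, is_admin: bool = False) -> None:
        """Compliance mode: the retention window binds every principal,
        including administrators, so a stolen admin token gains nothing."""
        obj = self._objects[key]
        if self._clock() < obj.retain_until:
            who = "admin" if is_admin else "user"
            raise ImmutabilityViolation(f"{key!r} is retained; {who} deletion refused")
        del self._objects[key]

    def get_verified(self, key: str) -> bytes:
        """Restore path: hand back bytes only if they still match the digest."""
        obj = self._objects[key]
        if hashlib.sha256(obj.data).hexdigest() != obj.sha256:
            raise IntegrityError(f"{key!r} failed digest check")
        return obj.data


def simulate_ransomware(store: WormStore, keys) -> int:
    """Do what ransomware does to reachable backups (overwrite, then delete)
    and count how many of those attempts the store refused."""
    refused = 0
    for key in keys:
        for attempt in (lambda k=key: store.put(k, b"\x00ENCRYPTED\x00"),
                        lambda k=key: store.delete(k, is_admin=True)):
            try:
                attempt()
            except ImmutabilityViolation:
                refused += 1
    return refused


if __name__ == "__main__":
    store = WormStore(retention_seconds=30 * 86400)  # assumed 30-day retention
    key = "backups/core-db/2024-11-14.bak"            # assumed key name
    store.put(key, b"full backup bytes")
    print("attempts refused:", simulate_ransomware(store, [key]))
    print("restore ok:", store.get_verified(key) == b"full backup bytes")
```

In practice this guarantee should come from the storage platform’s own object-lock or WORM feature, not from application code, and the credentials the backup software uses must not be able to shorten retention or unlock the bucket: if the backup service account can delete backups, so can ransomware running with its token.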

Things to consider:

Every organization should have a written incident response plan that identifies key roles and responsibilities as well as a playbook to follow in the event of a security incident.

Tabletop testing should be conducted at least annually and include key personnel identified in your Incident Response Plan, including third parties if necessary. The purpose of this exercise is to not simply practice but also identify gaps in your plan that would impact your efforts in a real-world situation.

Lastly, a backup recovery test ensures you are actually able to restore and meet your Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO); a backup that has never been restored is an assumption, not a control.

Conclusion

As ransomware attacks continue to evolve, the stakes are higher than ever. Organizations that pair immutable backups with a written, tested incident response plan can navigate this landscape, protecting their data while maintaining the integrity and availability of their systems.

If you have any questions about best practices for keeping your organization secure, the team at 10‑D Security is here to help.

Authored by: David Edwards


9/20/2024

When Warnings Disappear

WARNING: External Email detected.  Do not click links or open attachments unless you know it is safe!

You have likely seen warning banners like the above on incoming emails to you.  It’s always important to note when an email is coming from someone outside your organization, though it’s almost impossible to really know who is behind the keyboard and communicating with you.  Companies use warnings like the one above to help remind everyone that a message is from someone outside the organization, and that it’s important to be cautious before responding or clicking any links.

What if you were told that attackers have ways of hiding that warning banner from you so that you never see it?  Would you look at an email with the same level of care and suspicion without a banner reminding you to be safe?  Well, you should know that determined attackers can add a little basic CSS to the HTML of the message, targeting the markup the gateway inserts, and make that banner completely disappear when the message is rendered!  With minimal effort, an attacker can make an email look like it came from the IT guy sitting down the hall and increase their chances of fooling the victim.

Because of these types of attacks, it is more important than ever to be vigilant and double check emails, even if it looks like it is from a coworker:

  • Look at the actual email address, not just the name displayed.
  • Always look at links to make sure you see where it is going before clicking.  Know that sometimes the link may be hard to decipher, so ask for a second opinion.  Contact your IT person, they’d rather you be cautious!
  • Does this sound like a normal request?  Is there something off about this email?  If in doubt, contact the person the email claims to be from (don’t reply, start a new email!) and confirm they actually sent it to you!
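For the defender’s side of this trick, the following is an added example (not from the original post) of what a mail gateway could do: parse the <style> blocks of an inbound HTML message, find rules that name the banner’s id or class and set a hiding property (display:none, visibility:hidden, zero opacity, height or font size), and strip only those rules.  The banner markup, the selector names and the sample message are constructed for the example.

```python
"""Spot and strip CSS that hides a gateway-inserted external-sender banner.
Added example for this post; the banner markup, selector names and the
sample message are constructed and do not describe any particular gateway
or mail client."""
import re

# Id and class the gateway puts on its banner (assumed markup).
BANNER_SELECTORS = ("#ext-banner", ".ext-warning")

# Property/value pairs that make an element invisible without removing it.
HIDING_DECLARATIONS = {
    "display": {"none"},
    "visibility": {"hidden", "collapse"},
    "opacity": {"0", "0.0"},
    "font-size": {"0", "0px", "0pt", "0em"},
    "height": {"0", "0px"},
    "max-height": {"0", "0px"},
}

STYLE_BLOCK_RE = re.compile(r"(<style\b[^>]*>)(.*?)(</style>)", re.I | re.S)
CSS_RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")

# Constructed attacker message, shown after the gateway has added its banner.
SAMPLE_EMAIL = """\
<html><head>
<style>
  .ext-warning, #ext-banner { display: none !important; }
  p { font-family: Calibri, sans-serif; }
</style>
</head><body>
<div id="ext-banner" class="ext-warning">WARNING: External Email detected.
Do not click links or open attachments unless you know it is safe!</div>
<p>Hi, it's IT. Please confirm your password at the link below.</p>
</body></html>
"""


def hides_element(declarations: str) -> bool:
    """True if any declaration in a rule body is one of the hiding pairs."""
    for decl in declarations.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        value = value.replace("!important", "").strip().lower()
        if value in HIDING_DECLARATIONS.get(prop.strip().lower(), ()):
            return True
    return False


def targets_banner(selector: str) -> bool:
    """True if the selector names the banner's id or class."""
    return any(token in selector for token in BANNER_SELECTORS)


def find_banner_hiding_rules(html: str) -> list[tuple[str, str]]:
    """Return (selector, declarations) for every rule that both names the
    banner and hides whatever it matches."""
    hits = []
    for style in STYLE_BLOCK_RE.finditer(html):
        for selector, body in CSS_RULE_RE.findall(style.group(2)):
            if targets_banner(selector) and hides_element(body):
                hits.append((selector.strip(), body.strip()))
    return hits


def neutralize(html: str) -> tuple[str, list[str]]:
    """Drop only the offending rules, leaving the sender's other styling
    alone.  Returns the cleaned HTML and the selectors that were removed."""
    removed: list[str] = []

    def clean_rule(rule: re.Match) -> str:
        selector, body = rule.group(1), rule.group(2)
        if targets_banner(selector) and hides_element(body):
            removed.append(selector.strip())
            return ""
        return rule.group(0)

    def clean_style(style: re.Match) -> str:
        return style.group(1) + CSS_RULE_RE.sub(clean_rule, style.group(2)) + style.group(3)

    return STYLE_BLOCK_RE.sub(clean_style, html), removed


if __name__ == "__main__":
    for selector, body in find_banner_hiding_rules(SAMPLE_EMAIL):
        print(f"hiding rule: {selector} {{ {body} }}")
    cleaned, removed = neutralize(SAMPLE_EMAIL)
    print("removed:", removed)
```

The check is deliberately narrow.  Attackers can also reach the banner with structural selectors that never mention its name (for example a rule on the first element in the body), so the more robust complement is to give the banner a per-message random id and class, and to carry the warning in the Subject line as well, where the body’s CSS cannot touch it.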

Author: Mark Fromme, OSCP, PNPT, eCPPTv2


8/23/2024

Please Verify You Are Human: AI-Assisted Phishing

It’s no secret that artificial intelligence (AI) has been the talk of the town for the last couple of years. With tech giants like Google and Microsoft investing heavily in their applications, it seems this new technology is here to stay. From students outsourcing their assignments to ChatGPT, to businesses generating marketing material featuring employees with a few too many fingers, AI can be a powerful tool to increase the user’s productivity. However, as with any new technology, there will always be those who will use it for more harm than good. Just as the mass adoption of email and daily Internet browsing opened the floodgates for new and improved fraud attempts, malicious actors have adopted this technology to enhance their operations with several concerning methods.

Phishing emails, once easily identified by their awkward language and generic messages, can now be crafted by AI to closely imitate legitimate communication styles, making them far more convincing and difficult to detect. Voice cloning technology, powered by AI, allows attackers to replicate the voice of an individual with alarming accuracy, facilitating voice phishing (vishing) schemes that prey on individuals’ trust. Additionally, “deepfake” technology enables the creation of highly realistic video or audio content, which can be used to deceive targets by presenting convincing but false evidence. Together, these AI-driven techniques represent a significant escalation in the complexity and effectiveness of phishing attacks, posing a threat to both individuals and organizations.

Fortunately, no matter how advanced these fraud attempts may get, the principles of security awareness will not fail you:

  • Verify the sender: Is the email sender who they say they are? Look carefully at the sender’s full email address for red flags. If your coworker John Doe’s email is john.doe@company.com, be wary of jdoe@company.com or john.doe@compani.com.
  • Think before you click: Even if a link or attachment is coming from a trusted source, always check the details before clicking. Is the SharePoint link your coworker sent you actually taking you to SharePoint? Is that Word file attached to the emails actually a Word document?
  • Be skeptical: Ask yourself questions when you find the situation is even slightly abnormal. Would your manager urgently call or email you when you normally communicate via Teams or Slack? With the introduction of voice cloning technology, it’s important to think rationally, even if you hear the voice of an angry boss or a distraught relative. If there is any doubt of the caller or sender’s identity, it is recommended to end communication and directly call or email the supposed sender to get confirmation.

Keeping up with new technology is a never-ending race. Luckily, staying ahead of this emerging threat is as simple as reinforcing the basics. If you’d like to read more on voice cloning fraud, McAfee Labs conducted a study on the subject: https://www.mcafee.com/blogs/privacy-identity-protection/artificial-imposters-cybercriminals-turn-to-ai-voice-cloning-for-a-new-breed-of-scam/

Author: Reed Buettner, Security+


8/8/2024

You have a new (malicious) secure email!

When attackers find something that works, unfortunately, they will happily keep using it to target your users.  Malicious “Secure Email” messages are still a threat, and it is important to continue to remind all email users what to watch out for.

The most dangerous thing about this type of email is that it often comes from a trusted contact who is not aware that their email account has been compromised.  So, the person receiving the email may know and commonly send/receive encrypted messages with the sender, which makes it that much more convincing.  Additionally, messages can arrive via real secure file sharing services, or using Microsoft’s email encryption, which can confuse spam filters.

Some quick pointers on spotting these types of email attacks:

  • Secure email messages should be treated like attachments.  If you weren’t expecting that message, at that time, reach out to the sender to verify.
  • Just because a message is “secure” doesn’t mean the contents are safe.  If an encrypted message contains a strange or suspicious looking document or link, stop, and reach out to your Security or IT Team when in doubt.
  • Sometimes the message may have clues, such as it will say it is from “Dropbox” but may have a “SharePoint” link, or some other mismatch.  A legitimate message will not look like this.
  • Because one goal of this type of email attack is to compromise real accounts, you may get a secure email from someone you know and trust.  It may even have a familiar subject line or attachment name.  These can be the hardest to spot.  The giveaway is often timing: if you weren’t expecting it right now, or something else seems “off”, it is always best to directly email (don’t hit reply!) or call the sender, just to make sure.
  • Another variation is that the content or subject looks familiar, but it is coming from someone at the sender’s company that you don’t normally correspond with.  Again, in this case, reach out to someone you know at the sending company to verify.
  • Trust your gut!  Human brains can be very good at spotting irregularities or changes in patterns that we can’t always put our finger on…but something seems wrong.  Don’t ignore this feeling! Reach out to your IT team when in doubt.  Any IT or security professional would rather take a few minutes to answer a question than work countless hours trying to respond to a security breach!

Bottom line: Don’t wait for your annual security awareness training presentation to cover this threat.  Like any good security training, we should continuously send out information, reminders, and tips on how all employees can help keep their organization secure.

Author: Jeremy Johnson, CISSP, OSCP
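The sender, Reply-To and link checks described in this post and in the AI-assisted phishing post above can be scripted for the cases that are mechanical.  The following is an added example (not code from 10-D): it parses a raw message with Python’s email module, flags a From address that is a near-match for a known contact or a display name that borrows a known contact’s name, flags a Reply-To that goes to a different domain than the sender, and flags a link whose text names a service (Dropbox, SharePoint, DocuSign) but whose host belongs to someone else.  The contact list, the brand-to-domain map and the raw message are constructed for the example.

```python
"""Mechanical phishing cues: lookalike sender, foreign Reply-To, and link text
that names one service while the link goes to another.  Added example for
the two posts above, not code from 10-D; contacts, brand map and the raw
message are constructed."""
import difflib
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Addresses we have actually corresponded with, with their display names (assumed).
KNOWN_CONTACTS = {"john.doe@company.com": "John Doe", "jane.roe@company.com": "Jane Roe"}

# Where a link whose text names a brand should actually point (assumed).
BRAND_DOMAINS = {
    "dropbox": ("dropbox.com",),
    "sharepoint": ("sharepoint.com",),
    "docusign": ("docusign.com", "docusign.net"),
}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed message: lookalike domain, foreign Reply-To, "Dropbox" wording on
# a link that goes somewhere else.
RAW_EMAIL = """\
From: "John Doe" <john.doe@compani.com>
Reply-To: jdoe@mail-relay-example.net
To: you@company.com
Subject: John Doe sent you a secure document
Content-Type: text/html; charset="utf-8"

<html><body>
<p>John Doe has shared a document with you via Dropbox.</p>
<p><a href="https://files-example.sharepoint.com/s/x1">Open Dropbox Secure Message</a></p>
</body></html>
"""


def lookalike(address: str, known, cutoff: float = 0.85):
    """Closest known contact if the address is near-identical but not equal."""
    best, score = None, 0.0
    for contact in known:
        r = difflib.SequenceMatcher(None, address, contact).ratio()
        if r > score:
            best, score = contact, r
    return best if score >= cutoff and best != address else None


def host_matches(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw: str, known=KNOWN_CONTACTS) -> list[str]:
    """Return a human-readable finding for each cue that fires."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    if sender not in known:
        near = lookalike(sender, known)
        if near:
            findings.append(f"sender {sender} is a lookalike of known contact {near}")
        elif display_name in known.values():
            findings.append(f"display name {display_name!r} matches a known contact "
                            f"but address {sender} does not")

    if msg.get("Reply-To"):
        _, reply_to = parseaddr(str(msg["Reply-To"]))
        if reply_to.split("@")[-1].lower() != sender.split("@")[-1]:
            findings.append(f"Reply-To {reply_to} goes to a different domain than the sender")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    for href, text in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        words = set(re.findall(r"[a-z]+", text.lower()))
        for brand, domains in BRAND_DOMAINS.items():
            if brand in words and not host_matches(host, domains):
                findings.append(f"link text mentions {brand} but points at {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_EMAIL):
        print("-", finding)
```

Note what this cannot catch: the post’s hardest case, a genuine message from the compromised account of a real contact, passes every one of these checks.  That is exactly why the out-of-band call or fresh email to the sender remains the control of last resort.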


5/24/2024

What is Zero Trust?

There is a lot of buzz about the term “Zero Trust.”  Zero trust is not a single tool, technology, or solution.  It is an overarching concept or architecture achieved through implementing a combination of policies and tools.

Zero trust is a security framework intended to make data more secure by making access controls more extensive and granular.  The key principles, commonly distilled from NIST SP 800-207 (Zero Trust Architecture), are:

  1. Continuous Verification: Regularly verify user and device identities at every access attempt.
  2. Limit the “Blast Radius”: Contain potential breaches by segmenting the network and restricting access.
  3. Automate Context Collection and Response: Use automated tools to gather contextual data and respond to threats in real-time.

At its core, zero trust removes all inherent trust in users, devices, and networks, adhering to the principle of “never trust, always verify.”

Zero trust is usually combined with the principle of least privilege.  This significant departure from the traditional perimeter model of “trust but verify” addresses malicious insider activity and the risk of valid credentials being used by bad actors.  Least privilege limits the user, device, or network to the minimal level of access needed, and zero trust continuously monitors and validates the user and their device.

Still confused?  You aren’t alone!  Zero trust is complicated and isn’t one simple solution or tool.  It is a concept that you can work towards over time.  Adopting zero trust requires a comprehensive strategy that redefines security by assuming threats exist both outside and inside the network, operating on the principle of “never trust, always verify.”

Here are some high-level steps towards a zero trust environment:

  1. Assess the Current Architecture: Understand your existing systems and identify vulnerabilities.
  2. Identify Critical Assets: Determine which data, applications, and services are most crucial.
  3. Micro-Segment the Network: Break down the network into smaller, isolated segments.
  4. Evaluate Identity and Access Management (IAM) Policies and Tools: Implement strong authentication and access controls.
  5. Integrate Endpoint Security Strategies: Ensure all devices meet security standards.
  6. Encrypt Data: Protect data at rest, in transit, and in use.
  7. Implement Advanced Threat Detection and Response: Continuously monitor and respond to threats.
  8. Utilize Security Automation and Orchestration: Automate responses and integrate security tools.

Implementing zero trust in your organization requires a fundamental shift in your approach to security.  It involves securing identity, devices, network, applications, and data through continuous verification and strict access controls.  By methodically following the steps outlined above, you can significantly enhance the security posture of your institution and protect against modern cyber threats.
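The decision logic the principles above describe, written out as an added example (not code from the original post): every request must pass identity, MFA, device posture, session age and role-scope checks, so a stolen but valid password still fails on the device or scope check.  The device table, role map, field names and the two time limits are assumptions made for illustration.

```python
"""Per-request access decision in the zero trust style described above.

Added example, not code from the original post.  The device posture
table, the role-to-scope map, the RequestContext fields and the two age
limits are all assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed device inventory: device id -> (compliant?, time of last posture check).
DEVICE_POSTURE = {
    "LAPTOP-0412": (True, datetime(2024, 5, 24, 8, 0, tzinfo=UTC)),
    "LAPTOP-0977": (False, datetime(2024, 5, 24, 8, 0, tzinfo=UTC)),
}

# Least privilege: each role maps to exactly the (resource, action) pairs it needs.
ROLE_SCOPES = {
    "teller": {("core-banking", "read")},
    "lending": {("core-banking", "read"), ("loan-origination", "write")},
}

MAX_SESSION_AGE = timedelta(hours=8)   # continuous verification: force re-auth after this
MAX_POSTURE_AGE = timedelta(hours=24)  # posture data older than this is treated as unknown


@dataclass
class RequestContext:
    user: str
    roles: frozenset
    device_id: str
    mfa_verified: bool
    session_started: datetime
    resource: str
    action: str


def decide(ctx, now):
    """Return (allowed, reason).  Every check must pass; a valid credential alone is never enough."""
    if not ctx.mfa_verified:
        return False, "mfa required"
    if now - ctx.session_started > MAX_SESSION_AGE:
        return False, "session too old, re-authenticate"
    posture = DEVICE_POSTURE.get(ctx.device_id)
    if posture is None:
        return False, "unknown device"            # e.g. a stolen password used from the attacker's box
    compliant, checked_at = posture
    if not compliant:
        return False, "device not compliant"
    if now - checked_at > MAX_POSTURE_AGE:
        return False, "device posture stale"
    allowed = set().union(*(ROLE_SCOPES.get(r, set()) for r in ctx.roles))
    if (ctx.resource, ctx.action) not in allowed:
        return False, "action outside role scope"  # limits the blast radius of a compromised account
    return True, "allowed"


def evaluate_examples():
    """Run a few constructed requests and return {name: reason} for inspection."""
    now = datetime(2024, 5, 24, 12, 0, tzinfo=UTC)
    fresh = now - timedelta(hours=1)
    teller = frozenset({"teller"})
    cases = {
        "teller_compliant_read": RequestContext("alice", teller, "LAPTOP-0412", True, fresh, "core-banking", "read"),
        "teller_noncompliant_device": RequestContext("alice", teller, "LAPTOP-0977", True, fresh, "core-banking", "read"),
        "teller_writes_loans": RequestContext("alice", teller, "LAPTOP-0412", True, fresh, "loan-origination", "write"),
        "stolen_password_unknown_device": RequestContext("alice", teller, "ATTACKER-BOX", True, fresh, "core-banking", "read"),
        "old_session": RequestContext("bob", frozenset({"lending"}), "LAPTOP-0412", True, now - timedelta(hours=9), "loan-origination", "write"),
    }
    return {name: decide(ctx, now)[1] for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, reason in evaluate_examples().items():
        print(f"{name:32s} -> {reason}")
```

The point of the ordering is that nothing short-circuits to “allowed”: the same account with the same password gets four different denials depending on device, session age and the action requested.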

Authored by: David McCabe, MBA, CISSP

 

4/5/2024

Internet of Things (IoT) – The Risks Can Be Real

As IoT devices multiply in our lives, at work and at home, so does the cybersecurity risk.  There are already tens of billions of connected devices, and we can anticipate continued explosive growth.

As dumb devices get smarter, there is an increased potential to enlist them in cyberattacks.  Recently, cybersecurity researchers found that hackers could exploit vulnerabilities in Bosch Rexroth’s cordless pneumatic torque wrench and take complete control of it.  This tool has a built-in Wi-Fi module that lets it transmit data and be remotely reprogrammed.  An attacker could use the vulnerabilities to disable the wrench or cause it to over- or under-tighten (not good on an important bolt!).

Another recent and amazing story later turned out to be false, but it still points out the potential risk of unsecured IoT.  As the story was told, a Swiss newspaper reported that about three million smart toothbrushes were used by hackers in a Distributed Denial of Service (DDoS) attack against a Swiss company, resulting in millions of euros of damages.  It may have been an erroneous story, but it can still be a call to action.  Could this type of attack be true next time?

Another famous real-life example happened back in 2017, when hackers compromised a network-connected fish tank thermometer in a casino.  The hackers were able to pivot from that foothold into the rest of the casino network and stole 10 gigabytes of data, allegedly including information on high-roller gamblers.

These are extreme examples of how IoT is introducing new risks into our lives.  We can anticipate that there will be more IoT devices implemented, and we should be proactive to define policies, create procedures, and implement security solutions.

Common instances of IoT in financial institutions include:

  • ATMs
  • Cameras and video storage
  • Building management systems
  • Security and door access systems
  • Biometric authentication devices such as fingerprint scanners

What are some of the things we can do to minimize our IoT cybersecurity risk?

  • Change the default usernames and passwords
  • Implement strong passwords
  • Keep the devices updated
  • Use network segmentation
  • Block, or secure and monitor, Internet traffic from IoT devices
  • Implement tools to monitor for rogue IoT devices

IoT devices are often very easy to implement which can make it difficult to control their proliferation.  We need to stay vigilant for new devices that connect to our networks and make sure we have the proper security in place before these devices introduce new risks.
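One way to implement the “monitor for rogue IoT devices” item above, as an added example that is not code from the original post: compare what the switch or router actually sees against the asset inventory.  The neighbor-table lines and the inventory are constructed, and OUI_HINTS is a tiny placeholder rather than the IEEE registry; on a real network you would feed in `ip neigh show` (Linux) or `arp -a` output and your CMDB export.

```python
"""Flag network devices that are not in the asset inventory.

Added example, not code from the original post.  The neighbor-table
lines and the inventory are constructed, and OUI_HINTS is a tiny
placeholder rather than the IEEE registry.
"""
import re

# Constructed sample in the shape of Linux `ip neigh show` output.
NEIGHBOR_TABLE = """\
10.10.20.11 dev eth0 lladdr 00:1b:63:84:45:e6 REACHABLE
10.10.20.12 dev eth0 lladdr b8:27:eb:12:34:56 STALE
10.10.20.13 dev eth0 lladdr 00:1b:63:aa:bb:cc REACHABLE
10.10.20.14 dev eth0 lladdr 3c:5a:b4:00:11:22 REACHABLE
10.10.20.15 dev eth0 FAILED
"""

# Constructed inventory: MAC -> approved device.
INVENTORY = {
    "00:1b:63:84:45:e6": "lobby camera 1",
    "00:1b:63:aa:bb:cc": "lobby camera 2",
    "3c:5a:b4:00:11:22": "HVAC controller",
}

# Placeholder vendor prefixes (first three octets); b8:27:eb is the Raspberry Pi Foundation's.
OUI_HINTS = {"b8:27:eb": "Raspberry Pi Foundation"}

LINE_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<iface>\S+) lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<state>\S+)$"
)


def parse_neighbors(text):
    """Yield (ip, mac) for each resolved entry; rows without a MAC (FAILED/INCOMPLETE) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().lower())
        if m:
            yield m.group("ip"), m.group("mac")


def find_rogues(text, inventory=INVENTORY):
    """Return devices seen on the wire but absent from the inventory, with a vendor hint."""
    rogues = []
    for ip, mac in parse_neighbors(text):
        if mac in inventory:
            continue
        rogues.append({"ip": ip, "mac": mac, "vendor_hint": OUI_HINTS.get(mac[:8], "unknown vendor")})
    return rogues


if __name__ == "__main__":
    for r in find_rogues(NEIGHBOR_TABLE):
        print(f"ROGUE {r['ip']} {r['mac']} ({r['vendor_hint']})")
```

Run it from a scheduled job on each VLAN and page on any new MAC; the vendor hint is only a triage aid, since MAC addresses are trivially spoofed.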

Authored by: David McCabe, MBA, ISC2 CC

 

3/7/2024

Secure Your Institution’s Social Media Accounts from Malicious Takeover

There have been several recent compromises of social media accounts belonging to high-profile institutions and companies.  Specifically, the X accounts of the Securities and Exchange Commission (SEC) and of Mandiant, a cybersecurity subsidiary of Google, were temporarily taken over by bad actors.  Other recent victims include Hyundai, Netgear and CertiK.

When hackers have control of social media accounts, they may publish false information, attempt to distribute malware, seek to gather users’ account and password information, or try to damage the reputation of the compromised company.

A social media account compromise can have several negative impacts including:

  • The reputation of an organization can be damaged.
  • The public can lose trust in an institution’s cyber security and IT abilities.
  • There can be real financial impacts (e.g., after the above SEC breach was disclosed, the value of Bitcoin plummeted 6%, a $54 billion short-term impact on the total value of all Bitcoin).
  • Subscribers to the accounts can be compromised, damaged, or defrauded (e.g., during the Mandiant compromise, hackers sent links to Mandiant’s X followers attempting to distribute cryptocurrency-stealing malware.  The estimated amount stolen during this short takeover was $900,000).

For both the SEC and Mandiant compromises, missing or improperly configured multifactor authentication was cited as the primary issue that allowed the bad actors to complete the account takeovers.

Account takeovers can hit your institution’s social media accounts, but you should also be aware of other critical online accounts, such as those that control your domain name registration, IP address ownership, cloud services and others.

Make sure to follow the best practice recommendations for all your online service providers as well as those of your cybersecurity team.  Multifactor authentication, long and complex passwords, layered security measures, and end-user training are all critical to securing your accounts and protecting your customers and your reputation.

Authored by: David McCabe, MBA, ISC2 CC

 

2/22/2024

Vishing, Quishing, and Smishing

Some of the newer forms of social engineering have interesting names, and each has its own way of fooling users.  Several of the most significant cybersecurity events of 2023 started with social engineering.  In 2022, social engineering techniques accounted for 20% of all compromises.  We need to continue training our teams in the basics of social engineering while also keeping informed on the new tricks the bad guys/gals are increasingly using.

Vishing – voice/phone call phishing – making phone calls or leaving voice messages to trick individuals into revealing personal information, such as bank details and credit card numbers.  Often the people who fall prey to vishing are not tech-savvy.  The 2023 MGM compromise started with phone calls to the MGM help desk and cost as much as $8.4 million per day in lost revenue.  Specifically, the hackers found an employee’s information on LinkedIn and impersonated them in a call to MGM’s help desk to obtain credentials.  The implication is that the help desk didn’t have sufficient training or tools to definitively identify the end user.

  • What can we do?
    • Train your users in all the forms of social engineering.
    • Make sure that your help desk has adequate tools and procedures to verify employees.
    • Make sure that help desk team training is a priority.
    • Think about how you communicate priorities to your help desk team.  Make sure they are prioritizing security over the pressures to get the end users off the phone quickly.  Do they have management’s support to follow the proper procedures and do things right?

Quishing – QR code phishing – the word combines “QR code” and “phishing,” and it means scamming people with a QR code.  Cyber criminals can hide malicious URLs in QR codes.  Users cannot read a QR code directly, and many email security scanners do not evaluate the URL embedded in an image.

  • What can we do?
    • Users can be trained to understand QR codes and review the links before clicking on them.
    • When you scan a QR code on your phone, most camera apps show a preview of the URL before opening it.  Don’t open unfamiliar or shortened links, and look for slight misspellings in familiar names, e.g., mall.com instead of mail.com.
    • If the QR code takes you to a page that asks for your login credentials, never enter them there.  If you think there might be a legitimate concern with a purchase, delivery, or online account, visit the company’s website directly in your browser or call the business by phone.
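The URL review described in the list above, turned into a checklist a help desk or a mail gateway could run, as an added example that is not code from the original post.  KNOWN_BRANDS and SHORTENERS are small constructed lists (a real deployment would load the institution’s own domains), and the two-label “registrable domain” rule is a simplification that ignores suffixes like .co.uk.

```python
"""Review a URL decoded from a QR code before anyone taps it.

Added example, not code from the original post.  KNOWN_BRANDS and
SHORTENERS are constructed lists, and registrable() is a deliberate
simplification of the public-suffix rules.
"""
import ipaddress
from urllib.parse import urlsplit

KNOWN_BRANDS = {"mail.com", "fnbank.example", "fdic.gov"}   # constructed allowlist
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}              # constructed


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host name (simplification, see lead-in)."""
    return ".".join(host.split(".")[-2:])


def assess_url(url):
    """Return the reasons this URL deserves suspicion; an empty list means nothing obvious."""
    reasons = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    domain = registrable(host)

    if parts.scheme != "https":
        reasons.append("not https")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode (internationalised) hostname")
    if parts.username is not None:
        reasons.append("text before '@' in the URL is not the real site")
    if domain in SHORTENERS:
        reasons.append("link shortener hides the destination")
    if domain not in KNOWN_BRANDS:
        for brand in KNOWN_BRANDS:
            if edit_distance(domain, brand) <= 2:
                reasons.append(f"looks like {brand} but is {domain}")
            if brand.split(".")[0] in labels[:-2]:
                reasons.append(f"{brand} name used as a subdomain of {domain}")
    return reasons


if __name__ == "__main__":
    for u in ("https://mail.com/inbox", "https://mall.com/login",
              "https://fdic.gov.verify-account.example/", "http://203.0.113.5/verify"):
        print(u, "->", assess_url(u) or "ok")
```

The subdomain check matters as much as the misspelling check: “fdic.gov.verify-account.example” contains the real brand name, but the part that actually decides where you land is the last two labels.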

Smishing – phishing via SMS text messages.  Scammers spoof or cheaply acquire phone numbers and blast out messages containing malicious links.  According to Proofpoint’s 2023 State of the Phish report, 76 percent of organizations experienced smishing attacks in 2022.

Last June, the Federal Trade Commission reported a nearly twentyfold increase in texts impersonating banks in scams that have a median consumer loss of $3,000.

  • What can we do?
    • Again, user training is critical.
    • Some MDM solutions can monitor incoming messages for suspicious activity, block malicious content, and prevent employees from accessing unauthorized websites or downloading malicious apps.

Whether it is vishing, quishing, or smishing, train your team to be wary of the various types of phishing attacks and to recognize that they come in many forms.

Authored by:  Dave McCabe, ISC2 CC

 

1/11/2024

Zero-days Are Becoming More Zero

Zero-day vulnerabilities are vulnerabilities for which no patch is yet available and therefore the hardware or software manufacturer has had “zero days” to create a fix.  Once the vulnerabilities are identified, hardware and software vendors rush to publish patches, fixes, or some other work around.  But, at the same time, the bad guys are aware of the vulnerability and are working to exploit it to take advantage of the situation.

Every year hackers get faster at exploiting issues – one study found that zero-day vulnerabilities were exploited 87% faster in 2022 as compared to 2020.  This leaves less time for the patches to be developed and released by the vendors, and less time for your team to implement the fix.  Therefore, we all need to stay prepared and get faster at responding.

The most dangerous zero-day vulnerabilities may be those that impact network edge devices such as firewalls, web servers, email servers, load balancers, etc.  In 2023 there were several critical zero-day vulnerabilities in edge network devices (Citrix Bleed, FortiOS, and others) that significantly impacted businesses.  Always prioritize patching Internet-facing systems and devices!

It can be overwhelming when the bad guys always seem to be one step ahead, but having the following plans, processes, and teams in place can help improve your odds of success:

  • Monitor vendor and trade publications for zero-day exploits that may impact your systems.  Subscribe to threat intelligence services and updates from your vendors.
  • Understand and document your network so that you know where your vulnerable systems are and you are prepared to act when needed.
  • Reduce your Internet exposure to the minimum required.
  • Prepare and practice incident response procedures to implement emergency patching.
  • Keep your systems updated and patched so that you aren’t playing catchup when the patch for the zero-day is released.
  • Build a defense-in-depth cybersecurity infrastructure so that you limit the impact of a zero-day exploit.
  • Run periodic vulnerability scans and audits to identify any issues that you may have missed.
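The first three items above (watch the feeds, know where your systems are, weigh Internet exposure) come together in one routine job: match the asset inventory against a known-exploited-vulnerabilities feed and rank the hits.  The following is an added example, not code from the original post.  The inventory and the feed are constructed; the field names follow the shape of CISA’s KEV catalog JSON, but the entries use placeholder CVE ids and illustrative dates, not real records.

```python
"""Rank assets against a Known Exploited Vulnerabilities feed.

Added example, not code from the original post.  INVENTORY and KEV_FEED
are constructed; the KEV field names are real, the entries are not.
"""
import json
from datetime import date

# Constructed asset inventory: what runs where and whether it faces the Internet.
INVENTORY = [
    {"host": "vpn-gw-1", "vendor": "Citrix", "product": "NetScaler Gateway", "internet_facing": True},
    {"host": "fw-edge-1", "vendor": "Fortinet", "product": "FortiOS", "internet_facing": True},
    {"host": "fw-lab-1", "vendor": "Fortinet", "product": "FortiOS", "internet_facing": False},
    {"host": "hr-app", "vendor": "ExampleCorp", "product": "HR Portal", "internet_facing": False},
]

# Constructed feed in the KEV shape with placeholder ids (CVE-0000-...), not real entries.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dateAdded": "2023-10-18", "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2023-06-13", "dueDate": "2023-07-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Widget",
     "dateAdded": "2023-12-01", "dueDate": "2023-12-22", "knownRansomwareCampaignUse": "Unknown"},
]})


def normalize(s):
    return " ".join(s.lower().split())


def product_matches(feed_product, asset_product):
    """KEV product strings often name several products ('A and B'); match if any one fits."""
    ap = normalize(asset_product)
    candidates = [normalize(p) for p in feed_product.replace(" and ", ",").split(",")]
    return any(ap == c or ap in c for c in candidates)


def prioritize(inventory, feed_json, today):
    """Return matched (asset, entry) pairs, most urgent first.  `today` is an ISO date string."""
    today = date.fromisoformat(today)
    entries = json.loads(feed_json)["vulnerabilities"]
    hits = []
    for asset in inventory:
        for v in entries:
            if normalize(v["vendorProject"]) != normalize(asset["vendor"]):
                continue
            if not product_matches(v["product"], asset["product"]):
                continue
            hits.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "internet_facing": asset["internet_facing"],
                "ransomware": v["knownRansomwareCampaignUse"] == "Known",
                "overdue": date.fromisoformat(v["dueDate"]) < today,
            })
    # Internet-facing first, then ransomware-linked, then past the due date, then by id.
    hits.sort(key=lambda h: (not h["internet_facing"], not h["ransomware"], not h["overdue"], h["cve"]))
    return hits


if __name__ == "__main__":
    for h in prioritize(INVENTORY, KEV_FEED, "2024-01-11"):
        print(h)
```

The matching here is by vendor and product name only, which is what a KEV entry gives you; confirming the installed version against the vendor advisory is the next step, and the lab firewall at the bottom of the list still needs the patch, just not first.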

The best thing we can do about zero-day vulnerabilities is to be like a Boy Scout and “Be Prepared”!

Authored by: David McCabe, MBA, ISC2 CC

 

12/14/2023

WordPress Vulnerability Fix

If your organization is one of the millions that uses WordPress to host its websites, take heed of a recently discovered vulnerability in the Backup Migration WordPress plugin, which has more than 90,000 installs.  This vulnerability lets attackers inject and execute arbitrary PHP code, i.e., remote code execution (RCE), and completely take over your website.  An update that fixes the plugin flaw is available at https://wordpress.org/plugins/backup-backup/.  You should be running version 1.3.8 or above to address this concern.

This is another reminder to make sure patch and vulnerability management is happening on all fronts in your organization.  Vulnerabilities are frequently discovered in WordPress core and in plugins, so make sure you include them!  WordPress can also apply plugin updates automatically, which may make sense for many institutions and makes the patching process hands-off (test on a staging copy first if your site depends on custom themes or plugins).

Authored by: Brad Goetsch

 

10/12/2023

Cybersecurity Awareness Month 

In an effort to support Cybersecurity Awareness Month, 10-D Security has developed a quick, online training called, “Spot the Phish” that is available to everyone.  Please feel free to share with colleagues, clients, and business associates.  A little learning can go a long way in avoiding an attack.  The link is https://10dsecurity.com/sharedcourses/PhishingRefresherRiseModule_Web/content/index.html.

(And this link is NOT the first test in “Spot the Phish” – it’s legit!)

Authored by:  Brad Goetsch

 

9/29/2023

Here Comes Passkeys!

The next version of Windows 11 (23H2), due October 2023, adds support for passkeys.  Google also added passkey support for Google accounts back in May of this year, and many popular websites let you use this feature as well.  So, what are passkeys?  Simply put, they replace the traditional username and password combination for logging in to things.  There are many reasons why username-and-password authentication is broken, and passkeys represent a strong effort to make authentication quick, easy, and more secure.  From Microsoft’s description:

Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords.  Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device’s unlock mechanism (such as biometrics or a PIN).  Passkeys can be used without the need for other sign-in challenges, making the authentication process faster, secure, and more convenient.

Today, we’re just going to cover some simple advantages and disadvantages of passkeys over passwords.

Advantages

  • Passkeys are more secure.  Each passkey is a cryptographic key pair bound to a specific device and to the site it was created for, so a bad guy cannot guess it the way a password can, and it cannot be phished or replayed on a look-alike site.
  • Better experience for users.  Whether client or employee, forgetting a password always negatively impacts the user experience.  Passkeys eliminate this issue.
  • Passkeys are always strong, where passwords are not created equally – Some are weak, some are strong.
  • Passwords need to be changed periodically with many password policies.  Not true with passkeys.
  • No need for password storage.  Passkeys eliminate this need.
  • Associated costs of passkeys over the long-term should ultimately be lower than password authentication.

Disadvantages

  • Not all websites or applications accept passkeys, leaving users trying to take advantage of this new technology while still living in a world of the old.  Adoption may be slow for a while.
  • While user experience with passkeys is an advantage, adapting to new technology can be difficult for some users.
  • Passkeys typically unlock with the device’s biometrics (or its PIN).  A smudge of dirt on a finger or a blemish on a face may hinder verification, turning something easy into a minor annoyance.
  • If you don’t have your device with you, you won’t be able to authenticate.
  • Losing your authentication device is painful.  Regaining access to your accounts may require providing IDs and take considerably more time than clicking “reset password.”  Passkeys synced through a platform account (Apple or Google, for example) soften this, since they can be restored on a replacement device.

Like all things, passkeys have benefits as well as shortcomings when it comes to moving to passwordless authentication.  And while in theory passkeys sound like a silver bullet, actual implementation will ultimately determine whether passkeys are better for your organization.  Look for more discussion of passkeys in our weekly security tips as adoption grows and implementation and management improve.

Authored by:  Brad Goetsch, CBISO

 

9/14/2023

Pig Butchering – What to Know About this Virtual Currency Scam

The Financial Crimes Enforcement Network (FinCEN), on September 8, 2023, issued a critical alert (FIN-2023-Alert005) regarding a prevalent virtual currency investment scam known as “Pig Butchering”.  This alert serves as a warning to the public, financial institutions, and cryptocurrency service providers about the growing threat posed by this fraudulent scheme.

What is “Pig Butchering”?

“Pig Butchering” is a deceptive investment scam that primarily targets unsuspecting individuals interested in cryptocurrency investments. Perpetrators of this scheme can employ various tactics to lure victims into parting with their cryptocurrency holdings or funds, though these scams commonly begin as a romance scam.  Unlike other types of scams in which smaller and more frequent transactions occur, the butcher’s goal is generally a large, single payday that may drain the life savings of victims.

Key Characteristics of the Scam:

  1. False Promises: Scammers promise high returns on investments with minimal risk, often claiming to use complex trading strategies or insider information.
  2. Fake Celebrity Endorsements: To gain credibility, fraudsters may use fabricated endorsements from celebrities, industry experts, or public figures.
  3. Pressure Tactics: Victims are often subjected to high-pressure sales tactics, urging them to invest quickly before the opportunity vanishes.
  4. Smishing: Scammers send text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.
  5. Phishing: Scammers send phishing emails or direct victims to fake websites that closely mimic legitimate cryptocurrency platforms.
  6. Ponzi Schemes: In some cases, funds from new investors are used to pay returns to earlier investors, creating a Ponzi-like structure.

FinCEN’s Warning:

FinCEN’s alert underscores the need for vigilance in the cryptocurrency investment space.  It emphasizes that investors should conduct thorough due diligence before investing in any cryptocurrency opportunity.  Furthermore, individuals and businesses should be cautious of unsolicited investment offers and exercise skepticism when presented with overly promising investment proposals.

 

Actions to Protect Yourself:

  1. Verify Information: Always verify the legitimacy of investment opportunities by conducting independent research and seeking advice from trusted financial professionals.
  2. Beware of Red Flags: Be cautious of investment offers that promise guaranteed returns, pressure you to act quickly, or request large sums of money upfront.
  3. Use Trusted Platforms: Only use reputable cryptocurrency exchanges and investment platforms with a proven track record.
  4. Report Suspicious Activity: If you encounter a suspected cryptocurrency scam or fraudulent activity, report it to relevant authorities and your financial institution.

Bottom Line:

Cryptocurrency scams like “Pig Butchering” continue to pose a significant threat to investors. FinCEN’s alert serves as a reminder to exercise caution and due diligence when considering any cryptocurrency investment opportunity. By staying informed and vigilant, individuals can protect themselves from falling victim to such fraudulent schemes.

Press Release: https://www.fincen.gov/news/news-releases/fincen-issues-alert-prevalent-virtual-currency-investment-scam-commonly-known

Alert: https://www.fincen.gov/sites/default/files/shared/FinCEN_Alert_Pig_Butchering_FINAL_508c.pdf

Authored by: Josh Mourning, CCBP

 

9/7/2023

Standard Password Complexity Rules Just Don’t Cut It Anymore

Microsoft Active Directory has had password complexity requirements built in for a long time.  Most administrators are familiar with the standard settings.  You can set a minimum length and require complexity, which, in Microsoft’s implementation, means the password must contain characters from at least three of the following categories (the full rule has a fifth category for other Unicode letters, and it also forbids the user’s account name or display name inside the password):

  • Uppercase letter
  • Lowercase letter
  • Number
  • Special character

The problem with this is that you can have some terrible passwords that meet or exceed these requirements.  Let’s say you work at a fictional financial institution named “Bank of Mordor” and set a minimum length of ten (10) characters and require complexity…you can still (and probably do!) have users that will create passwords such as:

  • Password123
  • Summer2023
  • Bankofmordor1
  • Temp123456

Note that none of those have special characters; they aren’t required by the standard complexity rules above.  Even if your users remember their security awareness training and throw a special character (usually a “!”) on the end, it won’t help much.  Common cracking wordlists already contain variations on the above, and a password cracker applying those lists with mangling rules would break these within seconds.

So, what can be done?  Unfortunately, there isn’t much available out of the box to combat this particular issue.  Here are some suggestions:

  • Keep up security awareness training.  Teach users that the way a password is made up can be just as important as meeting the requirement.
  • Encourage passphrases.  Adding even one space to a password makes a huge difference in the work needed to crack or guess it.  Something like “I like hotdogs!” is simple to remember, and its length and mix of characters make it very difficult to crack.
  • Consider password “blacklisting.”  This control (generally provided by a third-party bolt-on solution) lets you disallow certain words or patterns in user-created passwords.  If you use Microsoft Entra ID (formerly Azure AD), Entra Password Protection already provides a global banned-password list plus a custom list, and it can be extended to on-premises Active Directory domain controllers through an agent.

Authored by: Jeremy Johnson, OSCP, CISSP

 

8/3/2023

MFA Notification Fatigue Attacks

I can still recall my first horror movie starring a werewolf.  The bad news was that a scary monster was coming.  The good news, there was a way to definitively stop it – just use a silver bullet!

In real life, we have scary threat actors coming after us as well.  These “monsters” are ruthless in their attack methods and are unfortunately successful too many times to count.  Though we have many defensive tools in our toolbox, a fan favorite has emerged – multi-factor authentication.

Multi-factor authentication (MFA), often called two-factor authentication, is a security measure that goes beyond the traditional username and password combination by requiring additional authentication factors.  These are typically categorized into:

  • Something you know: passwords, PINs
  • Something you have: smartphones, tokens, smart cards
  • Something you are: biometrics such as facial recognition, fingerprints, voice recognition, retina

To successfully log in with MFA, users must provide at least two of these factors, not just the “something you know” username and password combo.  A best practice is out-of-band (OOB) MFA, meaning the second factor travels over a separate communication channel or device.  A rotating PIN code displayed on the user’s desktop would be of little help if a threat actor already has remote control of that workstation; a push notification to a smart device, or a biometric check, is a far stronger approach by comparison.

Your silver bullet is now in the chamber and ready to fire.

But wait, this method isn’t 100% effective?  How is that possible because I am using OOB MFA and the threat actors cannot directly access my cell phone, and good luck trying to get into my offline smart watch!

According to CISA, one way to circumvent this protection is an attack method known as MFA push bombing, a form of MFA fatigue attack.  Push bombing is a targeted attack in which threat actors send excessive push notifications or alerts to users, hoping they will eventually accept one out of frustration or exhaustion.  To run a push-bombing attack, the threat actor must already have the user’s credentials (username and password); a burst of unexpected prompts is therefore also evidence that the password is compromised.  They then perform a series of login attempts in quick succession to “fatigue” the user into approving a request just to make the notifications stop.  Imagine all that protection at your back door only to let the werewolf simply walk in the front door!  Though CISA and regulatory agencies encourage all organizations to implement MFA that resists fatigue attacks (phishing-resistant authenticators such as FIDO2 security keys, or at minimum number matching in push prompts), many of us are just not there yet.
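The burst of prompts described above is visible in the authentication log long before the user gives in, so it is worth alerting on.  Below is an added example of that detection logic, not code from the original post or from CISA.  The log lines are constructed in a generic key=value shape rather than any vendor’s real format, and the trigger (4 or more prompts to one user within 10 minutes) is an assumption to tune against your own baseline.

```python
"""Spot MFA push bombing in authentication logs.

Added example, not code from the original post.  SAMPLE_LOG is
constructed; WINDOW and THRESHOLD are assumptions to tune locally.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: jdoe is bombed and eventually approves; asmith logs in normally.
SAMPLE_LOG = """\
2023-08-03T09:00:05Z user=jdoe event=mfa_push result=denied src=198.51.100.7
2023-08-03T09:00:41Z user=jdoe event=mfa_push result=denied src=198.51.100.7
2023-08-03T09:01:20Z user=jdoe event=mfa_push result=timeout src=198.51.100.7
2023-08-03T09:02:03Z user=jdoe event=mfa_push result=denied src=198.51.100.7
2023-08-03T09:03:15Z user=jdoe event=mfa_push result=approved src=198.51.100.7
2023-08-03T09:05:00Z user=asmith event=mfa_push result=approved src=203.0.113.20
2023-08-03T12:30:00Z user=asmith event=mfa_push result=approved src=203.0.113.20
"""

WINDOW = timedelta(minutes=10)
THRESHOLD = 4


def parse_line(line):
    """'<iso-ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_push_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose push prompts reach the threshold inside a sliding window."""
    recent = defaultdict(deque)   # user -> prompts still inside the window
    alerts = {}                   # user -> alert, updated as the burst continues
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") != "mfa_push":
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        a = alerts.setdefault(ev["user"], {"user": ev["user"], "first": q[0]["ts"].isoformat(),
                                           "approved_after_burst": False})
        a["prompts"] = max(a.get("prompts", 0), len(q))
        a["denied_or_timeout"] = sum(e["result"] in ("denied", "timeout") for e in q)
        a["sources"] = sorted({e["src"] for e in q})
        a["last"] = ev["ts"].isoformat()
        if ev["result"] == "approved":
            a["approved_after_burst"] = True   # the user gave in: treat the session as compromised
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

An alert with approved_after_burst set should be handled as a confirmed compromise (kill the session, reset the password, re-enrol MFA), while one without it is still a reason to reset the password, since the attacker already had it.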

In the interim, education can be your best defense when used alongside your authentication controls.  Train your users about phishing and MFA fatigue attacks along with your traditional social engineering campaign.  Teach them that the only time they should click “accept” is when the prompt results from a login they themselves just initiated, with zero exceptions.  Declining a suspicious MFA prompt is the first goal; reporting it immediately to those in charge of IT infrastructure is the second, so the password behind the prompt can be reset.

Striking the right balance between security and usability is important.  Consider implementing user-friendly MFA solutions in conjunction with robust Information Security Awareness education to help your organization mitigate MFA fatigue and ensure the protection of sensitive information without compromising user experience.

Authored by:  Benjamin Caruso, CBISO

 

7/27/2023

Cybersafe Travel

Whether you are traveling for business or going on vacation, information security should always be part of the itinerary. Here are several tips to ensure you have a cybersafe journey.

Be cautious when connecting to public Wi-Fi networks.   Whether you are at the airport, a coffee shop, or any other public place, there are usually multiple public Wi-Fi options available. However, attackers can take advantage of this by creating fake networks that look like legitimate ones.  To stay safe, always verify that you are connecting to the intended network’s SSID (Service Set Identifier).  For example, at Atlanta Airport, there may be an imposter network called “Atlanta Airport Wi-Fi” instead of the legitimate “Atlanta International Wi-Fi.”  If possible, confirm the correct network with the on-site staff.

Whenever possible, use a VPN while on an unfamiliar network.  A VPN encrypts your traffic so that a bad actor on the same network cannot read or tamper with it.  Especially if you must access sensitive information, be it your own or your company’s, it is always best to do so over a VPN.

Bluetooth headphones have become more commonplace as fewer devices include a 3.5mm audio port.  However, it is important to treat Bluetooth as you would any other potential avenue for attackers to exploit.  To minimize risks, disable Bluetooth when it is not in use, especially in crowded environments where the likelihood of unauthorized connections is higher.  If you are renting a car and wish to pair your phone with the car’s Bluetooth for navigation and audio purposes, consider waiting until you are out of range from other cars to ensure you select the correct device.   In crowded areas, many devices may appear similar, making it easy to inadvertently connect to the wrong one.  Also, avoid synchronizing your contacts or messages, even if you plan to remove them later.

Take steps to secure your devices before and during your travels.  It is always a best practice to keep your devices up to date with the latest security software, but when you are traveling, this becomes even more important.  Double-check you have completed any pending software updates and restart your devices before embarking on your journey.  Additionally, back up any critical data from your devices to a secure location, such as cloud storage or an external hard drive, in case your device gets lost or damaged.

If possible, consider limiting the number of devices you bring with you. Carrying fewer devices reduces the potential points of vulnerability. For instance, avoid using unencrypted USB thumb drives to store or transfer sensitive data, as they can easily get lost or accessed by unauthorized individuals. Similarly, if you happen to find a USB drive in a public place, never plug it into your computer. Cyber attackers sometimes intentionally drop USB drives containing malicious software, hoping unsuspecting people will connect them to their devices.

Authored by:  John Stephens, Security+

 

6/1/2023

Importance of Disabling Legacy applications such as Internet Explorer

“Legacy” applications are products that are no longer supported and therefore no longer receive updates.  Once an application stops being supported and maintained, any vulnerability bad actors find in it stays open indefinitely, giving them a path into your network or to your data.  It may not always seem like the ideal, or easiest, task getting employees on board with using the latest and greatest, but when it comes to security it is the most important.

Internet Explorer 11 (IE11) has been one of the most widely used applications around, which has made it the hardest for people to let go of.  Since web browsers are used for a wide variety of tasks, it is important to stay current.  For security purposes, Microsoft has disabled IE11 through an update to help guide users over to Microsoft Edge.  The update has only been pushed to certain versions of Windows 10 (20H2 and newer).  Microsoft is also working on updates that will remove the IE11 icons from the desktop, the Start menu, and the taskbar.  To ease the transition, Microsoft provides IE mode in Microsoft Edge, which lets users run web applications that only work with IE (great for environments that have kept IE around for compatibility reasons).  Unfortunately, older versions of Windows (Windows 10 prior to 20H2, Windows 7, Windows Server 2008 R2, etc.) will not receive this update and can still run IE11.  This leaves those hosts vulnerable to current and future exploits of the deprecated application.  The best policy is to keep Windows patching up to date, after updating and testing within dev and test environments first.  For further detail and to stay current on updates about the matter: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/internet-explorer-11-desktop-app-retirement-faq/ba-p/2366549.

Wherever possible, get “Legacy” applications out of your environment and help keep your network up to date and secure!

Authored by: Taylor Conder, Sec+

 

3/16/2023

Exploiting the Silicon Valley Bank (SVB) Failure

The recent high-profile failures of SVB, Signature Bank, and Silvergate Bank have been at the forefront of the news cycle.  Unfortunately, this has given threat actors the chance to seize the moment and exploit the fear and panic associated with these events.  Be wary of anything related to these events, including, but not limited to, emails with attachments or links, social media posts, texts, or phone calls that convey an urgent call to action or ask for sensitive data.  Below are some scenarios being used to manipulate people and/or steal information.

 

Risk #1: Fraudulent Transfers

Sample Scenario:

The most typical attack vector is the impersonation of a trusted contact. For example, the threat actor will impersonate one of your suppliers or vendors via email, text, or phone call claiming that they have moved from SVB to another bank and urgently need you to wire payment to this new account.

Mitigation Steps:

Remind your employees never to send payments to account details received through unofficial channels. Any change to an existing payment process must be explicitly verified, and that verification means contacting the actual vendor the email claims to come from and confirming they sent the request. Use your existing points of contact; do not reply to the email or call any numbers provided in it to verify the change.

 

Risk #2: Phishing for Bank Account Credentials

Sample Scenario:

A threat actor sends an email, claiming to be from the FDIC, SVB, or another government agency, with instructions on how to access your funds. You are asked to immediately log in to your "new" account using your old credentials via a link in the email. That link, needless to say, leads to a credential-harvesting web page.

Mitigation Steps:

Remind your employees and customers that they should never enter credentials on sites reached through links in email messages, phone calls, or SMS. Use only trusted sources, such as the FDIC website or the SVB banking site typed in directly, to find out how to access your funds.

 

Risk #3: Spreading Panic and Misinformation

Sample Scenario:

In addition to the above direct risks, attackers and hacktivists may also attempt to leverage existing tensions to accelerate panic and uncertainty by spreading disinformation on the alleged collapse of additional banks. You may see social media messages informing you that the banks you’re working with are at risk, urging you to withdraw your funds before it’s too late.

Mitigation Steps:

Only trust official communication channels from your banks and trusted government sources and avoid forwarding uncorroborated messages via social media or other communication channels.

Additional Steps:

Utilize Security Awareness Training to heighten understanding of social engineering risks.

 

Harden email security by:

  • Enforcing MFA verification on any accounts that support it.
  • Disabling legacy email protocols that are more susceptible to compromise.
  • Blocking access to email from risky locations using conditional access policies.
  • Enabling alerting for suspicious account activity for faster response times should something occur.
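The second bullet, disabling legacy protocols, is the one that is easiest to get wrong, because MFA never fires for a basic-auth POP, IMAP or SMTP AUTH login: a phished password alone is enough. As an added example (not part of the original tip), the following Exchange Online PowerShell applies the tenant-wide block, turns the protocols off per mailbox, and lists whatever is still open. It assumes the ExchangeOnlineManagement module and an admin account; the UPN and policy name are placeholders. Conditional Access and alerting live in Entra ID and are not shown here.

```powershell
# Added example (not from the original tip). Requires ExchangeOnlineManagement.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder admin UPN

# 1. Tenant-wide: an authentication policy that allows no basic auth at all.
#    A newly created policy blocks every basic-auth protocol by default, so no
#    per-protocol switches are needed. Takes up to 24 hours to apply.
$policyName = 'Block Legacy Auth'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 2. Per mailbox: turn off POP, IMAP and SMTP AUTH, the protocols a phishing kit
#    uses to read or send mail with a stolen password and no MFA prompt.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true

# 3. Verify. SmtpClientAuthenticationDisabled = $null means the mailbox inherits
#    the org setting (Set-TransportConfig -SmtpClientAuthenticationDisabled),
#    so anything listed here is an exception to review, not necessarily a gap.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
```

Scanners, multifunction printers and line-of-business apps that send mail are the usual exceptions; give those their own account with a scoped authentication policy rather than leaving the tenant default open.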

Authored by: CalTech Information Security Team

 

2/2/2023

Think before you click….

Phishing emails are becoming more realistic, so it is important to know what to look for. Things to review in an email to confirm it is legitimate include:
• Review the sender information in the header carefully; it is often the first red flag that an email is not legitimate. In other words, the boss isn’t going to email you from randoemailaddress@anflkwnero.ru.
• Before clicking on any hyperlink in an email, hover over it and check whether the actual URL looks suspicious or points to a different domain than the text shows.
• Do not open unexpected attachments, especially zip files and macro-enabled Office files, as they can contain hidden malicious code. If there is any question whether an attachment is legitimate, reach out to the sender directly by phone and ask, “Did you send this?”
• Be careful about downloading images within an email. It is possible, though rare, for images to carry hidden malicious code, and loading them also confirms to the sender that your address is live.
• When checking email on a mobile device, be careful: it is harder to review the sender and links there. If in doubt, hold off and review the email more thoroughly on a desktop.
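The first two checks above can be done by machine on a saved message. As an added example (not part of the original tip), the following PowerShell parses a raw message, compares the From, Reply-To and Return-Path domains, and reports links whose visible text is a URL on a different host than the one the link actually goes to, which is exactly what "hover over the link" reveals by hand. The message is constructed for illustration and reuses the address from the tip.

```powershell
# Added example (not from the original tip). Sample message is constructed.
$raw = @'
Return-Path: <bounce@anflkwnero.ru>
From: "Pat Boss" <pat.boss@example-bank.com>
Reply-To: randoemailaddress@anflkwnero.ru
Subject: Urgent: approve this wire today
Content-Type: text/html

<p>Approve it here: <a href="http://example-bank.com.anflkwnero.ru/login">https://online.example-bank.com/login</a></p>
'@

function Get-HeaderValue([string]$headers, [string]$name) {
    # First matching header line; good enough for the top-level headers checked here.
    $pattern = '^{0}\s*:\s*(.+)$' -f $name
    foreach ($line in $headers -split "`r?`n") {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
}

function Get-EmailDomain([string]$addr) {
    # Pull the domain out of 'Name <user@host>' or a bare address.
    if ($addr -match '[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
}

function Test-PhishIndicators([string]$message) {
    $findings = @()
    $parts    = $message -split "`r?`n`r?`n", 2        # headers, then body
    $headers  = $parts[0]
    $body     = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    $fromDomain  = Get-EmailDomain (Get-HeaderValue $headers 'From')
    $replyDomain = Get-EmailDomain (Get-HeaderValue $headers 'Reply-To')
    $pathDomain  = Get-EmailDomain (Get-HeaderValue $headers 'Return-Path')

    # Replies or bounces routed to a domain other than the claimed sender's.
    if ($replyDomain -and $replyDomain -ne $fromDomain) {
        $findings += "Reply-To domain '$replyDomain' differs from From domain '$fromDomain'"
    }
    if ($pathDomain -and $pathDomain -ne $fromDomain) {
        $findings += "Return-Path domain '$pathDomain' differs from From domain '$fromDomain'"
    }

    # Links whose displayed text is a URL on a different host than the real target.
    foreach ($m in [regex]::Matches($body, '<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', 'IgnoreCase')) {
        $target = $m.Groups[1].Value
        $shown  = $m.Groups[2].Value.Trim()
        if ($shown -match '^https?://') {
            $targetHost = ([uri]$target).Host
            $shownHost  = ([uri]$shown).Host
            if ($shownHost -ne $targetHost) {
                $findings += "Link displays '$shownHost' but goes to '$targetHost'"
            }
        }
    }
    return $findings
}

Test-PhishIndicators $raw
```

On the sample this reports three findings: mismatched Reply-To, mismatched Return-Path, and a link whose text says online.example-bank.com while the href goes to a subdomain of anflkwnero.ru. The same three checks are what a mail gateway rule or a SOAR playbook would apply to a user-reported message.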

Authored by: Taylor Conder, Sec+

 

1/26/2023

Lock It Down!
Whether it’s our homes, our cars, or our bicycles, we know if we truly want to keep our valuables, we need to lock them up. Leaving ourselves exposed may not always lead to problems, but we know we’re secure when we keep our items locked.

In the same way, we need to lock our digital items when we’re away. It’s far too common to see smartphones, tablets, and computers left unlocked with no one in sight. With one quick move, a malicious attacker could snag your device and take all your information along with that expensive piece of technology.

However, a long-gone device is not the only threat. An attacker could leave the device but take important information from it: usernames, passwords, banking details, or other personally identifiable information. Furthermore, an attacker could extract proprietary information from your place of business, jeopardizing not only yourself but the company you work for.

To combat this, 10-D Security recommends considering the following steps to secure your systems:
• Set a password or passcode on your devices.
• Lock your device when you need to leave it unattended.
• Implement a policy for screen locking after periods of inactivity.
• Configure the device to encrypt data.
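The third bullet, a screen-lock policy, is the one people forget to actually enforce. As an added example (not part of the original tip), the following PowerShell sets the Windows machine inactivity limit and the per-user password-protected screen saver policy, then reads the limit back as a compliance check. The 10-minute timeout and 15-minute ceiling are assumptions; on domain-joined or MDM-enrolled devices push the same values through Group Policy or your MDM rather than writing the policy keys directly. Encryption, the fourth bullet, is covered separately below under laptop security.

```powershell
# Added example (not from the original tip). Run from an elevated prompt.
$timeoutSeconds = 600   # assumption: 10 minutes; use the value your policy specifies

# Machine-wide: "Interactive logon: Machine inactivity limit". Applies to every user
# and locks the session even if the user disabled their own screen saver.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sys -Name 'InactivityTimeoutSecs' -Value $timeoutSeconds -Type DWord

# Per-user policy: screen saver on, timed out, and password required on resume.
# These three policy values are REG_SZ, not DWORD.
$desk = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop'
if (-not (Test-Path $desk)) { New-Item -Path $desk -Force | Out-Null }
Set-ItemProperty -Path $desk -Name 'ScreenSaveActive'    -Value '1'               -Type String
Set-ItemProperty -Path $desk -Name 'ScreenSaveTimeOut'   -Value "$timeoutSeconds" -Type String
Set-ItemProperty -Path $desk -Name 'ScreenSaverIsSecure' -Value '1'               -Type String

function Test-InactivityLock {
    # Compliance check: a limit must exist and be no longer than the ceiling.
    $ceiling = 900   # assumption: 15-minute maximum allowed by policy
    $limit   = (Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    [pscustomobject]@{
        MachineInactivityLimitSecs = $limit
        Compliant                  = [bool]($limit -and $limit -gt 0 -and $limit -le $ceiling)
    }
}

Test-InactivityLock
```

Test-InactivityLock is the kind of check an IT auditor can run across a fleet with Invoke-Command; a device where it returns Compliant = False is one that will sit unlocked for as long as the user leaves it.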

For organizations looking to protect company applications and data on mobile phones and tablets, a Mobile Device Management (MDM) system can be implemented to enable your organization to configure and manage these security measures across all devices. There are a lot of choices out there for MDM systems, and like most things IT, they all generally work well so long as their management and oversight are consistent.

With the above steps, you can better protect your digital world from attackers waiting for the moment you’re not looking.

Authored by: Scott Schook, PenTest+, eJPT

 

10/17/2022

Healthcare Reimbursement Phishing Scams

When you request a reimbursement from your healthcare provider, it may be completed through a third-party payment processor. These payment processors often offer direct deposit payments so you can get reimbursed as soon as possible. Unfortunately, cybercriminals can use social engineering to try to steal your reimbursement.

In a recent scam, cybercriminals are sending phishing emails that appear to be related to an active reimbursement request. The emails ask you to verify your request number and other identifying information to finish processing your request. If you provide this information, cybercriminals can use it to gain access to your account by verifying your identity. Then, they can update your direct deposit information to redirect payments to their own bank accounts.

Follow these tips to stay safe from healthcare claim scams:

  • Never click a link in an email that you aren’t expecting. Contact the payment processor directly by using a known phone number or email address.
  • Watch out for notifications that your account information, such as direct deposit information, was changed.

Always enable multi-factor authentication (MFA) on your accounts when available. MFA adds a layer of security by requiring that you provide additional verification to log in to your account.

 

9/15/2022

Malicious Monkeypox Scams

As health-related anxiety continues to be high from the COVID-19 pandemic, cybercriminals are creating scams to target a different health concern. Cybercriminals are using fear about monkeypox outbreaks to scare you into sharing sensitive information.

In one scam, cybercriminals send you an email about the latest monkeypox outbreaks and provide a link to mandatory safety awareness training. When you click this link, you’ll be taken to a fake Microsoft login page. If you enter your login credentials, you won’t get access to monkeypox safety awareness training. Instead, cybercriminals will get access to your credentials and account.

To stay safe from similar scams, remember the following tips:

  • Cybercriminals often use alarming topics to trick you into clicking impulsively. Always think before you click!
  • If you receive an unexpected training notification, reach out to your manager to confirm that the training is legitimate.
  • Before you click a link, hover your mouse over it. Watch out for links that are suspiciously long or show a different domain than the official website.

 

8/18/2022

Zero-Day Chrome Vulnerability No. 5 for 2022

The fifth Google Chrome zero-day vulnerability of 2022 has been disclosed.  Automatic update patches are being pushed out in stages, but anyone can update manually now (Chrome menu, Help, About Google Chrome).  The vulnerability, CVE-2022-2856, has a ‘high severity’ rating and follows CVE-2022-0609 in February, CVE-2022-1096 in March, CVE-2022-1364 in April, and CVE-2022-2294 in July.

Google Chrome is the most popular browser in the world, owning almost 65% of the market.  For more details about this zero-day vulnerability go to, https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html.

Authored by: Brad Goetsch

 

8/15/2022

Scam of the month – Using QuickBooks to make a quick buck

QuickBooks is a popular accounting software that offers free accounts to its users. While many individuals and organizations use QuickBooks to track their finances, cybercriminals have been using it to run a “business” of their own. In a new scam, cybercriminals create a free QuickBooks account and use the associated email address to send you malicious emails.

To start, cybercriminals send you a phishing email that appears to be an invoice from a reputable organization, such as Norton or Microsoft. The email includes a phone number and directs you to call if the invoice seems suspicious. If you call the phone number, you’ll be asked to confirm your credit card information to cancel the fake transaction. Unfortunately, if you share this information, the cybercriminals can use it to make their own purchases.

To protect yourself from this malicious scam, follow the tips below:

  • Never call a phone number provided in a suspicious email. Instead, visit the organization’s official website to find their contact information.
  • If you’re asked to verify payment information over the phone, ask the caller to tell you what they have on file. If they decline, only provide the last four digits of your payment card number.

Cybercriminals can use fake invoices to alarm you and trick you into clicking impulsively. Always think before you click!

Authored by: CalTech

 

8/4/2022

Don’t Post That Pic!

A little advice on oversharing sensitive personal information this week.  Ah, summertime.  It’s a time for relaxation and fun, but for some, it is that time of year their teenage driver FINALLY gets their learner’s permit or restricted driver’s license.  There were likely many stressful hours in the car earning this coveted piece of freedom, not to mention the countless brake checks, the thumping of a parent’s foot on the imaginary brake pedal in the passenger floorboard, or maybe just the sheer number of times that little handle above the passenger’s seat was grabbed.

But now the young driver has their license!  Not only does this open a new world of possibilities to them, but the parent has also unlocked a parenting achievement: someone to run errands for them!  This achievement can make a parent (or kid!) want to boast proudly on social media with a picture of the young driver holding their newly acquired driver’s license.

There is some risk here!  Phone cameras are pretty good today, and it’s not hard at all to zoom in and clearly read the driver’s license number, legal name, date of birth, and signature.  If you want to post that picture, do the responsible thing and blur or obfuscate that information before you post it.  It is obvious what they are holding (with the DMV in the background); don’t hand the bad actors of the world that personal information so easily.

Authored by: Dave Kelly, PenTest+, CEH

 

6/30/2022

Top 8 ways to have a safe and happy Independence Day!

While you are out enjoying your 4th of July holiday, here are a few tips to keep in mind:

  • Avoid storing fireworks in server rooms . . . or in the cloud;
  • Make sure your family turns on the Find my phone feature before you go to the fireworks show.  Somebody always puts their phone down and they can’t find it in the dark.
  • When grilling, keep tablets and smartphones away from the grill.  Your melted device may limit your MFA capability;
  • Stay off public Wi-Fi networks, or your ‘Independence’ might be hampered for a while;
  • Think twice before using any fireworks that have a USB connection and require the installation of “drivers;”
  • When using an old server as a boat anchor remember to remove and destroy the hard drives first; and
  • If the fireworks are being sold out of a back room and they ask if you’re an ATF Agent, you may want to find a new store to shop!

 

6/23/2022

ELDER FINANCIAL EXPLOITATION – ENOUGH IS ENOUGH

Sadly, we’ve all seen, heard, or read articles regarding the proliferation of scams during the past two years.  I would venture to guess that most of you are like me … nothing gets my blood boiling more than hearing about those schmucks out there who have scammed and defrauded an elderly person.  I remember my own parents and grandparents and how hard they worked for every dime they earned, and I can’t understand how anyone would think it’s acceptable to exploit the elderly population.

On June 15, 2022, FinCEN issued an advisory which highlights behavioral and financial red flags to help financial institutions identify, prevent, and report suspected elder financial exploitation (EFE).  EFE is defined as the illegal or improper use of an older adult’s funds, property, or assets.  The advisory points out that elder abuse, including EFE, affects at least 10% of older Americans each year and that the estimated dollar value of suspicious transactions linked to EFE exceeded $3.4 billion in 2020.  What’s even more upsetting is that many of the perpetrators are known and trusted persons of the older adults, but there is a rising trend of scams that originate outside of the U.S. by individuals that have no relationship with the victim.

Many years ago, FinCEN added a specific category for EFE to the suspicious activity report (SAR).  But in addition to filing a SAR, financial institutions should refer their older customers who may be a victim of EFE to the Department of Justice’s National Elder Fraud Hotline (833-FRAUD-11).  Many states also have requirements that financial institutions contact local law enforcement or the applicable state’s Department of Aging or similar agency to report such activity. If you aren’t filing EFE SARs, you may need to beef up your controls – keep in mind that according to FinCEN the MAJORITY of EFE incidents go unidentified and unreported.

The newest advisory is linked here for your convenience.  Even if you think, “Oh, that’s a Compliance or BSA matter” – think again.  We all have elderly loved ones who can fall victim to a scam, so educate yourself and help protect them!  https://www.fincen.gov/sites/default/files/advisory/2022-06-15/FinCEN%20Advisory%20Elder%20Financial%20Exploitation%20FINAL%20508.pdf

Authored by:  Joann Lang, CAMS, CIA, CCBP

 

6/16/2022

Memory Lane

With 10-D approaching its 18th year, and the WST having fallen to me this week, I got to wondering what some of our first weekly security tips were about.  So, I dug around in the archives and found some classic topics from our first year of tips: Java, Vishing & Smishing, Remote Access & Multi-Factor Authentication, ATM skimming, and password management, just to name a few.

One in particular caught my eye regarding password length.  Remember when the password length recommendation was 8 or more characters?  That was the message of this early WST.  It even included a chart noting it would take a hacker 115 days to crack an 8-character password.  Today, the bad guys will crack your 8-character password in 8 hours.  Yes, the bad guys are getting better, too.

Currently, 10-D recommends 10 or more characters using numbers, symbols, and upper- and lower-case letters.  Make it a passphrase so it is easier to remember and save yourself some reset headaches.  Those two extra characters bump the estimated cracking time to about 5 years, so you should be well on to a new password by the time they crack this one!

Authored by: Brad Goetsch

 

6/2/2022

New Zero-Day Vulnerability Affecting Microsoft Products

On May 30, Microsoft reported a zero-day vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT).  Dubbed “Follina,” this vulnerability can be exploited by a malicious attacker to execute arbitrary code on a Windows system through the MSDT URL protocol (ms-msdt:) when it is invoked from a Microsoft Office application such as Microsoft Word.  Microsoft reports that an attacker who successfully exploits this vulnerability could install unauthorized programs, impact data, or conduct other unauthorized activity on the affected system, all within the rights of the user who opened the document.

At the time of writing, no patch is available for this vulnerability.  Microsoft has provided workarounds, listed in the link below.  Basically, the workaround uses the Windows registry to remove the ms-msdt: URL protocol handler so Office can no longer hand a document’s link to MSDT; export the key first so the change can be reverted.  For people and organizations using Microsoft Defender products for antivirus, Microsoft also provides additional guidance in the same article: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/  (Microsoft later fixed this vulnerability in the June 2022 Windows security updates, so the workaround can be undone once those are installed.)
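As an added example (not part of the original tip), the following PowerShell scripts the registry workaround from Microsoft’s guidance with a backup, a verification step and an undo, so it can be piloted, rolled out, and reversed after patching. The backup path is an assumption. The optional last step enables the Defender attack surface reduction rule “Block all Office applications from creating child processes”, which stops Word from launching msdt.exe regardless of the handler; it only applies where Defender Antivirus is the active engine.

```powershell
# Added example (not from the original tip). Run from an elevated prompt; pilot first.
$backup = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumption: where the export is kept

function Disable-MsdtProtocol {
    # 1. Export the handler so the change can be reverted once the patch is installed.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backup /y | Out-Null
    # 2. Remove the protocol handler; Office can no longer pass ms-msdt: URLs to MSDT.
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
}

function Test-MsdtProtocolDisabled {
    # True when the handler key is gone, i.e. the workaround is in place.
    -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
}

function Restore-MsdtProtocol {
    # Undo: put the exported handler back after the June 2022 update is applied.
    reg.exe import $backup | Out-Null
}

Disable-MsdtProtocol
if (Test-MsdtProtocolDisabled) { 'ms-msdt handler removed' } else { 'ms-msdt handler still present' }

# Optional, Defender only: ASR rule "Block all Office applications from creating
# child processes". Defence in depth even after the handler is restored.
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Test-MsdtProtocolDisabled doubles as the compliance check for the rollout: run it through your management tooling and anything reporting False has not had the workaround applied. Keep the .reg export with the change record so Restore-MsdtProtocol can be run later without guessing at the original handler.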

As always, testing is important!  Consider working with your technical resources to test system changes before rolling them out to your whole organization.

We are also seeing that many antivirus vendors are pushing antivirus definition updates that can detect and block this vulnerability.  Organizations may want to check with their antivirus vendors to understand any recommended actions specific to their product. 

Authored by David Bentley, CISSP

 

5/19/2022

Do your backups match your expectations?

A previous WST (https://10dsecurity.com/wst/building-blocks-of-a-business-impact-analysis.html) described what a business impact analysis (BIA) is and how it’s a key component of your business continuity program and disaster recovery success.  If you’ve done the work to define recovery point objectives, have you also made sure that your backups actually match those needs?  For instance, if a server has a recovery point objective of eight hours but you are only backing it up every twenty-four hours, your backups are misaligned!  Should system recovery be necessary, you could lose up to twenty-four hours of data, three times what the business said it could tolerate.  When updating and reviewing the BIA, we recommend that you include a review of your backup schedule and retention to ensure that every backup meets the institution’s BIA requirements for recovery point objectives.  You may find systems for which you need to increase backup frequency.  Or, you may find BIA requirements that are unrealistic or unattainable.  In those instances, it may be wise for the institution to adjust expectations or develop other processes to resolve the planning gaps.
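As an added example (not part of the original tip), the following PowerShell does the comparison described above for a whole inventory: each system’s BIA recovery point objective against its backup job interval, and against when the job last actually succeeded, since a nightly job that has been failing silently is the same gap as no job at all. The rows and the reference time are constructed for illustration; in practice export them from the BIA and from the backup tool’s job history.

```powershell
# Added example (not from the original tip). Inventory rows are constructed.
$asOf = Get-Date '2022-05-19 08:00'   # fixed "now" so the sample output is reproducible

$systems = @(
    [pscustomobject]@{ System = 'core-db';     RpoHours = 8;  BackupIntervalHours = 24;    LastSuccess = Get-Date '2022-05-18 23:00' }
    [pscustomobject]@{ System = 'file-srv';    RpoHours = 24; BackupIntervalHours = 24;    LastSuccess = Get-Date '2022-05-18 23:00' }
    [pscustomobject]@{ System = 'online-bank'; RpoHours = 1;  BackupIntervalHours = 0.25;  LastSuccess = Get-Date '2022-05-19 07:50' }
    [pscustomobject]@{ System = 'imaging';     RpoHours = 4;  BackupIntervalHours = 4;     LastSuccess = Get-Date '2022-05-17 12:00' }
    [pscustomobject]@{ System = 'hr-app';      RpoHours = 8;  BackupIntervalHours = $null; LastSuccess = $null }
)

function Get-RpoGaps($inventory, [datetime]$now) {
    foreach ($s in $inventory) {
        $sinceLast = if ($s.LastSuccess) { [math]::Round(($now - $s.LastSuccess).TotalHours, 1) } else { $null }

        # Worst case data loss is one full interval: failure just before the next backup.
        $status = if ($null -eq $s.BackupIntervalHours)         { 'NO BACKUP JOB' }
                  elseif ($s.BackupIntervalHours -gt $s.RpoHours) { 'MISALIGNED' }
                  elseif ($sinceLast -gt $s.RpoHours)             { 'STALE' }   # schedule fine, job not succeeding
                  else                                            { 'OK' }

        [pscustomobject]@{
            System              = $s.System
            RpoHours            = $s.RpoHours
            BackupIntervalHours = $s.BackupIntervalHours
            HoursSinceSuccess   = $sinceLast
            Status              = $status
        }
    }
}

Get-RpoGaps $systems $asOf | Format-Table -AutoSize
```

On the sample, core-db is MISALIGNED (the eight-hour RPO against a daily job from the tip), imaging is STALE because its four-hourly job has not succeeded in about 44 hours, hr-app has no job at all, and the other two are OK. Anything other than OK goes back to the BIA owner as either a backup change or an RPO the business must revise.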

Authored by: David Matt, CISSP, CEH

 

5/12/2022

Are You Sure That Laptop is Secured?

One of the many areas we look at when conducting an IT audit is the security of portable devices, including laptops.  With the proliferation of laptops that are now enabling so many remote workers, it seems obvious to inquire about the security of the information that might be found on devices that are sometimes outside the institution’s normal physical controls.  Laptops are at a higher risk of being lost, stolen, or accessed by unauthorized persons.

When discussing laptop security, we sometimes hear, “Our policy is not to let employees store any customer information on the laptop, so we don’t feel there is any value in encrypting the laptop’s storage.”  While this is probably a well-intentioned belief, this overlooks several ways sensitive information may be stored locally.

Application data – Many applications will keep working copies of files, at least in temporary storage.  For example, when you open a Word or Excel file, the application may open temporary storage locally on the laptop or workstation while you are editing files.  Think of it as a scratch pad the application uses, which could include almost any content from the file being edited.  If the application ends abnormally, that temporary data may accumulate instead of being deleted normally.  Other application data may be more permanent, such as personal archive files that Outlook may be saving locally (i.e., .pst files) that may contain massive amounts of personal or sensitive information.

Windows temporary data – Much like the application-specific temporary storage discussed above, Windows creates temporary files as well.  These files are usually hidden from the end user seeing them, but they also can contain some sensitive information.  Not as likely to include customer data, but these temporary files could provide useful information for a potential attacker as there may be user IDs, network topology data, configurations, recovery files, and other infrastructure information that shouldn’t be disclosed.

Deleted files – Wait, how are deleted files a risk?  Often, when files or folders are deleted, Windows won’t truly delete all the data from storage and will instead only erase the listing (or index) of that information.  An analogy would be a library where the index listing for a book is deleted but the book is left on the shelf.  Deleting the index listing will make it harder to locate the book, but it will still be there.  That is essentially how Windows works when a file is deleted, only the index is deleted, and the actual file contents will often stay on the local drive until the space is needed for a new file object.  There are special applications made for discovering the data from “deleted” files, available to any motivated person.

Cloud storage – If an institution is using a cloud storage solution, such as Google Drive or Microsoft OneDrive, and it is configured to synchronize data locally, then it will retain copies of files on the laptop or workstation.  As an example, OneDrive will usually keep local copies in C:\Users\[username]\OneDrive.

Intentional – Even when the institution is operating with the best of intentions, it is not uncommon for an individual to deliberately circumvent the rules, or simply to save a file to their desktop without thinking about it.  They may only be taking home a file to work on over the weekend, but it is a potential risk, nonetheless.

There is a simple solution, and that is whole-disk encryption. The business editions of Microsoft Windows (Pro, Enterprise, and Education) have the functionality built in (BitLocker), and it only needs to be configured by a qualified IT administrator, including escrowing the recovery keys somewhere the institution controls.  Whether built-in encryption or another readily available commercial solution is used, implementation will result in well-protected storage on the laptop (this functionality also exists for desktops).  If a laptop with encrypted storage is lost or stolen, the institution will be out the value of the device but will have a substantially lower risk of information disclosure.
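As an added example (not part of the original tip), the following PowerShell is the check an IT auditor would run, and the remediation an administrator would apply: it reports BitLocker state for every fixed volume, and where the operating system drive is unprotected it adds a recovery password, escrows it to Active Directory, and starts encryption with a TPM protector. It assumes the BitLocker module (Windows Pro, Enterprise or Education), an elevated prompt, a TPM, and the Group Policy that allows recovery information to be stored in AD DS; Azure AD or Intune environments would use BackupToAAD-BitLockerKeyProtector instead.

```powershell
# Added example (not from the original tip). Requires the BitLocker module and an elevated prompt.

function Get-BitLockerReport {
    # One row per fixed volume: encrypted or not, protection actually on or not, and with what.
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
                      EncryptionPercentage, EncryptionMethod,
                      @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ',' } }
}

function Enable-OsDriveBitLocker {
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if ($os.ProtectionStatus -eq 'On') { return "$($os.MountPoint) is already protected" }

    # Recovery password first, so a TPM change or firmware update never locks the
    # institution out of its own laptop, and escrow it before encrypting.
    # Backup-BitLockerKeyProtector writes it to AD DS (assumes the AD escrow GPO);
    # BackupToAAD-BitLockerKeyProtector is the Azure AD / Intune equivalent.
    $os = Add-BitLockerKeyProtector -MountPoint $os.MountPoint -RecoveryPasswordProtector
    $rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $rp.KeyProtectorId

    # TPM unlock: the laptop boots to the normal Windows logon, but the disk is
    # unreadable if removed or booted from other media. UsedSpaceOnly is fine for
    # a fresh build; use full encryption on a drive that already held data.
    Enable-BitLocker -MountPoint $os.MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                     -TpmProtector -SkipHardwareTest | Out-Null
    "Encryption started on $($os.MountPoint); watch EncryptionPercentage in Get-BitLockerReport"
}

Get-BitLockerReport | Format-Table -AutoSize
Enable-OsDriveBitLocker
```

For the audit itself, Get-BitLockerReport run through Invoke-Command across the fleet is the evidence: a drive showing VolumeStatus FullyEncrypted but ProtectionStatus Off is encrypted in name only (protectors suspended), and a drive with no RecoveryPassword protector is one whose data is lost along with the TPM.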

Authored by: Jim Baird, CBCP, TCNA

 

 

NOTICE OF EXPIRATION OF THE TEMPORARY FULL FDIC INSURANCE COVERAGE FOR NON-INTEREST-BEARING TRANSACTION ACCOUNTS: By operation of federal law, beginning January 1, 2013 funds deposited in a noninterest-bearing transaction account (including an Interest on Lawyer Trust Account) no longer will receive unlimited deposit insurance coverage by the Federal Deposit Insurance Corporation (FDIC). Beginning January 1, 2013, all of a depositor’s accounts at an insured depository institution, including all noninterest-bearing transaction accounts, will be insured by the FDIC up to the standard maximum deposit insurance amount ($250,000), for each deposit insurance ownership category. For more information, visit www.fdic.gov.