“Financial Industry Threats Evolve.” said John Verry, Security Sherpa for Pivot Point Security. This has been made clear with the growth of ZueS malware. In fact, perhaps no industry is subject to more regulations or holds more sensitive Personally Identifiable Information (PII).
Pivot Point Security recently informed its customers about information security trends for the financial industry. As banks undergo their annual FDIC audits, they should be aware that an auditor is likely going to ask about wireless (WLAN) security.
“Do you have any wireless access points? If so, specify the number of Wireless Access Points, security controls in effect and your procedures for detecting rogue access points”
To address this change, financial services should consider WLAN security testing. One option is a WLAN Configuration Audit, which validates that the WLAN is designed and configured in accordance with good practices. Another option is a WLAN Survey, which confirms that the WLAN is restricted to authorized individuals, does not extend beyond intended boundaries, that no Rogue Access Points have been deployed, and that other organizations’ WLANS are not extending into the workspace and putting the business at risk.
Banks working with third-party vendors should also be looking closely at their information security. In an interview, Donald Saxinger, Senior Examination Specialist for the FDIC, said that auditors are closely monitoring service level agreements and contracts with third-party vendors in areas such as cloud computing, mobile banking and mobile payments. “The same technology that can be used to improve security is also a security risk,” said Saxinger.
Many Pivot Point Security customers using third-party vendors have been asked to prove compliance (attestation). With that in mind, Pivot Point Security has created a Third-Party Vendor Risk Management Presentation and Information Security Guide – both available as a free download.
Another trend discovered is the volume of phishing attacks reaching financial industry emails. Phishing emails come in all shapes, sizes and forms. The key is to be aware of suspicious emails that arrive in your email boxes. Attachments and linked files are common in these emails, and they often contain an embedded version of theZeuS malware.
Pivot Point Security recommends for financial institutions are undergoing their annual security testing, to consider the following:
- FDIC / FFIEC / OTS / SEC Controls Audits
- Network / Online Banking Systems Penetration Testing
- Zeus Malware Detection / Protection
- Social Engineering (e.g., Phishing)
- Security Log Monitoring & Retention
To learn more about these services, download your free copy of the Third-Party Vendor Risk Management Presentation and Information Security Guide.