What the FFIEC Cybersecurity Assessment Tool tells you about vulnerabilities and penetration testing

As you probably already know, the FFIEC released its Cybersecurity Assessment Tool (CAT) on June 15, 2015.  The tool is intended as a self-assessment by the organization, to determine whether its maturity level matches its level of inherent risk.  But you can learn a lot by reading and analyzing the declarative statements in the maturity assessment portion of the CAT.  In this article I'll discuss the declarative statements at the Baseline maturity level as they relate to vulnerability detection.

BASELINE MATURITY

D3.DC.Th.B.1 – Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external facing systems and the internal network. (FFIEC Information Security Booklet, page 61)

This means you need an impartial third party to conduct penetration testing and vulnerability scanning on BOTH your external-facing systems and your internal network.  Vulnerability management is the first line of defense against vulnerabilities.  This means you should be scanning for vulnerabilities on a schedule appropriate for your organization's maturity, generating reports, and turning the reports over to the individuals responsible for remediating the vulnerabilities found.  Many organizations scan monthly as a rule of thumb, but organizations at different maturity levels scan more or less frequently.  It's important to gauge how much remediation you can realistically complete before the next scan runs.  For example, you probably shouldn't run scans weekly if you aren't planning to fix anything for a month.  But you could run scans weekly and commit to remediating all the high-risk vulnerabilities on critical assets between scans.  Whatever you decide to do, it's important to have a planned and documented vulnerability management process.  Of course, this may be largely dependent on available personnel.
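As an added illustration (not part of the original article or of the FFIEC tool), the following Python compares two consecutive scan reports to check whether the committed fixes, high-risk findings on critical assets, are actually landing before the next scan; the finding fields, hostnames and check identifiers are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One row of a scanner report (field names are constructed, not a real scanner's)."""
    asset: str            # host from the scan report
    check_id: str         # scanner check identifier
    severity: str         # "high", "medium" or "low"
    critical_asset: bool  # asset is tagged critical in the asset inventory


def priority_findings(findings):
    """The subset the article suggests committing to before the next scan:
    high-risk vulnerabilities on critical assets."""
    return {f for f in findings if f.severity == "high" and f.critical_asset}


def cadence_report(previous, current):
    """Compare two consecutive scans to gauge whether remediation is
    keeping up with the scan interval."""
    prev, cur = priority_findings(previous), priority_findings(current)
    remediated = prev - cur      # fixed since the last scan
    carried_over = prev & cur    # still open from the last scan
    new = cur - prev             # appeared since the last scan
    rate = len(remediated) / len(prev) if prev else 1.0
    if rate < 0.5:
        advice = "remediation is not keeping up: lengthen the interval or narrow the commitment"
    else:
        advice = "cadence matches remediation capacity"
    label = lambda f: f"{f.asset}:{f.check_id}"
    return {
        "remediated": sorted(map(label, remediated)),
        "carried_over": sorted(map(label, carried_over)),
        "new": sorted(map(label, new)),
        "remediation_rate": rate,
        "advice": advice,
    }


# Constructed sample reports from two consecutive monthly scans.
LAST_MONTH = [
    Finding("core-sw01", "CHK-001", "high", True),
    Finding("db01", "CHK-002", "high", True),
    Finding("web01", "CHK-003", "medium", True),
    Finding("kiosk07", "CHK-004", "high", False),
]
THIS_MONTH = [
    Finding("db01", "CHK-002", "high", True),     # still open a month later
    Finding("web01", "CHK-003", "medium", True),
    Finding("kiosk07", "CHK-004", "high", False),
    Finding("web01", "CHK-005", "high", True),    # new this month
]

if __name__ == "__main__":
    for key, value in cadence_report(LAST_MONTH, THIS_MONTH).items():
        print(f"{key}: {value}")
```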

Scanning is an automated process, and many organizations (and vendors) confuse vulnerability scanning with penetration testing, although they are two entirely separate services with different goals.  According to the FFIEC, "A vulnerability assessment is a process that defines, identifies, and classifies the vulnerabilities in a computer, network, or communications infrastructure…  A penetration test subjects a system to real-world attacks selected and conducted by the testers. A penetration test targets systems and users to identify weaknesses in business processes and technical controls. The test mimics a threat source's search for and exploitation of vulnerabilities to demonstrate a potential for loss."

Some organizations believe vulnerability scanning covers them for penetration testing too, which is not true.  A true penetration test may begin with a scan, but the automation ends there.  A penetration test is typically a manual process in which someone attempts to breach your system by simulating real-world attacks, as an attacker would.

Additionally, many institutions fail to conduct internal testing, which can be dangerous, since insiders have the ability to create problems in your system whether intentionally or unintentionally.  Internal tests are often overlooked, or left out of the budget to reduce cost.  (See Accounting for Internal Threats to Your Network.)  So not only should external penetration tests be done on a regular basis, but internal penetration tests should be done as well.

This baseline declarative statement also mentions a risk assessment.  Many organizations start their IT security program with an IT risk assessment, which is good practice.  It allows the organization to determine potential problem areas, the probability of a threat, and the resulting financial consequences should appropriate controls not be in place.  It also helps the organization budget for the most effective protection appropriate to the organization.

D3.DX.TH.B.2 – Antivirus and anti-malware tools are used to detect attacks. (FFIEC Information Security Booklet, page 55)

Antivirus and anti-malware tools are not the same as vulnerability scanning, but both are important.  Vulnerability scans look for improperly configured services and settings on your network, out-of-date software, etc., and are intended to help you find places in your system where vulnerabilities could allow threats to compromise it.  Antivirus and anti-malware tools try to prevent threats from making it onto your network.  You need all of these in place, as they all play a role in your overall IT security program.  It's important to keep these services in place and not allow a lapse in coverage.

D3.DC.Th.B.2 – Firewall rules are audited or verified at least quarterly. (FFIEC Information Security Booklet, page 82)

Amazingly, this is an often overlooked but important activity in your IT security program.  Conditions change often, and so too will your need to review your firewall rules to make sure they are still valid and will protect your system from unwanted consequences.  Attackers are getting smarter and smarter, and you really need to audit your firewall rules on a regular basis.  As indicated here, the FFIEC CAT recommends a minimum of quarterly.

D3.DC.Th.B.4 – E-mail protection mechanisms are used to filter for common cyber threats (e.g., attached malware or malicious links). (FFIEC Information Security Booklet, page 39)

This is perhaps one of the most effective ways of preventing your employees, and the vendors who share your system, from opening up email attachments or clicking on links.  It takes the antivirus/anti-malware protection to the next level.  The idea here is to isolate and scan an attachment whenever it is opened, or a link whenever it is clicked, inside an email.  There are ways to prevent employees from doing this altogether, but the difficulty often outweighs the benefit.  Again, it depends a lot on the organization and the risk appetite involved.  Many organizations block the use of thumb drives on their devices as well.

If you have achieved all of the declarative statements listed in this article, you have probably reached the Baseline level.  That may or may not be appropriate for your organization.  It's up to your executive group to determine what level of maturity you want to achieve.  And remember, it's an ongoing process.  If you haven't yet achieved Baseline maturity, then you are at risk of possibly being out of compliance.

Robert Yowell

Robert is a pragmatic leader, strategic planner, and resourceful management professional with distinguished career designing solutions to meet company goals and objectives in a variety of technical services and customer ... Web: https://www.tracesecurity.com