Section Menu

5 steps to secure your data

posted by Ben Hayden on Tuesday, October 23, 2018 in SHAZAM Blog

SHAZAM’s mission statement is “strengthening community financial institutions”. The SHAZAM Secure® team — a team tasked with helping community banks and credit unions identify and mitigate risk in their information security — takes that statement quite literally.

The SHAZAM Secure team works with clients across the country in all aspects of risk. We conduct IT, BSA and ACH audits, as well as network penetration testing, vulnerability assessments and social engineering reviews to make our clients’ processes and systems stronger.

Because of our work, we have the advantage of identifying common issues at the institutions we visit. The good news is that most problems can be fixed with simple, common sense solutions. In fact, one of the biggest areas of vulnerability is access — access to hardware, networks and data. Limit access to your systems and you’ve taken a big step toward protecting your data.

Stop attackers in their tracks by addressing these five questions at your institution:

Who has access to what?

The clear majority of our findings have to do with poor access management and failing to restrict who has access to what. These situations include poor control of Microsoft Active Directory and allowing too many people “domain administrator” access, opening many critical systems to attack.

When are systems accessed?

To protect your systems, implement restricted logon hours, especially on nights and weekends.

How are systems accessed?

Most users of technology are guilty of not changing their passwords often enough. If you’re waiting more than 90 days, it’s time for a change. What you should use as a password is a blog for another day — in fact it was! If you missed it, click here.

Who are these people?

Systems typically have unneeded or unused service accounts, or even terminated employees still listed as users. Attackers look for these accounts because no one is watching them. Be sure to remove all unused accounts promptly.

What are we supposed to be doing?

Industry best practices tell us to use configuration standards found in “hardening documents.” These standards are usually provided by firewall, switch and IDS/IPS manufacturers and the documentation outlines how to secure each system effectively. Download your free (most often) copy from the manufacturer’s website. Make it a priority to update system configurations based on these standards.

Data security starts with reviewing access to your information systems. By considering these questions, your institution is one step closer to implementing processes that protect your data.

About the Author

Ben Hayden utilizes his expertise in cyber investigations, financial crimes and digital forensics to assist financial institutions in evaluating their cybersecurity vulnerabilities. He manages SHAZAM’s risk management services, helping member institutions mitigate their risks in information ... read entire bio

SHAZAM, Inc. and ITS, Inc. provide this blog for general informational purposes only. Our blog may be shared by a direct link wherein the content remains as originally presented and has not been altered. SHAZAM, Inc. and ITS, Inc. assume no responsibility for errors or omissions in the contents on the blog. By using this blog, reader agrees that the information published does not constitute nor is a substitute for legal advice which should only be sought from a qualified, licensed attorney.