Pub. 9 2018 Issue 4

West Virginia Banker, Winter 2018

Why You Should Know the Difference Between Penetration Testing and Vulnerability Scans?
By E. Stephen Lilly, First Community Bank

With such emphasis being placed on cyber security and the protection of systems and customer information, it is critical nowadays for executive management teams, boards of directors, audit committees, and technology steering committees to understand the significance and role of both penetration testing and vulnerability scans in order to adequately protect your institution's networked systems. Vulnerability scans and penetration tests are very different from each other; however, both are beneficial and complementary system scanning techniques used to identify security weaknesses. If you aren't performing vulnerability scans and penetration testing in conjunction with one another, security weaknesses in your bank can go unnoticed and not be appropriately addressed, exposing your systems, information, and customers' funds.

Vulnerability scans search systems for known vulnerabilities. These types of scans work by rapidly interrogating systems and services to determine the types and versions of software and related services, then comparing them against databases of known security and other systemic vulnerabilities. Mismatches between the software versions and configurations found on your systems and those databases reveal which system patches, changes, or replacements need to be made. Vulnerability scans are limited, because they merely identify vulnerabilities and their severity but do not attempt to exploit them.

Penetration testing takes vulnerability scans much further. This technique simulates what an intruder is able to do by exploiting flaws and configuration issues within your systems. Penetration tests actually confirm whether identified vulnerabilities and flawed configurations, reflected primarily in vulnerability scans, are exploitable and threatening.

Additionally, properly conducted penetration tests also check for other poor security practices, such as inadequate administration of passwords and system credentialing processes. Penetration tests are the best indicator of what damage could result from unwelcome intrusions and inadequate vulnerability management.

Vulnerability scans and penetration tests go hand-in-hand in assessing your organization's entire network security posture. According to the FFIEC Information Security Booklet, results from both vulnerability scans and penetration tests need to be tracked and reported regularly to IT and executive management regardless of whether systems are operated internally or outsourced. The reporting should prioritize risks and findings in order of importance, suggest options for remediation and mitigation, and highlight repeated issues. Additionally, reports should address root causes for identified vulnerabilities or weak security practices. The reporting should be directed to individuals with the authority and responsibility to act on identified vulnerabilities and to those accountable for the outcomes, as well as those responsible for advising or influencing risk assessment decisions. Reporting should trigger appropriate, timely, and reliable escalation and response to vulnerabilities exceeding the bank's risk appetite or thresholds. Summary reports should be made available to the board of directors or its designated committees as appropriate to reflect the IT security risk profile and the adequacy of the bank's vulnerability management processes.

If your executive management team, board of directors, or a designated committee of the board of directors is not regularly assessing and evaluating network vulnerabilities and associated risks, you can expect harsh IT audit and regulatory criticisms. Formalized vulnerability management programs are now expected regardless of how much outsourcing you have achieved with your bank's IT network.

Refer to the FFIEC IT Examination Handbook's Information Security Booklet for general guidance on how to improve your vulnerability management program. Due to the technical complexity of this area, relying on outside consultation is also a consideration your management team should evaluate. Many banks, even larger ones, do not have the technical expertise on staff to execute and fulfill minimal regulatory guidance. Obtaining a qualified third party to help you construct a reasonable and suitable vulnerability management framework will go a long way toward assuring your management team and board of directors that the proper things are being done to adequately protect customer data and the bank's systems.
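To make the article's two technical points concrete, here is an added example that is not part of the article or the author's work: a toy version-matching scan that only identifies and never exploits, followed by a report shaped the way the FFIEC guidance above describes, ranked by severity, with repeats from the prior scan highlighted and findings above the bank's risk threshold flagged for escalation. All hosts, service names, versions, severities and vulnerability identifiers are constructed for illustration.

```python
# Added example, not the article's or any vendor's code. Every service,
# version and vulnerability record below is constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    version: str
    vuln_id: str
    severity: int  # constructed 1 (low) .. 10 (critical) scale

# Constructed "known vulnerability" database:
# (service, first affected version, last affected version, id, severity)
KNOWN_VULNS = [
    ("exampled", "2.0", "2.4", "CONSTRUCTED-0001", 9),
    ("exampled", "1.0", "1.9", "CONSTRUCTED-0002", 5),
    ("samplessh", "7.0", "7.3", "CONSTRUCTED-0003", 7),
]

# Constructed inventories as a scanner would discover them: (host, service, version)
PREVIOUS_INVENTORY = [("srv-01", "exampled", "2.1"), ("srv-02", "samplessh", "7.1")]
CURRENT_INVENTORY = [("srv-01", "exampled", "2.1"), ("srv-02", "samplessh", "8.0"),
                     ("srv-03", "exampled", "1.5")]

def parse_version(v):
    """Compare dotted versions numerically, so "2.10" sorts after "2.9"."""
    return tuple(int(p) for p in v.split("."))

def scan(inventory):
    """A vulnerability scan identifies but never exploits: it matches each
    discovered service/version against the database and records a Finding."""
    findings = []
    for host, service, version in inventory:
        for svc, lo, hi, vid, sev in KNOWN_VULNS:
            if svc == service and parse_version(lo) <= parse_version(version) <= parse_version(hi):
                findings.append(Finding(host, service, version, vid, sev))
    return findings

def report(current, previous, risk_threshold):
    """Prioritize by severity, highlight findings repeated from the prior scan,
    and flag those at or above the bank's risk threshold for escalation."""
    prev_keys = {(f.host, f.vuln_id) for f in previous}
    ranked = sorted(current, key=lambda f: f.severity, reverse=True)
    return [{"host": f.host, "vuln": f.vuln_id, "severity": f.severity,
             "repeat": (f.host, f.vuln_id) in prev_keys,
             "escalate": f.severity >= risk_threshold} for f in ranked]

def demo(risk_threshold=7):
    """Run the current scan against the prior one and produce the report."""
    return report(scan(CURRENT_INVENTORY), scan(PREVIOUS_INVENTORY), risk_threshold)
```

Running demo() shows srv-01 carrying the same critical finding as last time (a repeat that exceeds the threshold and must be escalated), srv-02 cleared by its upgrade, and srv-03 as a new lower-severity finding that is tracked but not escalated.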
