As published in Pennsylvania Association of Community Bankers’ April 2020 issue of Hometown Banker
The COVID-19 outbreak has forced banking executives and information security personnel to confront whether their institution can keep functioning through a prolonged health crisis. One of the primary measures relayed to the public for combating this emergency is social distancing, and banks with proven remote access capabilities are ahead of the curve when it comes to operating under it. Whether your institution already allowed remote access into its network or the pandemic is prompting it to allow this type of access for the first time, the security considerations cannot be overlooked.
Alongside permitting remote access, institutions need to consider the volume of users, including both employees and vendors. This may be the first time your bank’s remote access capacity has been tested by dozens of people at once. Just as phishing attacks against financial institutions have increased over the years, attacks against remote access solutions are following them: attackers know that institutions are standing up new remote access capabilities and expanding existing ones, and a newly exposed or hastily reconfigured gateway is an attractive target. If your bank is one of them, ensure that the following key questions have been asked and addressed appropriately.
- When was the last time your remote access system was tested by a security professional? Internet-facing remote access systems should be in scope for the required annual penetration test. If configuration changes have been made in response to the pandemic, consider a second test to verify that the changed configuration is both secure and working as intended.
- Does your remote access system have dual or multifactor authentication? Remote access systems should be, at a minimum, dually authenticated. This is often accomplished with a pre-shared key that must be entered into the remote access software on both ends of the connection, coupled with the user’s login ID and password. Otherwise, an attacker who knows the IP address or URL of your remote access system can download the client software and immediately try login IDs and passwords captured through a phishing attack. Keep in mind that a pre-shared key is a single secret shared by every client rather than something tied to an individual user: it raises the bar against an attacker holding only a phished password, but it offers no protection once a client profile or laptop has leaked. While dual authentication can be acceptable in some cases, multifactor authentication is preferred by regulators and is a much stronger control. Typical multifactor options for remote access are one-time codes delivered out of band (to a cell phone or email address) or generated by a hardware or software token; codes sent by SMS or email are the weakest of these, since they can be intercepted or phished along with the password, while token-generated codes, push-based approval, and hardware security keys are progressively stronger.
- How is the security of the devices accessing the network remotely being addressed? Are only bank-issued machines allowed to use the remote access solution, or can users connect from their own home-managed devices? If the latter, how is your institution ensuring that antivirus and anti-malware protection, a host firewall, and current patches are in place on those devices, and can the remote access solution verify that state before it grants access?
- What password requirements are in place for the remote access system? Do your employees use the same passwords for remote access as they do for the internal network? Password reuse is a serious risk for remote access systems: a compromise of one password grants access to every resource where that password is used, and an externally reachable gateway is exactly where a phished or leaked network password will be tried first. Has your institution implemented stronger password requirements for remote access than for the internal network? Where the remote access system authenticates against the same directory as the network, so that the passwords cannot differ, a second factor becomes essential rather than merely preferred.
- Should logon time restrictions be put into place? Often overlooked, but an excellent security control for remote access systems, is the use of logon time restrictions. Allowing employees, and especially vendors, to reach the institution’s network only during specific hours of the day reduces the opportunity for fraud and the odds that an attacker can use the connection during periods when logs are not routinely reviewed.
- Should remote access logs be reviewed more often? If your bank has historically limited remote access to a few key vendors and employees, its log review cadence is probably sized for that, and it will be inadequate if the number of remote users increases sharply during a pandemic. More frequent review matters from a security standpoint, since attackers will look to take advantage of newly implemented remote access systems or of the cover that heavier usage provides, and it is equally important for maintaining accountability over employees who are suddenly permitted to work from home.
- Are approvals for remote access logged? A common audit finding, usually a minor security concern on its own, is the absence of any log or tracking of who authorized remote access for whom. Any remote access granted to an employee or vendor should be authorized by a designated individual or committee, and that authorization should be recorded. If the pandemic forces access to be enabled before a formal approval can be obtained, document the approval after the fact and reconcile the record against the accounts actually enabled on the remote access system.
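The last three questions (logon time windows, more frequent log review, and a record of who approved each account) can be checked together against the remote access logs. The following is an added example, not from the original article or from any product: it assumes a hypothetical key=value VPN authentication log format and a constructed approval register, and flags successful logons outside a user's approved hours, successful logons by accounts with no recorded approval, and one source address failing against several accounts, which is the shape of an attacker working through phished or guessed credentials. It also handles approval windows that cross midnight, which a naive start-to-end comparison gets wrong.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample lines in a hypothetical key=value VPN authentication log
# (not from any real product). Timestamps are UTC; the approval register below
# uses the same zone, which matters for any hour-based check.
SAMPLE_LOG = """\
2020-04-06T02:13:44Z vpn1 auth user=jsmith src=203.0.113.10 result=FAILURE
2020-04-06T02:13:51Z vpn1 auth user=mjones src=203.0.113.10 result=FAILURE
2020-04-06T02:13:58Z vpn1 auth user=rlee src=203.0.113.10 result=FAILURE
2020-04-06T02:14:05Z vpn1 auth user=rlee src=203.0.113.10 result=SUCCESS
2020-04-06T08:02:11Z vpn1 auth user=jsmith src=198.51.100.7 result=SUCCESS
2020-04-06T08:05:43Z vpn1 auth user=vendor_acme src=203.0.113.5 result=SUCCESS
2020-04-06T09:12:00Z vpn1 auth user=tbrown src=198.51.100.22 result=SUCCESS
2020-04-06T23:40:19Z vpn1 auth user=vendor_acme src=203.0.113.5 result=SUCCESS
"""

# Constructed approval register: who authorized each account and the hours
# (inclusive start, exclusive end, UTC) during which it may log on.
APPROVED = {
    "jsmith":      {"approved_by": "CIO", "hours": (time(7, 0), time(19, 0))},
    "rlee":        {"approved_by": "CIO", "hours": (time(7, 0), time(19, 0))},
    "vendor_acme": {"approved_by": "IT Steering Committee", "hours": (time(8, 0), time(17, 0))},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def in_window(t, window):
    """True if clock time t falls in [start, end); handles windows that cross midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def review(events, approved, failure_threshold=3):
    """Return (finding, subject, detail) tuples for a reviewer to follow up."""
    findings = []
    failed_users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "FAILURE":
            failed_users_by_src[e["src"]].add(e["user"])
            continue
        if e["result"] != "SUCCESS":
            continue
        entry = approved.get(e["user"])
        when = e["ts"].isoformat()
        if entry is None:
            findings.append(("no_recorded_approval", e["user"], when))
        elif not in_window(e["ts"].time(), entry["hours"]):
            findings.append(("outside_logon_window", e["user"], when))
    # Failures against several distinct accounts from one address: an attacker
    # trying a list of phished or guessed credentials, not a user mistyping.
    for src, users in failed_users_by_src.items():
        if len(users) >= failure_threshold:
            findings.append(("failures_across_accounts", src, ",".join(sorted(users))))
    return findings


def review_sample():
    return review(parse(SAMPLE_LOG), APPROVED)


if __name__ == "__main__":
    for finding in review_sample():
        print(*finding)
```

The hour check here is detective: it tells the reviewer that rlee and the vendor logged on outside their windows, which should also be prevented by enforcing logon hours on the account in the directory or VPN itself. The approval register is the artifact auditors ask for; running it against the log as above also catches accounts that were enabled without ever being entered in it.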
Addressing these questions will substantially reduce your financial institution’s exposure to attacks on its remote access solutions, giving you confidence that your bank can continue its mission whether staff are on site or remote.