Financial Institution Services
Solutions for Community Banks
Internal Vs. External
Statistics indicate that 60 to 80% of reported network attacks originate from internal rather than external sources, and the damage can be significant: lost staff hours, equipment, records and even an institution’s reputation. The most significant security issues may well be on the inside of your network.
External testing (penetration testing or port scanning) looks for open ports and listening services and attempts to identify the operating system and the versions of the services running on each system. Many vulnerabilities can be found this way, but far from all of them: an external scan sees only what is reachable through the perimeter. To get a true reflection of a network’s vulnerability, we recommend that internal testing (scanning from inside the network) be completed in addition to external testing.
Even the best firewall will keep out many penetration attempts, but none of the insiders. Increased vigilance is necessary to identify exploitable vulnerabilities on the inside of the network, where both insiders and remote attackers who gain a foothold can take advantage of them. An external penetration scan is easy to set up and run, but it does not show the whole picture of a network’s true vulnerability, and closing the holes it finds is only the first step in securing a network. An internal review identifies known vulnerabilities in the installed software itself, including services that are not running at the time of the scan and are therefore invisible to an external probe.
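To make the distinction above concrete, here is a small worked example, added here and not part of the original page or the firm's own tooling, of what an external scan actually does: it connects to each port, records whether the port is open, closed (the host answers with a reset) or filtered (a firewall silently drops the probe), and fingerprints open ports from the banner they volunteer, sending an HTTP request to ports that only speak when spoken to. The banner patterns, the HEAD probe and the loopback listener used to run it offline are all constructed for illustration. Note what such a scan can never see: software that is installed but not listening, and anything the firewall hides, which is exactly the ground an internal review is meant to cover.

```python
# Minimal external-view TCP connect scanner with banner-based service/version fingerprinting.
# Added example, not the firm's tooling; the banner patterns and the loopback test listener
# are constructed for illustration.
import re
import socket
import threading

# Constructed banner patterns; production scanners carry thousands of these.
BANNER_PATTERNS = [
    # "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3" -> ssh / OpenSSH / 8.9p1
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\w.]+)")),
    # "220 mx.example.net ESMTP Exim 4.94.2" -> smtp / Exim / 4.94.2
    ("smtp", re.compile(r"^220[ -].*?ESMTP\s+(?P<product>\w+)(?:\s+(?P<version>[\d.]+))?")),
    # "220 (vsFTPd 3.0.3)" -> ftp / vsFTPd / 3.0.3
    ("ftp", re.compile(r"^220[ -]\(?(?P<product>[A-Za-z]+)\s+(?P<version>[\d.]+)")),
    # "Server: Apache/2.4.41 (Ubuntu)" in an HTTP response -> http / Apache / 2.4.41
    ("http", re.compile(r"Server:\s*(?P<product>[\w-]+)/(?P<version>[\w.]+)", re.IGNORECASE)),
]
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n"  # for ports that only speak when spoken to


def parse_banner(banner: str) -> dict:
    """Map a raw banner to {service, product, version}; unrecognised banners stay unknown."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return {"service": service, "product": m.group("product"), "version": m.group("version")}
    return {"service": "unknown", "product": None, "version": None}


def classify_port(host: str, port: int, timeout: float = 2.0) -> str:
    """'open' = handshake completed; 'closed' = RST received; 'filtered' = dropped/unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout (firewall silently dropping), network unreachable, ...
        return "filtered"
    finally:
        s.close()


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Read what an open port volunteers; if it stays quiet, send an HTTP probe and read again."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except OSError:
            data = b""
        if not data:
            try:
                s.sendall(HTTP_PROBE % host.encode())
                data = s.recv(2048)
            except OSError:
                data = b""
    return data.decode("latin-1", "replace").strip()


def scan(host: str, ports, timeout: float = 2.0) -> list:
    """External view of `host`: port state, plus banner-derived product/version for open ports."""
    results = []
    for port in ports:
        entry = {"port": port, "state": classify_port(host, port, timeout)}
        if entry["state"] == "open":
            entry["banner"] = grab_banner(host, port, timeout)
            entry.update(parse_banner(entry["banner"]))
        results.append(entry)
    return results


def serve_banner(banner: bytes, speaks_first: bool = True) -> int:
    """Constructed loopback listener for offline runs; returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                try:
                    if not speaks_first:
                        conn.recv(1024)  # HTTP-style: wait for the client's request first
                    conn.sendall(banner)
                except OSError:
                    pass  # client went away (e.g. the connect-only state probe)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # bind to port 0 and release it: almost certainly closed afterwards
    port = s.getsockname()[1]
    s.close()
    return port
```

Run it against a host you are authorised to test with scan(host, range(1, 1025)); serve_banner() and unused_port() exist only so the example can be exercised on 127.0.0.1 without touching any real system. A perimeter that drops probes shows up as a column of "filtered" ports, which tells you nothing about what is patched behind it.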
We believe examiners are increasingly interested in ensuring that banks have “a continuous process of looking for vulnerabilities.” For this reason, we generally recommend, as a part of your ongoing IT audit activities and as time and funds permit, an internal security controls review. We would welcome the opportunity to discuss this topic with you.
All security work is completed by a team of senior security engineers holding the industry’s most respected professional certifications including:
Certified Information Systems Security Professional (CISSP)
Information Systems Security (INFOSEC) Professional
Cisco Security Specialist (CSS1)
A mutual non-disclosure agreement is executed prior to the start of work, and our security team carries $1,000,000 in Professional Errors and Omissions insurance.
Discovery: Our certified security professionals scan, review, test and assess the operational security characteristics of the systems you request. Discovery tasks include:
Scanning: The security team utilizes specialized software to perform automated and manual probes of the institution's Internet-exposed systems to identify existing vulnerabilities.
Review and Testing: Network security appliances (firewalls and routers) are reviewed and tested to determine whether they are configured in accordance with corporate policy, National Security Agency (NSA) configuration guidelines and industry best practices, so that network resources are protected from unauthorized access.
Assessment: The security posture of the network is examined from a data flow and security controls perspective. The logical architecture of network borders and interconnections is mapped, analyzed and reviewed. Recommendations are made as necessary to improve security architecture.
Documentation: A comprehensive written report, addressing both technical and management concerns, outlines current security risks and includes specific recommendations to mitigate those risks. A network diagram is usually developed to illustrate the network’s borders and interconnections.
Peer Review: All security results are validated by a rigorous peer review process to ensure the best product possible.
For more information about any of these services, please contact:
ROMNEY & ASSOCIATES
1516 W. Riverside
Spokane, WA 99201
(509) 455-8173 Tel
(509) 455-5442 Fax