RedRock Information Security Blog

Unofficial Ramblings and Comments on IT Security and Other Stuff

Vendor management policies are documented procedures for handling the activities of a company’s vendors. They are important for businesses within many industries, but they are especially critical for financial institutions. Increasingly, technology and other services are being outsourced by today’s financial institutions. Every time a form of technology or another service is outsourced to a vendor, the risk of security problems and other issues is significantly heightened. In order to mitigate that risk, it is imperative that a financial institution has a sound vendor management policy in place.

Creating an Effective Vendor Management Policy

Several very credible sources have outlined the appropriate process for creating an effective vendor management policy. NCUA’s Guidance for Evaluating Third Party Relationship Risk (NCUA Letter 07-CU-13), in particular, is a valuable resource for financial institutions that need to create a policy of their own. A four-step process is generally agreed to be the best way of arriving at an appropriate vendor management solution; an overview of those steps is highlighted below.

1. Analyzing Risk – Vendors must be assessed for their risk on a case-by-case basis. This risk assessment or analysis should take several different points into consideration. The importance of the function that the vendor will be charged with accomplishing must be assessed. The inherent risks that are involved in the activities that they will be performing for the financial institution should be considered. The risk assessment process should be documented, and should cover concerns like whether or not backup will be available and whether or not the vendor’s activities will be easy to oversee. Ultimately, the higher the risk, the greater the diligence that will need to be used in selecting a vendor. The results of the risk analysis will color all of the other steps in the process.

2. Selecting a Vendor – The intensity of the scrutiny that will be needed in selecting a vendor will depend on the results of the preceding risk analysis. Inquiries need to be made into a vendor’s financial condition, as well as its ability to meet the institution’s requirements. Careful examinations of a prospective vendor’s industry expertise, staffing, internal controls (such as internal audits), contingency plans and security must be undertaken. Finally, a prospective vendor should be able to produce financial statements; if not, it should not be considered, as this is indicative of high risk.

3. Preparing a Contract – A simple, written form contract should be prepared and reviewed by legal counsel. The expectations and responsibilities of both parties should be clearly communicated within it. Specific details concerning fees, time frames and implementation procedures should be addressed. In the case of a technology contract, a service level agreement – or SLA – should be prepared. Finally, long-term contracts are generally bad ideas.

4. Ongoing Supervision and Monitoring – The financial institution should assign an officer to oversee the vendor’s performance. The level of supervision required will depend on the results of the initial risk assessment. Periodic reviews of the vendor’s financial and insurance condition, along with their security and internal controls, should be conducted. An assessment of whether or not they’ve been meeting the terms of the agreement should be made at least once a year.

For more information about Vendor Management or other IT related policies, find RedRock Information Security on the web at www.redrockis.com or call us toll free at 877-258-8065.

These days, more companies are choosing to sign up with managed service providers than ever. If you’re one of them, the many advantages of using an MSP – including cost savings, preventive maintenance and less downtime – have probably convinced you that it’s the right move to make. Making the decision to sign up with an MSP is one thing; finding the right one is another. Look below for a few simple tips for finding the managed service provider that’s right for you.

Here’s What to Look For:
- Certifications – The ideal MSP will carry several vendor and industry certifications. This is important, because such certifications demonstrate a managed service provider’s proficiency in the areas that matter the most to you.
- 24/7/365 Monitoring – Your computer network isn’t supposed to experience downtime; neither should your managed service provider. Look for an MSP that offers round-the-clock monitoring.
- Technical Support – Look closely at the technical support that any prospective MSP has to offer. Ideally, it should mesh well with your existing business model; you shouldn’t have to change your way of doing things in order to accommodate it.
- An Exceptional Reputation – Any decent MSP should be more than willing to refer you to their existing clients; obtain those references, then contact them to find out what they have to say.
- The Right Tools – The technologies and tools that a managed service provider uses are critically important. Dig deep and get a good feel for how they do what they do, in order to ensure that they’ve got what it takes to handle your IT support needs.

Characteristics of an Ideal MSP
The ideal managed service provider will have top-notch remote access capabilities. They’ll also have the ability to:
- remotely install software;
- automatically patch and update your company’s software as needed, including Microsoft and third party products;
- monitor and inventory your organization’s hardware and software; and
- control endpoint security.

The final point is especially important; you should always feel that your network security is in capable hands. When considering various MSPs, find out the specific methods they’ll use to control endpoint security. The best prospects will have several strategies at their disposal. They’ll be able to manage and control Internet Explorer and firewall settings; the ability to disable access to critical system functions – and the ability to disable USB drives – should also be included.

Although there’s a lot to consider when looking for an MSP, in the end you’ll be glad that you took your time to find the right one.

For more information find us on the web.

RedRock Information Security at www.redrockis.com or call us toll free at 877-258-8065

From 2008 to 2009, the share of Web based attacks targeting Adobe PDF files rose from 1 in 10 to half of all attacks, according to this article. The article goes on to explain the changing origins of attacks, including the top originating countries.

Due to recent vulnerability and exploit trends, many information security experts are predicting that Adobe will surpass Microsoft as the top hacker target in 2010. You can read more about it here.

So we get this very nice email….

In recognition of your achievement, a 2009 Best of Grand Rapids Award has been designed for display at your place of business. You may arrange to have your award sent directly to Red Rock Information Secu by following the simple steps on the 2009 Best of Grand Rapids Award order form. Simply copy and paste this link into your browser to receive your award:
http://www.uscaaward.com/AYRJ-T9L

Each year, the US Commerce Association (USCA) identifies companies that we believe have achieved exceptional marketing success in their local community and business category. These are local companies that enhance the positive image of small business through service to their customers and community.

Also, a copy of the press release publicizing the selection of Red Rock Information Secu has been posted on our website. The USCA hereby grants Red Rock Information Secu a non-exclusive, royalty-free license to use, reproduce, distribute, and display this press release in any media formats and through any media channels.

An Award Code has been assigned to your company that can be used on our website for quick access to your award information and press release.

Your Award Code is: YRJ-T9L

Sincerely,

Ashley Carter
Selection Committee Chair
US Commerce Association

The intended recipient of this notification is the Marketing Director for Red Rock Information Secu. If you have received this email in error please forward it to the intended recipient. If you do not wish to receive further advertisements from Best of Grand Rapids Award Program, please mail a written request to: USCA, 2020 Pennsylvania Ave, Washington, DC 20006 or simply click to opt-out.

There are a few dead giveaways that this isn’t a competitive award. The first is the truncation of our company name…“RedRock Information Secu”. Also, there are no published criteria for winning, just a link in the email to purchase the award. Finally, we would have to actually buy the ‘award’. By definition, awards are not purchased, they’re given…not this one.

So, we could buy this award from USCA for $180 and set it on the shelf, issue a press release about the great job we’re doing and hope no clients or potential clients figure it out. Or we could contract with a trophy company to make one for us and lie about what we’ve accomplished. Why not make three or four? Fake the organizations, put some ‘Best Of Whatever’ on the front. You get the picture. It’s our responsibility to not blindly accept something at face value. It’s a great marketing stunt, but the ethics of making false representations is inarguable.

Performing a Google search will uncover numerous instances of the US Commerce Association giving away ‘awards’ to businesses which are no longer in existence, in what appears to be an effort to sell trophies. You can see some examples here, here and here. So when you see a press release or award of this type hanging on the wall in a restaurant or proudly displayed in a board room, give it, and the company displaying it, the appropriate credit for blindly accepting a meaningless award.

To find out more about this ‘award’, read about it on these Better Business Bureau websites here and here.

This is just sloppy systems administration and/or a lack of OS hardening. Basic precautions would limit the ability to get malware on an ATM in the first place. Antivirus, locking down physical access, patch management, host intrusion prevention…vendors should at least cover the basics.

From an eWeek article:

…roughly 20 ATMs were infected with malware that captures magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on the compromised ATM.

I wonder how many are actually infected? The article mentions they found 20; however, security researchers usually discover only a small sample. Regardless, we’ll likely never know the real number, since vendors don’t run around touting their inability to secure systems.

An interesting lawsuit is currently underway regarding a card processor who was certified as secure, then suffered a massive breach and subsequent compromise of more than 40 million credit card numbers.

In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.

Read more at Wired

A recent study presented at the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks reported that hackers attack every 39 seconds, looking for computers with weak passwords or vulnerable applications. The research was based on four Linux based systems with weak protections and a fast Internet connection, with the authors monitoring all of the hacker attempts.

The authors noted that hackers were using automated scripts that tried to find usernames and passwords using a large dictionary with millions of words and other combinations. After the program identified these two elements, the hackers quickly changed the password, ran malicious programs or modified the configuration of the system. MSNBC News reported that the most commonly used usernames were admin, guest, user, root and test, while the most popular passwords were 123, password or 123456.

“Most of these attacks employ automated scripts that indiscriminately seek out thousands of computers at a time, looking for vulnerabilities. Our data provide quantifiable evidence that attacks are happening all the time to computers with Internet connections,” study author Michel Cukier of the University of Maryland said, according to MSNBC News.

So, if you want to be more secure while your computer is connected to the Internet, you should use strong, long passwords containing both letters and numbers.

Joseph F. Couture
RedRock Information Security
Grand Rapids MI 49503
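As an added example (not from the post or from the study it summarizes), here is a small Python checker that turns the study’s observation into a defensive check: it parses OpenSSH-style failed-login lines (an assumed log format; the sample lines below are constructed, not real data) and flags any source that racks up failed logins against the commonly tried usernames the article names.

```python
import re
from collections import defaultdict

# Usernames the study (via MSNBC News) reported as the most commonly tried.
COMMON_TARGET_USERS = {"admin", "guest", "user", "root", "test"}

# Assumed OpenSSH auth-log line shape; the timestamp prefix is ignored.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Mar  8 02:11:01 host sshd[4211]: Failed password for invalid user admin from 203.0.113.5 port 4222 ssh2
Mar  8 02:11:03 host sshd[4213]: Failed password for invalid user guest from 203.0.113.5 port 4230 ssh2
Mar  8 02:11:05 host sshd[4215]: Failed password for root from 203.0.113.5 port 4241 ssh2
Mar  8 02:11:07 host sshd[4217]: Failed password for invalid user test from 203.0.113.5 port 4252 ssh2
Mar  8 02:11:09 host sshd[4219]: Failed password for invalid user user from 203.0.113.5 port 4260 ssh2
Mar  8 02:11:20 host sshd[4230]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Mar  8 02:12:44 host sshd[4244]: Failed password for alice from 198.51.100.7 port 50130 ssh2
"""


def parse_failures(log_text):
    """Return {source_ip: [usernames tried]} for every failed-password line."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("src")].append(m.group("user"))
    return failures


def flag_brute_force(log_text, threshold=5):
    """Sources with at least `threshold` failures, plus which dictionary-style usernames they tried."""
    alerts = {}
    for src, users in parse_failures(log_text).items():
        if len(users) >= threshold:
            alerts[src] = {
                "attempts": len(users),
                "common_users": sorted(set(users) & COMMON_TARGET_USERS),
            }
    return alerts


if __name__ == "__main__":
    for src, info in flag_brute_force(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} failed logins; common usernames tried: {info['common_users']}")
```

A single mistyped password from a legitimate user (the alice line) stays below the threshold, while the scripted run against admin/guest/root/test/user is flagged.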

From Wired:

On the night of March 8, cruising 22,000 miles above the Earth, U.S. Navy communications satellite FLTSAT-8 suddenly erupted with illicit activity. Jubilant voices and anthems crowded the channel on a junkyard’s worth of homemade gear from across vast and silent stretches of the Amazon: Ronaldo, a Brazilian soccer idol, had just scored his first goal with the Corinthians.

I find it hard to believe the US Military would unintentionally allow anyone to relay through military satellites with $500 worth of radio equipment.  An interesting read.

Welcome to the new RedRock Information Security Blog. We’re excited to finally have a place other than our corporate website to jot down our thoughts. The goal of this site is to create a dialog and communicate our philosophy on everything from network security to spam filtering to business processes. It’s here you will learn why we do the things we do, the logic behind the decisions we make and maybe, just maybe, increase your network security.

If you wish to communicate with us directly, please feel free to contact us via email or phone anytime.
