This past December, the Office of the Comptroller of Currency (OCC) released the fall edition of its Semiannual Risk Perspective, a report that addresses key issues facing Financial Institutions, focusing on those that pose threats to the safety and soundness of banks and their compliance with applicable laws and regulations. This report presents data in four main areas: the operating environment, bank performance, trends in key risks, and supervisory actions.
Included in the report is the topic of cybersecurity. The report has deemed the cybersecurity practice as an emerging risk. While the OCC reports that Financial Institutions’ cybersecurity programs have been improving and have grown stable and more mature over recent quarters, there remain opportunities for further improvement to mitigate cybersecurity risks. Among others, one of the most common control deficiencies that examiners note is patch management.
Implementation of an effective patch management program continues to be a battle for both large and small Financial Institutions for various reasons. As larger Financial Institutions grapple with more complex environments and technologies, identifying and delivering a high volume of patches to critical assets on a timely basis is a consistent struggle. On the other hand, the OCC reports that smaller institutions “face challenges with retaining the technical resources needed to identify and implement patches required to manage changing threats and vulnerabilities on an ongoing basis.”
What’s the big deal? Why Patch Management Matters
When an organization’s critical systems go unpatched, the door is propped open for malicious users both internally and externally to exploit vulnerabilities across the network. Unpatched assets such as servers or endpoints can allow unauthorized access onto an organization’s network as well as the potential for devastating viruses and malware infections on critical systems. Because of poor patch management practices, the OCC has deemed a specific Financial Institution staple, the Automated Teller Machine (ATM), a high vulnerability. The report states that “malicious actors have continued to focus on card skimming and cash-out attacks on ATMs. ATMs that were successfully compromised typically had not been updated or patched.”
A Proactive Approach to Patch Management
An effective patch management program starts with having an understanding of your own environment. Having a documented and defined inventory of critical assets with operating systems and OS versions is important. Categorizing your institution’s most critical assets will allow you to create more granular patching policies instead of taking a one-policy-fits-all approach.
Speaking of a policy, a well-designed patch management policy will enable a concise and agreed upon strategy for tackling critical vulnerabilities and patches. Asking the difficult but necessary questions up front will aid in the policy crafting process. Do you want to patch vulnerabilities in-house? Should you outsource to a vendor? Relying on identifying, evaluating, and deploying patches manually is a difficult task, especially for smaller institutions. Therefore, it is vital that organizations state, in writing, how they wish to proceed.
Outsourcing to a vendor for patch management can be very beneficial to a Financial Institution, as it can take some of the burden off of your already busy team. Selecting a vendor with automated patch management software allows the vendor to schedule regular update scans, and ensure that patches are applied under specific conditions or automatically. If an institution chooses to apply patches manually, it will have to ensure that regular internal and external vulnerability scans are conducted to identify where patches are needed. A secure testing environment must be created for patches, and a defined roll-out strategy and review process should be put in place.
A Fallback Plan – Cyber Security Incident Response
Even with a strong patch management program in place, cybersecurity breaches and exploits can occur, especially given the constant growth of malicious vulnerabilities and hacking tactics. In the event that your institution’s patch management program does not stop an exploitation of a critical system, your organization’s Cyber Security Incident Response Plan can help save the day. An incident response program, along with a business impact analysis, is a good preventive control that addresses the probability and impact of such attacks. A plan that is current, comprehensive, and tested frequently to reflect real-world incidents gives an organization the ability to prepare for and respond to a multitude of exploits.
For more information about this topic and the Semiannual Risk Perspective: Fall 2019 Report, click here.
This article was written and produced by Christopher Salone, CCSFP, MBA, FoxPointe Solutions. Looking to get in touch with Christopher? Reach out today: csalone@foxpointesolutions.com.
FoxPointe Solutions is solely responsible only for the content of FoxPointe Solutions authored information and is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used nor relied upon as advice nor constitute a consultant-client relationship.