Category: From the Field

05 Apr 2013

The Problem with PEN Tests

This is a true story; the names have been changed to protect the guilty.  Al Akazam (not his real name) is an IT consultant with a solid background in technology, and he wants to expand his practice into network penetration (PEN) testing.  So he downloaded a copy of Nessus, which is a powerful, open source vulnerability scanner…and just like that, Al Akazam was a PEN tester!  Armed with this new tool, Al secured his first client, a financial institution.  The institution was aware of the FFIEC guidance to periodically validate the effectiveness of its security controls through testing, and although Al possessed neither audit credentials nor vast experience with financial institutions, he seemed to know what he was talking about, and the institution engaged him.

Al got the institution to allow him to connect to the internal trusted network, where he activated his scanner and sat back to let it do its magic.  An hour or 2 later the scan was complete, and Al had a couple hundred pages of results, some of which (according to his magic scanning tool) were very severe indeed.  Confident that he had uncovered serious and immediate threats to the network, Al rushed the 200 page report to management, who were understandably very alarmed.  Al completed the engagement secure in his belief that he had performed a valuable service…but in fact he had done just the opposite.  He had done the institution a disservice.  By not evaluating the threats in the context of the institution’s entire security environment, Al misrepresented the actual severity of the threats, and unnecessarily alarmed management.

A vulnerability’s true threat impact, its exploitation factor, is best expressed in a formula:

Threat impact = (vulnerability * exploitation probability) – mitigating controls

Al simply took the list of potential vulnerabilities the scanner spit out, and without factoring in the exploitation probability, or factoring out the existing controls, changed the equation to:

Threat = vulnerability

What he should have done was take the threats he found and evaluate them in the context of the institution’s specific environment by ascertaining what preventive measures were in place and how effective they are, i.e. the likelihood that the vulnerability would be exploited, and, if preventive measures failed, what detective and corrective measures are in place to minimize the impact.  The question Al should be addressing is not “what does my magic scanner say about the risk”, but “what is the actual risk”.  Simply put, Al got lazy (more on that later).

What else did Al do wrong?

  • He didn’t start with an external scan.  Since the external interface(s) are the ones getting the most attention from the hackers, they should also get more preventive, detective and corrective resources directed towards them.  A risk-based approach demands that testing should always start at the outside, and work its way in.
  • The institution gave him privileged access to the internal network, which is not realistic and does not simulate a real attack.  Sure, it’s possible that malware could allow an attacker access, and privilege elevation exploits can theoretically allow the attacker to gain privileged access, but is it likely?  How many layers of controls would have to fail for that to happen?
  • Again, he got lazy.  He should have gone further in his testing by taking one of the most severe vulnerabilities and trying to exploit it.  Only then would management understand the true risk to the institution, and be able to cost-justify the allocation of resources to address it.
  • He didn’t understand financial institutions.  Bankers understand the concept of “layered security”, and how having multiple controls at various control points reduces the risk that any one failed control will result in an exploit.  The vast majority of today’s financial institution networks are built using a layered security concept, and have been for some time.  Shame on Al for not recognizing that.
  • He presented management with a meaningless report.  Instead of simply regurgitating the scanner severity ratings in the management report, he should have adjusted them for the control environment.  In other words, if the scanner said a particular vulnerability was a 10 on a scale of 1 – 10, but the probability of exploit was 50%, and other overlapping and compensating controls are present, the actual threat might be closer to 3 or 4.
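The adjustment described above (scanner severity, times exploitation probability, less the credit for layered controls) can be made repeatable rather than left to a gut call.  This is an added example, not code from the original post: the hosts, findings and effectiveness estimates are constructed, and the treatment of “mitigating controls” as the share of raw impact absorbed by independent control layers is an assumption about how to apply the post’s formula.

```python
from dataclasses import dataclass, field
from typing import List, Sequence


@dataclass
class Control:
    """A preventive, detective or corrective control standing between the flaw and the attacker."""
    name: str
    effectiveness: float  # analyst estimate, 0..1: chance this layer stops or contains the attack

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be between 0 and 1")


@dataclass
class Finding:
    """One scanner finding plus the context the scanner cannot know."""
    host: str
    title: str
    scanner_severity: float     # as reported by the scanner, 1..10
    exploit_probability: float  # analyst estimate, 0..1
    exposure: str               # "external" or "internal"
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self):
        if not 0.0 <= self.exploit_probability <= 1.0:
            raise ValueError(f"{self.host}: exploit probability must be between 0 and 1")
        if self.exposure not in ("external", "internal"):
            raise ValueError(f"{self.host}: exposure must be 'external' or 'internal'")


def layered_failure_probability(controls: Sequence[Control]) -> float:
    """Probability that every layer fails, assuming the layers fail independently (an assumption).
    With no controls this is 1.0: nothing stands between the vulnerability and the attacker."""
    p = 1.0
    for c in controls:
        p *= 1.0 - c.effectiveness
    return p


def naive_threat(f: Finding) -> float:
    """What Al reported: Threat = vulnerability, straight off the scanner."""
    return f.scanner_severity


def adjusted_threat(f: Finding) -> float:
    """The post's formula: (vulnerability * exploitation probability) - mitigating controls.
    The mitigating-control term is the share of the raw impact the layered controls absorb,
    so the result is the impact that survives only if every layer fails."""
    raw = f.scanner_severity * f.exploit_probability
    control_credit = raw * (1.0 - layered_failure_probability(f.controls))
    return round(max(raw - control_credit, 0.0), 1)


def prioritize(findings: Sequence[Finding]) -> List[Finding]:
    """Order findings for management: highest adjusted threat first, external exposure breaking ties."""
    return sorted(findings,
                  key=lambda f: (-adjusted_threat(f), 0 if f.exposure == "external" else 1))


# Constructed sample findings (hypothetical hosts and estimates, not real scan output).
FINDINGS = [
    Finding("db-01", "unpatched database listener", 10, 0.5, "internal",
            [Control("network segmentation", 0.2), Control("host intrusion prevention", 0.125)]),
    Finding("web-01", "outdated web framework on internet-facing site", 7, 0.8, "external",
            [Control("web application firewall", 0.1)]),
    Finding("print-01", "SNMP default community string", 6, 0.1, "internal", []),
]

if __name__ == "__main__":
    print(f"{'host':10}{'scanner':>9}{'adjusted':>10}")
    for f in prioritize(FINDINGS):
        print(f"{f.host:10}{naive_threat(f):>9.1f}{adjusted_threat(f):>10.1f}")
```

With these constructed inputs the scanner’s “10” on the segmented internal host lands at 3.5, in line with the 3 or 4 the post describes, and the externally exposed “7” moves to the top of the list.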

I’ve seen this scenario several times over the last few years, and in most (but not all) cases when the PEN tester is presented with the flaws in their methodology, they adjust accordingly.  This is important, because a bad PEN test result has a ripple effect…you now have to expend resources to address issues that may not actually need addressing when placed in proper context.  You have to present the report to management, with an explanation of why it’s really not as bad as it looks, and you have to make the report available to your examiner during your next safety and soundness examination.  So for all these reasons, if you are a banker facing a similar situation, push back as hard as you can.  And get outside help from an auditor or IT consultant to help make your case if necessary.

Are you a PEN tester or auditor?  What is your approach to automated scanners and test results, do you adjust for the overall controls environment?

25 Feb 2013

Examination Downgrades Correlated with Poor Vendor Management

According to Donald Saxinger (senior examination specialist in FDIC’s Technology Supervision Branch) in a telephone briefing given to the ABA in December of last year, almost half of all CAMELS score downgrades in 2012 were related to poor vendor management.  The briefing was titled “Vendor Management: Unlocking the Value beyond Regulatory Compliance”, and in it Mr. Saxinger noted that in 46% of the FDIC IT examinations in which bank ratings were downgraded, inadequate vendor management was cited as a causal factor.  He went on to say that although poor vendor management may not have been the prime cause, it was frequently cited as a factor in the downgrade.

Mr. Saxinger recommends that banks request, receive, and review not just financials and third-party audits such as SOC reports and validation of disaster recovery capabilities, but also any examination reports on the provider.  Federal examiners have an obligation and a responsibility to monitor financial institution service providers using the same set of standards required of the institutions themselves, and they are doing so with increasing frequency.

In addition, consider that all of the FFIEC regulatory updates and releases issued last year were either directly or indirectly related to vendor management:

  • Changes to the Outsourcing Handbook to add references to cloud computing vendors, and managed security service providers.
  • Updates to the Information Security Handbook to accommodate the recently released Internet Authentication Guidance (with its strong reliance on third parties).
  • Changes to all Handbooks to accommodate the phase-out of the SAS 70, and replace it with the term “third-party review”.
  • Updated guidance on the URSIT programs for the supervision and scoring of Technology Service Providers.
  • Completely revised and updated Supervision of Technology Service Providers Handbook.

So regulators see inadequate vendor management as a contributing factor in examination downgrades, and virtually all new regulations issued by the FFIEC are related to it as well.  As a service provider to financial institutions we are prepared for, and expecting, added scrutiny.  As a financial institution looking to optimize examination results and stay ahead of the regulators, you should be too.

Here is a link to all vendor management related blog posts.

05 Feb 2013

Implementing the CFPB-required Compliance Management System (Part 2)

CFPB compliance examinations have only just started and the agency has already identified deficiencies in some institutions:

“The CFPB has found one or more situations in which an effective CMS was lacking across the financial institution’s entire consumer financial portfolio, or in which the financial institution failed to adopt and follow comprehensive internal policies and procedures, resulting in a significant breakdown in compliance and numerous violations of Federal consumer financial law.”

By the way, if you were under the impression that the CFPB would only examine institutions above $10B in assets, Section 1026 of the Dodd-Frank Act provides that the agency does have regulatory authority for institutions under $10B as well.  They will likely coordinate the consumer compliance examination through your current primary federal examiner, or they may “spot-check” smaller institutions on their own.  Either way, you’ll have to meet their guidelines.  “…the CFPB expects every regulated entity under its supervision and enforcement authority to have an effective compliance management system…”.

So the agency clearly considers the Compliance Management System (CMS) a key component, and it is already an area of focus for regulators.  In fact if you read a bit further in the guidance they state that if a formal CMS is not in place, “…the financial institution has no ability to address risks presented by its lines of business.”

What is interesting about this statement is that although the focus of the CFPB is consumer compliance, they don’t seem to limit the applicability of a CMS to only consumer-oriented lines of business.  This leads me to believe that they consider a CMS not just a CFPB requirement, but a general compliance best practice.  Furthermore, any attempt to implement a CMS using a “compliance response” approach (i.e. one that addresses the letter, but not necessarily the spirit, of the regulation) will likely be inadequate.  In a typical CMS examination, the CFPB will evaluate both the understanding and the application of the financial institution’s compliance efforts. The “compliance-response” approach will not work.  Indeed, as the earlier quote indicates, the CFPB has already found several institutions that had the correct policies and procedures in place, but they were not being followed.  In other words, while it is important to have the right policies in place, compliance will be determined by how well management understands the policies, and how well the policies are actually being followed.  Simply put…

Compliance = Policies + Procedures + Actual Practices

So how do you implement an effective and compliant CMS?  And more importantly, how do you do it in a cost-effective way?  While the exact elements of your CMS will vary according to the scope and complexity of your consumer financial products and services, there will be 6 broad areas of focus for the examiners:

  1. Board of Directors and Management Oversight
  2. Policies and Procedures
  3. Training
  4. Monitoring and Corrective Action
  5. Consumer Complaint Response
  6. Compliance Audit

With the possible exception of #5, you already have a formal process in place to address all of these elements for information security: it’s called your information security program.  Consider this…

  1. You have an IT strategic plan, which integrates with your overall strategic plan, and establishes the business case for technology.  It assigns overall responsibility to the Board for managing the plan, and requires periodic progress updates back to the Board.  Day-to-day management has been assigned to an IT Steering Committee.
  2. You have a set of policies and procedures, and you update them at least annually.
  3. You train your employees on information security best practices at least annually.
  4. You have periodic meetings of the IT Steering Committee, structured as a control self-assessment, where control adequacy and effectiveness are evaluated.
  5. You conduct periodic independent audits of the process.

So whether you realize it or not, you already have a “compliance management system” in place!  Simply take what you are already doing for information security, add a complaint response capability, and apply it to consumer compliance.  The CFPB Supervision and Examination Manual lists the specific procedures that examiners will use starting on page 36.  Just as Appendix A of the FFIEC Handbooks guided your information security program, you should use this to define the specifics of your CFPB compliance program.*

One final thought…the CFPB has adopted the same 5 point rating system used by the FFIEC to “grade” your adherence to the guidance, wherein a rating of 1 or 2 represents a strong compliance position, and anything worse than a 2 is considered sub-optimal.  This is how the CFPB defines an institution rated “1” (bulletized for easier reading); use it as your guide:

  • Management is capable of and staff is sufficient for effectuating compliance.
  • An effective compliance program, including an efficient system of internal procedures and controls, has been established.
  • Changes in consumer statutes and regulations are promptly reflected in the institution’s policies, procedures, and compliance training.
  • The institution provides adequate training for its employees.
  • If any violations are noted they relate to relatively minor deficiencies in forms or practices that are easily corrected.
  • There is no evidence of discriminatory acts or practices, reimbursable violations, or practices resulting in repeat violations.
  • Violations and deficiencies are promptly corrected by management. As a result, the institution gives no cause for supervisory concern.

*I’ve converted the examination procedures section into an easy-to-follow checklist.  For Safe Systems customers, your account manager has a copy and will walk through it with you.

15 Jan 2013

CFPB Examinations To Require “Compliance Management Systems” (Part 1)

We have known for some time that CFPB examinations are coming, and late last year the CFPB released their Supervision and Examination Manual…all 924 pages of it!  There is much to comment on in there, but I want to focus on 2 things that will impact financial institutions right away.

The first is the actual approach the CFPB will take towards examining your institution, and anyone familiar with the risk management process (or who regularly reads this blog) will instantly recognize it.  Before they begin the examination process, they will conduct a risk assessment of your institution.  Of course the concept is nothing new; regulators have been expecting FIs to conduct risk assessments for years, and for everything they do, so I guess it’s good to see them finally practice what they preach.  However, this is the first time the concept has been applied to the pre-examination process, and since the depth and breadth of the examination will depend on the result of their assessment, you should definitely be proactive about this.  If their pre-exam assessment determines that your overall inherent risk is low or moderate and likely to remain steady or decrease in the future, and your controls are strong or adequate, the focus and intensity of the exam is likely to be relatively mild.  On the other hand, if inherent risk is high and/or increasing, and controls are judged as weak, I think you can expect a more vigorous examination experience.

So how can you prepare?  In the past, one common approach to new regulations has been to make at least a token effort to comply, then see what the examiner had to say.  Because past regulatory changes have been notoriously non-prescriptive (and as such, open to interpretation), you wait for the examiner to take a look at what you’ve done, and let them suggest changes.  In other words, you would accept examination findings rather than risk misinterpreting examiner expectations.  This has been a common, and frankly rational, approach to compliance.  However this approach may not be optimal with CFPB examinations, because a token compliance effort may actually result in a higher risk rating.

This brings me to the second big take-away from the examination manual, and the only way to avoid a sub-optimal risk assessment: the implementation of a “Compliance Management System”, or CMS.  According to the CFPB:

“A critical component of a well-run financial institution is a robust and effective compliance management system (CMS), designed to ensure that the financial institution’s policies and practices are in full compliance with the requirements of Federal consumer financial law.  Consequently, one of the most important responsibilities of the CFPB supervisory program is assessing the quality of the compliance management systems employed by the financial institutions.  …Without such a system, serious and systemic violations of Federal consumer financial law are likely to occur.”

The system should be designed to address the following elements:

  • Internal controls and oversight
  • Training
  • Internal monitoring
  • Consumer complaint response
  • Independent testing and audit
  • Third-party service provider oversight
  • Record-keeping
  • Product development and business acquisition, and
  • Marketing practices

At first glance this appears to be a whole new set of potentially burdensome requirements for financial institutions.  The “CMS” term is new, no other regulatory agency specifically requires this.  And they make it clear that having the system in place is not just a best practice, it is a “critical component” of a well-run institution (strongly implying that if you don’t have one in place, you aren’t well-run).  Furthermore, if you don’t have a CMS in place you are likely to incur “serious and systemic violations” of law.

So a CMS is both a requirement in and of itself, and a good way to avoid a sub-optimal CFPB pre-examination risk assessment. The question at this point is not whether you should do it (you should), or when you should do it (ASAP, prior to your first CFPB examination), but rather how can you implement one with minimal internal resource impact?

I mentioned earlier that it may appear at first glance to be an entirely new system, but in my next post I’ll discuss how you can implement a comprehensive CMS that meets regulatory expectations and doesn’t impose an unreasonable burden by utilizing the risk assessment and reporting structure you probably already have in place within your institution.

(Spoiler alert:  The fundamentals of a CMS are nothing we haven’t seen before…understanding the difference between policies, procedures, and practices…utilizing a management committee with a standard agenda…implementing a control self-assessment process…documenting the management reporting process…sound familiar?)

12 Nov 2012

The Financial Institutions Examination Fairness and Reform Act (and why you should care)

Although it’s currently stuck in committee, financial institutions should be aware of this bill and track it closely in the next congressional session.  There are actually 2 bills, a House (H.R. 3461) and a Senate (S. 2160) version, both containing similar provisions.  The House bill has 192 sponsors and the Senate version has 14 sponsors, and both bills have supporters from both political parties.  Here is a summary of the bill, and why you might want to support it as well:

What it does:

  • Amends the Federal Financial Institutions Examination Council (FFIEC) Act of 1978 to require a federal financial institutions regulatory agency to make a final examination report to a financial institution within 60 days of the later of:
      (1) the exit interview for an examination of the institution, or
      (2) the provision of additional information by the institution relating to the examination.
  • Sets a deadline for the exit interview if a financial institution is not subject to a resident examiner program.
  • Sets forth examination standards for financial institutions.
  • Prohibits federal financial institutions regulatory agencies from requiring a well capitalized financial institution to raise additional capital in lieu of an action prohibited by the examination standards.
  • Establishes in the Federal Financial Institutions Examination Council an Office of Examination Ombudsman. Grants a financial institution the right to appeal a material supervisory determination contained in a final report of examination.
  • Requires the Ombudsman to determine the merits of the appeal on the record, after an opportunity for a hearing before an independent administrative law judge.
  • Declares the decision by the Ombudsman on an appeal to:
      (1) be the final agency action, and
      (2) bind the agency whose supervisory determination was the subject of the appeal and the financial institution making the appeal.
  • Amends the Riegle Community Development and Regulatory Improvement Act of 1994 to require:
      (1) the Consumer Financial Protection Bureau (CFPB) to establish an independent intra-agency appellate process in connection with the regulatory appeals process; and
      (2) appropriate safeguards to protect an insured depository institution or insured credit union from retaliation by the CFPB, the National Credit Union Administration (NCUA) Board, or any other federal banking agency for exercising its rights.

Why you should care:

In addition to the provisions for more expeditious exit interviews and final reports, the bills provide for certain changes to “examination standards”.  The standards pertain primarily to the non-accrual treatment of commercial loans and their effect on capital, and they also redefine “Material Supervisory Determination” as “any matter requiring attention by the institution’s management or board of directors”.  These are all generally good things for financial institutions, but I think the most significant provisions (and the ones with the biggest positive impact) are the provisions that establish the Office of Examination Ombudsman within the FFIEC.

The current appeal process for contested examination findings was recently re-addressed by the FDIC here (and I reacted to it here).  In summary, if you currently have a disagreement with the FDIC about any “material supervisory determination”, which includes anything that affects CAMELS ratings and IT ratings (the full list is here, search for “D. Determinations Subject to Appeal”) you must stay within the FDIC for resolution.  And this includes the current Office of the Ombudsman, which is also a part of the FDIC.

The agency makes it clear that they believe the appeals process is “independent of the examination function and free of retribution or other retaliation”, but whether it is or isn’t, the fact that the process never leaves the FDIC deters many financial institutions from pursuing the appeals process in the first place.  I believe moving the process to the FFIEC at least improves the perception of independence and objectivity, which may encourage more institutions to be more inclined to challenge examination findings.  What are your thoughts?

Again, I encourage you to learn about these bills for yourself and take a position. To support the Senate bill, go HERE.  To support the House bill, go HERE.  And feel free to share this post.  If enough people support it perhaps we’ll see some progress in the next congressional session!

18 Oct 2012

“2 is the new 1”…or is it? (with poll)

UPDATED – October, 2012 – Two institutions in the past ten days have told me that they have been assigned a CAMELS score of “1” in their latest examination.  One institution regained their 1 after slipping to a 2 in their last exam cycle, and the other went up to a 1 for the first time.  The FDIC is the primary federal regulator for both institutions.  What is your experience?  (Original post below)

During a panel discussion recently at our annual user conference, we heard this from a banker who was quoting an examiner during their last examination.  They had slipped from a CAMELS 1 rating to a 2, and in discussing the reasoning with the Examiner in Charge they said that they should be satisfied with a 2, because “2 is the new 1”.

Just 3 years ago Tony Plath, a finance professor at the University of North Carolina Charlotte, said that (at least for large banks) a CAMELS score of anything less than “1” was cause for concern.  These days it almost seems that examiners are digging for anything they can find to justify NOT assigning the highest rating.  Indeed I had a recent conversation with an FDIC examiner who said (off the record) “if we find anything at all to document during our examination, that is enough to disqualify them for a “1” rating”.

Unlike the comparatively significant difference between a “2” and a “3”, the differences between a “1”, defined as “Sound in every respect” and a “2”, defined as “Fundamentally sound” are extremely subtle, and there is no clear line of demarcation between them.  Often it comes down to examiner opinion.

So pick your battles and push back where you can, but understand that although you should be familiar with the criteria for a “1” rating, and strive to achieve it, you should be quite satisfied with a “2”…at least for now.