February 25, 2019

What are the Best Security Configurations for Financial Institutions?

Financial institutions are an evergreen target for cyberattacks. Every day, banks, investment firms, and other financial institutions handle major transactions representing millions of dollars. For malicious actors motivated by monetary gain, financial institutions are some of the biggest, juiciest targets out there. This naturally leads to near-constant attempts to crack bank security.

In response, financial institutions need to have extremely strong security and meet strict, federally-mandated cybersecurity standards. The question is: “What are the best security configurations for financial institutions to meet compliance standards while keeping their customers safe from fraud?”

Before highlighting some of the best security configurations for banks and other finance-oriented organizations, it’s important to know the compliance standards financial organizations need to adhere to and the most common risks that they face.

FINRA Compliance and Security Configurations

FINRA is not a government-mandated organization. Instead, as noted on the FINRA.org About Us page, FINRA is “a not-for-profit organization authorized by Congress to protect America’s investors by making sure the broker-dealer industry operates fairly and honestly.” Part of their mandate is to write and enforce rules governing investment organizations. While most of the rules FINRA posits are designed for consumer protection from a business ethics standpoint, security configurations do play a role in FINRA compliance.

For example, as stated by FINRA, they review “a firm’s ability to protect the confidentiality, integrity and availability of sensitive customer information. This includes reviewing each firm’s compliance with SEC regulations.” The specific regulations that FINRA checks for include:

  1. Regulation S-P (17 CFR §248.30). This regulation states that “Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” In other words, financial organizations need to have a written set of standards that they follow to protect sensitive information.
  2. Regulation S-ID (17 CFR §248.201-202(d)). This regulation requires “Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program… The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.”
  3. The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)). This part of the regulation states that “Every member, broker and dealer subject to §240.17a-3 shall preserve for a period of not less than six years, the first two years in an easily accessible place, all records required to be made pursuant to paragraphs §240.17a-3(a)(1), (a)(2), (a)(3), (a)(5), (a)(21), (a)(22), and analogous records created pursuant to paragraph §240.17a-3(f).” In other words, financial institutions must hold onto a copy of their records for at least six years—records that may need strong security settings to prevent a breach.

You may have noticed that none of these rules laid out specific security configurations or cybersecurity tools that financial organizations should use. Instead, they outlined desired outcomes and a need for consistent, documented procedures. This highlights the need for financial organizations to think beyond security settings to create robust rules to document and enforce their plans for improving security.

While specific security settings might not be detailed by FINRA, there are a few that financial organizations can use to enhance their FINRA compliance:

Strong Password Enforcement

One of the best security configurations to apply in any organization is a requirement that users choose strong, complex passwords that include uppercase and lowercase letters, numbers, special characters, and even spaces. The longer the password and the more character types it contains, the harder it is to guess or to crack by brute force.

Multifactor Authentication for User Accounts

In addition to creating stronger passwords, another top-tier security setting is to enable dual or multifactor authentication (DFA or MFA) for user accounts. These authentication methods combine two or more of:

  1. Something the user knows (a password),
  2. Something the user has (an authentication token), and
  3. Something the user is (biometric data).

Disabling the Ability to Log into Another User’s Active Sessions

On macOS devices, there is a privilege that can be set to allow users to unlock another user’s active session, potentially allowing unauthorized persons to view sensitive or personal information. Disabling this privilege is strongly recommended.

Enabling “Stealth Mode” for Computers

Stealth mode is a security configuration that keeps computers from responding to unsolicited probes—helping to stop certain types of cyberattacks that attempt to steal authentication data by querying assets on the network.

Restricting App Stores to Updates Only

Many mobile devices used in financial organizations have a built-in “app store” to allow users to download new software. Some apps, unfortunately, may have vulnerabilities (either intentional or accidental) that can be used to compromise the security of the device they’re installed on. Restricting the app store to updates only minimizes the risk of downloading insecure software, making this one of the best security configurations to apply to mobile devices.
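The three settings above (strong passwords, firewall stealth mode and an updates-only App Store) can be delivered to Macs as a single configuration profile. The following added example, not Kandji's code, builds such a profile with Apple's documented payload types and keys and audits a profile for those settings; the identifier `com.example.finsec.baseline` and the password thresholds are assumptions.

```python
import plistlib
import uuid

PROFILE_ID = "com.example.finsec.baseline"  # constructed placeholder identifier


def payload(payload_type, suffix, **settings):
    """One payload dictionary with the keys every profile payload must carry."""
    base = {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": PROFILE_ID + "." + suffix,
            "PayloadUUID": str(uuid.uuid4()).upper()}
    base.update(settings)
    return base


def build_baseline_profile():
    """Profile enforcing strong passwords, firewall stealth mode and an updates-only App Store."""
    return {
        "PayloadType": "Configuration", "PayloadScope": "System", "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID, "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Financial services baseline",
        "PayloadContent": [
            # Strong password enforcement: length, mixed character classes, history, rotation.
            payload("com.apple.mobiledevice.passwordpolicy", "password",
                    allowSimple=False, requireAlphanumeric=True, minLength=14,
                    minComplexChars=2, pinHistory=10, maxPINAgeInDays=90),
            # Stealth mode: the application firewall stops answering unsolicited probes.
            payload("com.apple.security.firewall", "firewall",
                    EnableFirewall=True, EnableStealthMode=True),
            # App Store limited to software updates (key contains dashes, hence the dict).
            payload("com.apple.appstore", "appstore",
                    **{"restrict-store-softwareupdate-only": True}),
        ],
    }


def audit_profile(profile):
    """Check a .mobileconfig (plist bytes) or parsed dict for the three baseline settings."""
    if isinstance(profile, bytes):
        profile = plistlib.loads(profile)
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    pw = by_type.get("com.apple.mobiledevice.passwordpolicy", {})
    fw = by_type.get("com.apple.security.firewall", {})
    store = by_type.get("com.apple.appstore", {})
    return {
        "strong_password": pw.get("minLength", 0) >= 12 and bool(pw.get("requireAlphanumeric")),
        "stealth_mode": bool(fw.get("EnableFirewall")) and bool(fw.get("EnableStealthMode")),
        "store_updates_only": bool(store.get("restrict-store-softwareupdate-only")),
    }
```

`plistlib.dumps(build_baseline_profile())` yields the bytes to save as a `.mobileconfig` and upload to an MDM; `audit_profile` accepts either those bytes or a profile exported from an existing deployment.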

Log Retention Security Settings

Archiving and retaining system, firewall, authorization, and installation logs can help users track important events that may impact network security. Additionally, changing security settings to ensure these logs are not deleted can be crucial for FINRA document retention.

FISMA and Security Settings

FISMA, or the Federal Information Security Management Act, as noted by TechTarget, “defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats.” According to TechTarget, the nine steps of FISMA compliance are:

  1. Categorize the information to be protected.
  2. Select minimum baseline controls.
  3. Refine controls using a risk assessment procedure.
  4. Document the controls in the system security plan.
  5. Implement security controls in the appropriate information systems.
  6. Assess the effectiveness of the security controls once they have been implemented.
  7. Determine agency-level risk to the mission or business case.
  8. Authorize the information system for processing.
  9. Monitor the security controls on a continuous basis.

Setting specific security configurations can help to address a few of these steps. Some examples of the best security configurations to apply for FISMA compliance include:

Enabling Security Auditing and Auditing Flags

Security configurations that allow IT managers to check the audit log for the Operating System (OS) kernel and the system calls it processes can be useful for identifying suspicious activity during an audit.
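On macOS the kernel audit subsystem is configured in /etc/security/audit_control, whose flags: line selects the event classes recorded. The following added example, not Kandji's code, checks such a file against a baseline set of classes; the baseline and the sample file content are assumptions constructed for the example.

```python
# Required audit event classes (assumed baseline, modelled on common macOS hardening
# guides): login/logout, authentication, administrative actions, file reads/writes,
# plus failure of every event. These are not an Apple or FINRA requirement.
REQUIRED_CLASSES = {"lo", "aa", "ad", "fd", "fm"}
REQUIRED_FAILURES = "-all"

# Constructed sample of /etc/security/audit_control (not taken from a real host).
SAMPLE_AUDIT_CONTROL = """\
# audit_control
dir:/var/audit
flags:lo,aa,ad,fd,fm,-all
minfree:25
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:60d
"""


def parse_audit_control(text):
    """Return the file's key:value directives, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def audit_flag_gaps(text):
    """List required audit classes the flags: line does not cover (empty list = compliant)."""
    conf = parse_audit_control(text)
    flags = {f.strip() for f in conf.get("flags", "").split(",") if f.strip()}
    everything = "all" in flags  # 'all' audits every class for success and failure

    def covered(cls):
        # a class counts only if selected and not removed again with the ^ prefix
        return (everything or cls in flags) and "^" + cls not in flags

    gaps = sorted(c for c in REQUIRED_CLASSES if not covered(c))
    if not (everything or REQUIRED_FAILURES in flags):
        gaps.append(REQUIRED_FAILURES)
    return gaps
```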

Monitoring Location Services for Mobile Devices

Forcing the use of “Where’s My Mac” or similar location services can help prevent the loss of mobile devices and mitigate the risk of data stored on mobile devices becoming compromised. Using location services can be one of the best security settings for preventing device and data loss.

Application Blacklisting/Whitelisting

Application blacklisting is a security setting that creates a list of applications that a system should never run—which is useful for guarding against known malicious software. Application whitelisting creates a list of trusted programs—blocking any other program from running. Blacklisting requires frequent updates but makes it easier to add new software to IT assets. Whitelisting is more secure, but a legitimate program that isn’t on the approved list will be blocked from running at all, so stricter management is necessary.

These are just a few of the security configurations that can be useful for achieving goals such as establishing baseline security controls to prevent data theft. However, to truly achieve FISMA compliance, organizations need to have a way of monitoring the security configurations they’ve set. That’s where Kandji can help.

Kandji provides a platform for improving security settings on macOS devices and actively monitoring the security status of these devices from a single, centralized dashboard. This helps financial organizations demonstrate their compliance with FISMA’s rules.

Curious about how Kandji can help your financial organization achieve compliance by managing your security settings? Try out Kandji on up to 10 Macs!
