Organizational Security Assessments
Are you contributing to the security of your organization? Are you aware of your role? In today’s episode, Craig Jeffery, Managing Partner of Strategic Treasurer, shares insights and explores common testing exercises, the evolving security landscape, and practical recommendations for IT and treasury professionals. He also discusses the concepts of “Red Team” and “Blue Team” in regard to security, and how they play a crucial role in keeping your defenses current.
Visit SecureTreasury.com to learn more.
Download the Secure Clamps eBook here.
Jonathan Jeffery, Strategic Treasurer
Craig Jeffery, Strategic Treasurer
Episode Transcription - Episode # 276: Organizational Security Assessments
Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym or wherever you decide to tune in.
Jonathan Jeffery 00:18
Expectations about how well organizations are doing in the defense of their assets are increasing among management teams. Large corporations, banks, and non-banking financial institutions are also rapidly increasing their expectations and requirements with their suppliers and vendors. I’m Jonathan, media production specialist at Strategic Treasurer. And today I have Craig Jeffery here with me. Hey, welcome to the show, Craig.
Craig Jeffery 00:42
Jon, it is good to be here. I’m excited to talk about this topic, which is of great interest, some knowledge and just some opinions.
Jonathan Jeffery 00:52
Yeah, today we’re gonna be discussing some of the general security landscape and implications for treasury and finance. There’s quite a few things we need to pay close attention to in this, do you want to start us off with what are some of the most common security testing exercises and practices that corporations are they’re running through right now and they’re starting to put on their requirements?
Craig Jeffery 01:14
Yeah, they’re doing this on their own, or they’re using it to respond to requests from outside organizations. One, and we’ve talked about this before, is about the human side: training and testing on cybersecurity generally, but also specifically on payment security. That’s one. The second is data loss prevention. This is less about exercises, but setting up tools to capture and prevent and report on the mass exfiltration of sensitive information, whether it’s bank account information, private PII, things like that. On the testing side, those would be things like vulnerability scanning, penetration testing, and monitoring and scoring. You know, kind of the more resilient, continual activity. So vulnerability scanning, penetration testing tends to be over a period of time or an event. And monitoring and scoring is, you know, tracking assets over time. Those are some of the most common areas that people look at. You know, you may come up with terms like red team and blue team. And some people categorize those as part of the penetration testing and others just, you know, see that as an overall security assessment practice.
Jonathan Jeffery 02:29
Yeah, we’ll get into the different teams in a minute. You mentioned something about the different tools that they’re using. Is QR codes one of those tools?
Craig Jeffery 02:39
I don’t know how common it is. We had that in one of our pen tests that we had run against us. I think I’ve talked to you about that. They tried to compromise people and our systems in different ways. And so they used QR codes, and they actually stuck them on postcards, sent them to employees’ homes, with a fake site for some free offer, sent across the board as a way of showing the potential for compromise. By using a QR code that could compromise a particular system, you’d go to a site that would load not a malicious, but an example payload that would prove the case that there’s a potential to be compromised through that method of social engineering: people scan a QR code, it compromises the device, it may even be a personal device, that they eventually use to gain insight and information into the company. Yeah, that could be part of it. I don’t think that’s common.
Jonathan Jeffery 03:41
That’s a pretty good way to do it, though, because QR codes are everywhere. And your first thing is to scan it.
Craig Jeffery 03:46
Not me, not anymore.
Jonathan Jeffery 03:47
You’ve got to start teaching people to manually type in a website, and you’ve got to know where that website is before you type it in.
Craig Jeffery 03:54
That’s just ruined me. You know, the other thing I learned is, if you had a really good pen test, you blocked like everything that they threw at you one year, you shouldn’t just rub it in to the pen testers about how they can’t compromise you in any way. Because they will, they will pull out all the stops. And the company we work with is great. But you know, I think I said too much. And they do use us in some ways as a guinea pig because we offer payment security training and security training. So they consider us a hardened asset, or at least educated staff. And so they create these scenarios and test them against us and then use them against some of their clients, which I guess is an honor, but it’s also less optimal, I guess, in some ways.
Jonathan Jeffery 04:39
Now you’re getting a first experience of what kind of things hackers are figuring out and looking to use against you.
Craig Jeffery 04:46
Oh, there’s other things that they’ve done too that are just like, okay, that was really creative. Every time I know we’re going through a pen test, they keep extending the timeframe as they’re rolling out more things to try to find some way to get someone to click on something or to respond in a certain way.
Jonathan Jeffery 05:03
Yeah, yeah. But if you live in a cave, you won’t ever get hacked.
Craig Jeffery 05:08
Yeah, not hacked digitally, right? If you unplug electricity, sure.
Jonathan Jeffery 05:13
So we talked a little bit about different types of vulnerability scanning. What is it in this general, broadest definition?
Craig Jeffery 05:21
Vulnerability scanning is seeing where your assets are vulnerable, you know, what might be unprotected? So do you have personally identifiable information, financial information, bank account information, any of that, is that exposed within your network, from outside or from within? So one of the things that we do, a number of years ago, we do work for banks, non-bank financial institutions like insurance companies, as well as large corporations. And it seems that banks, and then insurance companies, and then the largest corporations, and then other corporations, start asking for things. You know, when we first hear it from banks, it’s like, we’d like to see something on this, tell us what you do. And we know that it’s going to become a requirement for banks in the next year or the next two years. And then, you know, that’ll cascade from that to the insurance companies and eventually to the other ones, from cybersecurity, from a protection of assets, from a training perspective, all that’s going to flow down. So once that starts happening, we think, okay, we’ve got to do that. Not today. But if we don’t start doing it today, we won’t be ready. For example, for vulnerability scanning, we run it every month from external sources, as well as internal off our machines. So that looks and scans for any port weaknesses, it looks for unprotected data. Everything’s supposed to be secured, stored off site, but it looks at machines to see if there’s anything local, anything that’s accessible, that is some type of weakness, something not patched, something not running. So this runs all the time. And I’ll say when that’s run, in the beginning, it was always kind of interesting, because in the beginning it was like, okay, we have so much information, including, you know, it pulls up a lot of false positives in the beginning too.
So you have to mark those off. You have a presentation with a credit card on the presentation slide for credit card numbers, as an example. So it flags that as a, hey, you got card information, you got a Japanese tax ID or whatever, it pulls a bunch of false information. But it was also relentless back in those early days of finding everything on everyone’s machine, on the network. And so, you know, you move stuff out of it. So it gives you this, you have to clean it. And you run it again, and you get tighter and tighter. And so it gives you that regular process. I think when we started there, it was like either on pen test at least once a year. So we just started running every single month. And it’s relentless. So we have to fix things before you can move on. So that’s really what vulnerability scanning is. Where you’re exposed: assets, ports, there’s a huge range of items on there. This is not for IT people, but it’s just to understand what goes on there from a general business perspective.
Jonathan Jeffery 08:05
And on penetration testing, what are some of the different methods?
Craig Jeffery 08:10
Yeah, the goal of penetration is to see, you’re paying someone to see if they can break into your system, somehow break through. If they can, can they land in your system, and can they move laterally and compromise other assets once they land? They’re trying to find vulnerability. So we usually use a disclosed method. The blind method is where the pen testing company tries to create a complete inventory of your assets, figure out where your domains are, what IP addresses, et cetera, et cetera. We think, maybe that’s fine the first time you do it, but it’s much better to give them a list of all your IP addresses and assets. Tell them what you’re using, so that they don’t spend a week or two building up this inventory of what they’re going to attack. Give them that information, make it disclosed, as opposed to blind, so that they can spend their time really testing your system, not finding out what’s there. There’s external and internal components to that. You can have them only come in from the outside, or they can send you a device that you stick on your network, so it’s like someone planted something inside your organization and gained access that way, and they can control it remotely to see if they can probe and find any weaknesses by getting past your external firewalls, right, because you want to have protection beyond that. Just like, you know, a fort, you’ve got a great wall. But what if people get inside? What is the protection inside? So things like a compromised endpoint or rogue devices or other methods that people use to help detect if you have vulnerabilities. What can they find? How can you shut those down? Because you’d much rather have your ethical party, the pen tester, find those things and you shut them down as soon as you can. So those are some of the methods.
Now, the blue team, red team, some people view that separately. I view penetration testing as: you can have the red team, which is the pen test company, and the blue team is your inside resources. Red team is on offense, they want to find weaknesses, they want to penetrate the systems and security. They’re also supposed to provide some feedback to the defense. Sometimes they do it at the end. Sometimes they do it during an exercise, so that they can say, hey, we’ve compromised this, and so that the defense team can start patching those things so that the exercise can continue to develop. So that they can find more and more, instead of just finding the low-hanging fruit, and then it gets patched, and then you wait another six months or a year. It’s this whole feedback loop through the test and exercise where, you know, the blue team or the defensive team is maturing, the defense is making them stronger throughout the exercise.
Jonathan Jeffery 10:55
Without that continual feedback, by the time that you have things patched, they’d be out of date. And the attacks would be growing and changing. So you kind of need that feedback as you’re going through it, not just waiting for a final report.
Craig Jeffery 11:10
That’s true from how quickly you patch your systems. That’s a huge element of how secure you are. There’s going to be vulnerabilities that come up. Are you patching? You have a patching cadence that’s quick to fix those; that’s necessary from your firewall to the systems that you use to your website assets. That’s also true from a training perspective. You don’t just say I’m gonna get my staff trained every two years, or every year. Now it’s more, I’m going to train them regularly to keep track of things, and not doing that is an issue. And just like in this example, here’s vulnerability exploits come up, you have to patch them regularly, you have to test this on a regular basis. That kind of ties into the other area when we think about penetration testing: there’s monitoring and scoring systems. We use a particular one that monitors all of our assets, and also any suppliers that we have, as well as customers, that can monitor from an external standpoint, to show and look at the assets. So they do scans of the different assets you have available, the different domains. Are things being patched? Are they being hosted on different platforms that have had some type of compromise? Has there been any malware installed on any of the machines across the board? And I’ll tell you, it is really helpful to see the broader ecosystem that you work in from a customer and a partner perspective, to see what’s happening. But it’s also really, really effective because you can’t hire pen test teams to start every five days and continue to run a test that runs for two or three months, and just keep them starting every two weeks.
I guess you could, but it’s also very useful for us to have the systems poking and probing and monitoring and tracking everything all the time, giving scores, showing, it’s like, okay, web page headers, your DKIM stuff on your email isn’t as strong as it could be, or the encryption keys, you got some web assets that could be updated to, you know, 4000, as opposed to 2000. And this constant monitoring gives you scores. And that’s helped us quite a bit because it’s this constant area for our IT and security groups to patch, fix. Nothing sits there a long time because it’s flagged, it gets reported. And that’s also the working list of what needs to get fixed. So there’s never any guesswork about what has to be done. There’s just constant activity. So that’s another area of penetration testing. There’s a whole other group of, like, on your website assets, you can have security services run, check, make sure there’s no changes, validate, check against different lists. But that’s well beyond probably what we need to talk about today.
Jonathan Jeffery 14:01
Yeah, so a lot of this is about the red team that we’ve talked about: the social engineering, the QR code example at the beginning, the penetration testing, even getting into your emails and just reading your communications, phishing campaigns. One of the questions I have is, if you can outsource the red team, you probably should outsource the red team so that they can see your vulnerabilities more than you’re going to see yourself. But for the blue team, should you outsource this? Or should it be people within your organization who are building up these walls, these securities?
Craig Jeffery 14:35
I think that’s a good question. I mean, the outside testers coming in, I mean, if you’re a big enough organization, you can have your own red team and then also have external. I think your trading partners, you’re gonna want some independent test. I mean, that’s for sure. You want some independent tests, not some, hey, we’re all good, we did our own medical exam, we’re fine. So from the red team, that makes sense. On the blue team side, I think that depends on the size of the company, complexity, what you’re trying to do. My view is, I don’t believe that we have the ability to protect all of our assets on our own. It’s been that way for a long time. So we moved much of our data into the cloud, into very secure servers, data rooms. We didn’t feel, I didn’t think it was possible to stay as current with a fairly small company as what these groups that, you know, have armies of people who are built to keep their whole network secure and manage the process. And we have other elements that we can layer on, additional security on our own. But we certainly have our own resources as well, where we’re making sure the patches that are not automated are put through quickly, that we’re testing, seeing weaknesses, and principles, or practices, or maybe any weaknesses. But alerts, there’s all kinds of issues that can come up that are just sort of like, maybe this is not the best practice, or this is something else that’s going on, that you can fix, or you can make better. And that usually comes about from there’s industry knowledge that, hey, this is a better way to do that than this. And this just happens. And so starting to fix and improve your posture makes a significant way to improve what you’re doing.
Jonathan Jeffery 16:19
So whether the blue team and the red team, one or both, are outsourced, it’s still extremely important to take what you’ve learned and spread the awareness across your company, because if every person isn’t involved in training, security training and awareness, these attacks are still going to be effective.
Craig Jeffery 16:38
Yeah, and the level of detail that has to be taken through the organization is going to differ. You know, I said earlier, what do the criminal hackers try to do? They want to compromise your systems. How do they do that? They can’t just necessarily break through the front door and steal everything. So they try to gain some type of foothold. And then, as I mentioned, they try to move laterally. Like, if I get some credentials here, I can move laterally, get more credentials, and then I can eventually lock people out, I can lock up your hard drives, grant more permissions, and then, again, control and learn what’s going on, find out where value is, and whether it’s data or through some type of ransom, to leverage that, or even gain control of payment systems. You know, one example that one of our penetration testing companies told us is they were able to compromise, accessing a UPS system, you know, uninterruptible power supply? Yeah, they were able to find a hole and get into one of those systems, which had IDs and passwords, and the password wasn’t changed, or they were able to brute force onto that.
Jonathan Jeffery 17:46
In a battery?
Craig Jeffery 17:46
Yeah, well, it’s not like the ones under your desk. They’re bigger, more sophisticated ones, because they control the network and provide feedback. And so it has permissioning. And so they were able to gain control of that. And from that, then they were able to get over to the human resource system. They were able to use some of the internal permissions to probe and then land on the HR system. And then from there, you know, they just continued to expand. And so this moving laterally comes in areas you don’t think. And so I know you’re gonna say you shouldn’t have any batteries in your office, because that can be a point of vulnerability. Paper and pen, maybe not even ink, pencil. But that idea of wherever they can find a spot to land, they’ll find the weakest link, and then leverage that weak link to go elsewhere. And so that’s just kind of the, you know, you need a certain level of paranoia. And I’ve always said this, like, what’s paranoid today with security is commercially reasonable in a year and a half. It was like, this is so foolish, we don’t need to do that. A year and a half later, that’s what’s standard, and then a year and a half after that, it’s a dereliction of duties if you’re not doing that. And I don’t know if that timeframe is right. But every time we see something that seems crazy, it’s like, we got to put stuff in to fix it. Because that’s going to be the next, you know, the next issue. Let someone go to some other place to find their weakness.
Jonathan Jeffery 19:11
Yeah, let someone else scan this QR code. I can’t believe I was doing that.
Craig Jeffery 19:19
That ruined me on QR codes. I mean, it’s like.
Jonathan Jeffery 19:22
It’s not something you think about, but moving on from these color coded teams and responsibilities. What’s DLP?
Craig Jeffery 19:30
DLP stands for data loss prevention, you know, the exfiltration of information, getting information out. And people can take information out of the company by putting it on a thumb drive, or emailing it, or dropping it into some, you know, file sharing site. You have to minimize that. You have to prevent the exfiltration of that information, and it could be someone gains access to your system and then they want to pull that out. So it doesn’t have to be an employee. Could be an employee. It could be a contractor, it could be someone who’s gained access to someone’s credentials doing that. So data loss prevention is, you know, how is your system set up to monitor unusual activity, unusual movement of data. It can also be set up on emails, and hopefully many companies set that up on their email platform. So whether you’re using corporate Gmail, you’re using Microsoft 365, those have a lot of built-in functions that will track, for this is sensitive information, a lot of sensitive information has been sent out, and you have abilities to qualify what that is. And block: you know, this is a violation of the policy, that transfer has been stopped, and it reports it to the group so that you see it. So we deal a lot with clients with sensitive information. You can’t just email that stuff around; it exposes it. And so you have to use either secure mail, use a file sharing site, or ways you can operate where the data doesn’t get exposed to just regular traffic. It’s not passing over where people with sniffers can pull it out, or any relay system that’s allowed to pull it out. So you want it to be traveling securely from end to end, or not even be traveling but just being accessible, and they get alerted to where they can go get it.
Jonathan Jeffery 19:30
So as we look at this from an industry wide treasury, finance, what’s changing from an expectation perspective?
Craig Jeffery 19:38
Well, you said something earlier, which is really what’s changing. It’s like, you have to stay current on things. And so the speed, you know, speed matters. That’s one of the 12 security principles that we lay out in our book. We should probably put that in the footnotes so that people can download the security principles ebook that we have. But speed matters. And so we went from you need training, general cybersecurity training, to specific payment security training. But you go from training, to training and testing every year, every other year, to training and testing on an ongoing basis. So maybe it’s quarterly, maybe it’s semi-annually. That’s an element. Same thing with the expectations, is that everything will be patched within a week or two weeks, not months; your systems will be kept up to date. And the expectation, too, is that, I think maybe this is a bit of a projection, but I certainly think the projection or the perspective is that you have to have this ongoing monitoring. You can’t just do a pen test once a year, twice a year. You need to have that extra discipline where there’s smart adversaries trying to compromise your system. But the idea that you can have really, really smart systems probing, monitoring, tracking, and noticing differences over time, that is certainly a change from a perspective. It’s like, hey, we need to monitor these things. Companies should be monitoring these things on their own, and monitoring their other partners to see if they’re compromised, because you have a risk if you have trading partners that were compromised. Because I’m trying to land and expand: if I’m a criminal, a criminal hacker, I want to land in your system and then expand and move laterally, gain more control. Why wouldn’t they do that? If I can compromise one of your suppliers, then I have access; maybe our systems aren’t connected.
I want to find a way to get into the big payoff by going through other trading partners or suppliers, so as to be done. And I’ll say that your question’s a really good one. From the expectations perspective, the different partners we have, you know, we call them customers or clients, depending on the day and the mood. What are they expecting? They’re expecting everyone to maintain a strong security posture. But what do you mean by expecting to maintain a strong security posture? We have a number of clients where we have to submit our stuff through portals that show what we do: here’s our results of our latest pen test, here’s the answers to specific questions. And more and more commonly, we’ll get emails that say you’ve got to go to the site and look at this new CVE, or Common Vulnerabilities and Exposures. It’ll have a number, it’ll say this system was compromised or there was a violation of this, or tell us if your websites contain this type of information. So they’ll share that information, and you have to respond fairly quickly to that and give a response that shows you didn’t have that exposure, or you mitigated that exposure, or you’re addressing it with some other type of compensating controls. And so the speed with which you need to respond is really quite rapid. We have monitoring tools that track stuff all the time, and stuff pops up for us directly. And then usually there’s a one to three or four week delay before our customers will send it through the portals for that activity. But in the last month or so, we had one come up before it showed up in the monitoring tool, because they were using other monitoring tools to look for common vulnerabilities and then put something out. Now it wasn’t as severe as what we normally see come through there. But it’s a new standard. They’re asking for you to make sure you’ve patched these new and significant items.
So that’s the expectation: you’re moving to almost real-time monitoring, real-time patching, and real-time responsiveness to any particular issues that might be out there, any type of exploit or weakness.
Jonathan Jeffery 25:33
That’s great. And as we come to a close, what do you have to say to someone who says, All this information is good and great, I’m so glad IT takes care of that for us.
Craig Jeffery 25:43
I would say awesome. I guess what I would say is, depending on what your role is in Treasury, you want to know some of the broader context, because of what we do: we help people with their payment security assessments, we help them understand their role as superintendent of payments, superintendent of payments security, protector of some of those liquid assets in the company. And so you have to know some of what the other group is doing, in particular IT. You have to partner with them to do these things. So what should Treasury do? What should they think? The idea is, you have to have regular monitoring, like we talked about, you have to have testing, and people have to be trained. And so we also think that Treasury should understand that payment security assessments, your payment inventory, or payment processes, need to be both inventoried and assessed. Where are the weaknesses, the vulnerabilities? Just because you checked your external network and had a pen test, you had a vulnerability scan, you got a red team and a blue team, all that’s excellent generally, but you also need to do a payment security assessment. You have to have a full inventory of all your payment processes. You need to look at it for where are the weaknesses across a number of domains. If you’re not doing that, you are no longer achieving what’s considered commercially reasonable standards. I’ll just give you a real quick example. Or a couple examples. Maybe won’t be real quick. But I’ll give you a couple examples. On the card side, the PCI DSS standards, Payment Card Industry Data Security Standards, that’s been up for well over a decade. And it was, you have to protect the payment system, the payment network, cards; the costs were getting astronomical for losses. And so they have standards for controlling data security, what people do, and there’s annual attestations and review of that work. And so that payment channel added that.
Swift has their own Swift Customer Security Program, or CSP, which is another standard. If you’re on the Swift network, they want to make sure that there’s a minimum standard for those that are on the network. And so they have a whole standard. There’s external attestations. There’s just some things that we do for companies: review everything from the surface areas of attack, to training, to making sure that they comply. We help and assist companies there. And that’s for another messaging channel related to payments. I fully expect that to happen to, you know, the US ACH network and other standards, that companies with a certain volume or a certain set of activity need to have an annual way of reviewing it to protect these payment networks and payment rails. I think that’s inevitable. We’ve seen it with these two major ones. There’s certainly some more standards for some of the high volume users of the ACH network for protecting and tokenizing account information, to protect that information from being exposed or unencrypted. That is where things are going. Make sure you have done something recent, or you’ve reviewed and assessed your payment security processes.
Jonathan Jeffery 28:57
Well, thanks so much for sharing all this information on the podcast today, Craig. They’re everywhere. I bought a shirt recently and it had a QR code in it to go to the website of the shirt. They’re everywhere. You gotta watch out. Well, we talked about two different things that I want to leave notes on.
Craig Jeffery 29:00
It was my pleasure. It was fun talking about it. I was sad that you brought up the QR code thing again; that got me sad. I never use my phone to scan QR codes, almost. Not almost, but I’m just so suspicious, so. You have to watch out about the shirts, or like someone’s inserting QR codes too?
Jonathan Jeffery 29:30
You never know. Yeah, you never know. So we talked about two different things that I want to leave links to in the show notes. We talked a little bit about our online video series SecureTreasury, where we offer in-depth training and insights for common fraud types, best practices, and email security. You can find more information in the show notes. We also briefly mentioned our mini ebook. It’s a really cool ebook that we printed and became a real book last year for AFP, a little book that you could fit in your pocket, but if you want to download the digital version, it’s called “Payment Security and Fraud Prevention: The Principles of Secure Clamps.” And to learn more about that, follow that second link down in the podcast write-up.
Craig Jeffery 30:11
And scan the QR code that’s included there.
Jonathan Jeffery 30:14
Alright, thanks, everybody. Have a good week.
You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.