DSNews delivers stories, ideas, links, companies, people, events, and videos impacting the mortgage default servicing industry.
Issue link: http://digital.dsnews.com/i/894814
of course, monitoring needs. These external companies have highly qualified and experienced staff that can monitor network traffic reactions to possible intrusion. They offer an alternative to an in-house-developed Security Operations Center (SOC) for those organizations that do not have the expertise themselves. Regardless of how monitoring is accomplished, it is imperative that it takes place. Internal monitoring via security information and event management (SIEM) can give a holistic view of a company's network and systems, and alert security officers to anomalies and suspicious activity.

Monitoring of threat activity is as important as the monitoring of internal events. To determine if the various software and systems that are deployed within a company's environment are vulnerable to attack, the company must be aware of the versions of code and firmware it is running. Remember to review all of the company's systems and software, old and new. While new code may have a few bugs, often new vulnerabilities are found within very old code that has been used successfully for years. There is greater risk with the older code because new software is regularly built on old code libraries and segments, and companies may be unknowingly susceptible to the exploits.

There are numerous services and websites that can be used to identify the latest breaches, attacks, and vulnerabilities. Some of these sites include:
» US-Cert.gov
» Exploit-DB.com
» SANS NewsBites and @RISK
» Nist.gov
» ZeroDayInitiative.com (announcements for zero-day vulnerabilities are on their Twitter feed)
» DataBreachToday.com
» Snopes.com
» Symantec.com
» Various manufacturers' sites

It is important to be aware of new vulnerabilities because once they are discovered, it is only a matter of time before they will be used by hackers to try and compromise unsuspecting networks.
REACT AND REMEDIATE

After implementing all of the proper controls and toughest encryption on the best gear available, it is time to rest easy, correct? Not exactly. As identified in monitoring protocols, there are vulnerabilities found in both new and old code daily. Subscriptions to cybersecurity lists such as US-CERT and others confirm this, and set off a chain reaction of events that trigger the next course of action: remediation. Once these vulnerabilities have been identified and posted, companies only have a small amount of time to patch their systems. This is the part where reaction time is critical. The longer systems remain unpatched against new vulnerabilities, the greater the odds that one of these vulnerabilities may affect the business.

There are various published standards for remediation time based on the severity of the vulnerability and its prevalence in the wild. The times generally range from several days for zero-day vulnerabilities, and as the severity decreases, the time allowed to patch increases. Depending on the complexity of applying the necessary patches, firmware, and updates, the company may be vulnerable for longer than necessary. In some cases, companies may opt to wait before applying the patches for fear that they may adversely affect their systems. This is a standard methodology adopted by information technology experts: watch new software and only adopt it once the bugs and inconsistencies have been worked out. But it is a dangerous gamble when racing a clock and betting on the fact that the company will not be targeted.

ADAPT OR DIE

To make assumptions based on the idea that hackers only target large businesses and companies that have high-value data like the mortgage servicing industry is wrong. Examining the recent "WannaCry" and "NotPetya" attacks, the groups that released these did not target individuals but rather sent them out in a wide scope.
The malicious actors themselves were unaware of how successful their worldwide cyber attack would be, and were not prepared for the fallout of the attack. Some of the 200,000 victims of the ransomware probably thought that they would have sufficient time to remediate their systems. This is why companies cannot afford to hesitate too long in this new cyber landscape. They should be fostering the security-led decision-making process and implementing new procedures within these companies to facilitate more aggressive patch cycles, and decrease the amount of time to remediate new vulnerabilities.

Those in the mortgage field services industry know that their servicing clients are well aware of the same vulnerabilities when they are released, and how damaging they can be. These clients, as part of their own due diligence, are reaching out to their field services partners and requesting posture assessments of new threats. This is why field services companies and their security leaders should not only be first to evaluate, mitigate, and remediate environments, but also take the lead and proactively inform their servicing partners of their positions to demonstrate that they understand the risks, and take them seriously.

EXCEPTIONS TO THE RULE

As mentioned, there are times when it is necessary to maintain deprecated and sometimes older standards, but this should be done with full understanding of the risks involved. There also should be mitigating controls in place to monitor the systems and events for anomalous activity that could be indicative of intruders and malicious software. One reason to maintain old standards is the interoperability with outside parties that have a more complex environment, or are not as agile, and are currently on old standards. Of course, while the current situation may dictate this position, companies should have a plan to migrate to supported protocols at the first opportunity.
Another case may be to support a legacy framework within a company that is incompatible with the newest protocols. These are only a couple of exceptions, and while each situation may be unique, reasons exist for not upgrading as quickly as needed.

Those entities that are looking to subvert a company's network and systems are counting on complacency. The mortgage servicing industry and its field services partners can no longer afford to merely meet security compliance standards, but should aggressively be pursuing a more stringent security posture. When implementing cryptographic controls, companies should opt for the highest common level that their environment can support to afford the most time before change becomes necessary. The cyber landscape has changed from the targeted attacks, and companies need to become more adaptable in preventing them.