The government is here to help!
Posted on 12/01/2015 at 11:46 AM by John Lande
Brian Krebs of Krebs on Security recently posted an article about the Department of Homeland Security's (DHS) program to test the cyber-defenses of private entities. Mr. Krebs is a well-known cybersecurity journalist who closely follows the development of cyber-threats and defenses, and the evolving cybersecurity legal framework.
According to Mr. Krebs, DHS operates a program called the National Cybersecurity Assessment and Technical Services (NCATS) to test for vulnerabilities. The DHS program originally focused on testing federal agencies' vulnerabilities but has since expanded to begin limited testing of some private entities. According to DHS's 2014 annual report, the NCATS program offers two kinds of testing: risk and vulnerability assessments (RVA) and cyber-hygiene assessments (CH). RVA is intended to perform vulnerability scanning and manual penetration testing using commercially available tools.
CH assessments, in contrast, focus more on an entity's cyber-perimeter by looking for vulnerabilities in internet-accessible systems. In 2014 DHS conducted 68 individual cyber-assessments. The 2014 report includes some helpful information for banks concerned about their cybersecurity. For example, DHS identified out-of-date software as one of the most significant vulnerabilities that organizations have. This vulnerability arises when employees fail to download and apply software patches. The report also notes that 46% of the RVAs conducted revealed easily guessable usernames and passwords.
Finally, the report notes that 25% of the phishing emails sent to employees resulted in a click on a malicious link. These statistics confirm that there are many easy steps a bank can take to help ensure its systems are protected from vulnerabilities. Regular software patching and employee training on phishing emails and password strength are just a few policies that a bank can implement to take an active role in its cyber-defense. Banks and their boards should consider whether they are doing everything they can to prevent cyber-attacks on their institution.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande
Categories: Cybersecurity Law, John Lande, Banking Law