News

09:42 AM
Kristi Nelson
Kristi Nelson
News
Connect Directly
RSS
E-Mail
50%
50%

Cornhusker Banks on People-Proof Security

It's the employees who provide final line of defense when it comes to protecting customer information.

When it comes to complying with the Gramm-Leach-Bliley Act (GLBA), technology is only part of the solution. After all, no matter how secure the data and systems, it's employees who provide the final line of defense when it comes to protecting customer information.

Educating users is critical, according to Craig Champion, senior vice president of bank operations at Cornhusker Bank, Lincoln, Neb. "Everyone plays a part in making sure information systems and customer information are maintained in a secure manner."

To provide that awareness, the bank contracted with CorpNet Security, a Las Vegas-based training firm. Prior to the GLBA deadline, Cornhusker employees were trained on privacy policies and procedures using CorpNet's PPS Aware. The goal: to protect the bank's systems and customer information.

"It's a combination of detection, prevention and awareness, that's really the key for these banks," said Rick Shaw, president of CorpNet, which offers a range of technology and training services called People Proof Security.

CorpNet's Web-based training and awareness program provides end users with core modules on e-mail and Internet usage, viruses, and accessing systems. It also instructs users on how to choose strong passwords, as well as some of the low-tech threats like dumpster diving and social engineering.

Employees use a unique user name and password to log in to the training, which is accessible 24 hours a day, seven days a week.

Not only does PPS eliminate the need for large classroom training sessions, but its modular format allows users to complete training in bite-sized chunks, or all at once, in less than two hours.

"This was really a much more preferable method of delivery, both from management's aspect, as well as from our employees viewpoint," said Jim Mastera, executive vice president at $224 million Cornhusker.

Administrative tools built into the system allow the bank to track employees' acceptance of policy information and awareness training. "As administrator, I could pull up every single user that was assigned to our bank and monitor completion," said Champion. "A user could go in and complete one or two or three sections, log out and then log back in and start right where they were. But I could monitor when they had completed everything."

Upon completion, employees are e-mailed a certificate, with an additional copy filed in Cornhusker's HR department.

Having documentation of its training and privacy policy recently helped the bank in meeting GLBA guidelines of managing and controlling access to customer information during a recent FDIC audit.

"We were able to describe our training function to them and it was obviously accepted," said Mastera. "We provided them with a copy of how it worked and the series of questions and the nature of how this was put forth and the records that were kept, and that certainly satisfied the request."

The same training will be provided to new employees. There's also an annual training provision that allows the bank to provide updates to employees on an ongoing basis.

Cornhusker plans to add additional technology solutions to its information security arsenal. The bank has signed agreements with CorpNet for three other people-proof security solutions, which it offers through a reseller agreement with WatchGuard Technologies, Seattle.

CorpNet's PPS Server collects and maintains encrypted log information, which is analyzed for critical events 24 hours a day. PPS Scan performs regular scans of all systems visible from the Internet, testing for more than a thousand security vulnerabilities. PPS Lock was designed to prevent intruder access, modification and destruction.

The bank's investment in security technology and awareness training provides returns that can't be easily measured on a balance sheet, Mastera said. "One of those is having a well-informed staff. And if that keeps you out of problems, that's a pretty good return."

---

Fast Facts

Institution: Cornhusker Bank

Assets: $224 million

Business Challenge: Ensure that employees are fully aware of privacy provisions of Gramm-Leach-Bliley Act.

Solution: CorpNet's PPS Aware

Keyquote: "Everyone plays a part in making sure information systems and customer information are maintained in a secure manner." -Craig Champion, Senior Vice President, Bank Operations

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Here is what the client expects us to develop...
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.