NCUA ACET & its New Cybersecurity Standards
With Internet of Things (IoT) and Bring Your Own Device (BYOD) growing exponentially every year, financial institutions stand to see key benefits in facilities cost reduction and employee productivity. But credit union executives must also ask – what are the unseen risks of becoming more connected?
For example, the facilities department might implement online thermostats to remotely control HVAC systems, lighting, or time clocks. Employees might bring their own mobile devices to connect to the enterprise network, unaware that their devices might be infected with malware or a virus, and unwittingly allow it to spread laterally into the company. All these behaviors, while productive, can also put the institution at severe risk because they leave a potential hole in the network – the ability for a bad actor to attack unsecured Internet of Things devices that lack proper security or access controls, and/or the personal mobile devices (iPads, phones, etc.) of unaware employees.
The Shift to a New Examination Tool
The NCUA issued a statement warning of increasing cybersecurity vulnerabilities for federally-insured credit unions and financial services market participants, including ransomware, malware and phishing attacks, identity theft, denial of service, ATM skimming, pandemic-themed attacks and supply chain attacks – the latter being a significant threat due to the multiple parties that must work together to deliver financial services to consumers.
The NCUA has recently moved to a new security examination tool called the Automated Cybersecurity Examination Tool (ACET). Previously, in 2015, the NCUA used only the Cybersecurity Assessment Tool (CAT) to identify cyber threats and test credit unions' security readiness. The NCUA ACET is based on the CAT, but it adds security control validation and includes an easy-to-read dashboard. According to a report from the NCUA, the purpose of the ACET was not to be a long-term examination program, but to “benchmark” credit unions, measuring the industry’s cybersecurity preparedness.
Initially, the NCUA began reviewing credit unions with $1 billion or more in assets using the ACET, refining the tool throughout the process to ensure it could scale properly for smaller, less complex credit unions.
What This Means for Credit Unions
With the shift to the NCUA ACET, it is now necessary for credit unions to have certain controls in place in order to pass NCUA audits. Of the five domains laid out in the ACET, Domain 3 is perhaps the most critical when it comes to cybersecurity, as it examines the necessary preventive, detective and corrective cybersecurity controls.
In the end, credit union CIOs and CISOs have a responsibility to protect their members and their financial data. This year, as the security talent crisis grows, breaches get more complicated and IoT/BYOD device attacks get more severe, an easy-to-implement NAC solution should be at the top of their list.
Portnox CLEAR & the NCUA ACET
As the NCUA audits continue to expand, many credit unions struggle with finding an effective solution to meet Domain 3 controls within the ACET framework.
Fortunately, Portnox CLEAR provides the network access control, endpoint awareness, risk and real-time remediation capabilities that either directly meet or contribute substantially to many of the most difficult Domain 3 audit areas and requirements.
Statement Number | Domain | Assessment Factor | Component | Maturity Level | Category Declarative Statement | Portnox Value | Explanation |
---|---|---|---|---|---|---|---|
188 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. | Contributes | Portnox's own passwords and usage of passwords comply with that requirement. |
189 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | All ports are monitored. | Meets | Portnox Clear will monitor all ports for switches configured to work with Clear. |
190 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | Up to date antivirus and anti-malware tools are used. | Meets | Portnox verifies that the installed antivirus and anti-malware is up to date and can trigger an update as well. |
192 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | Ports, functions, protocols and services are prohibited if no longer needed for business purposes. | Contributes | Portnox can monitor the usage of services on desktops and servers and also prevent their use (enforcing a policy). |
194 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | Programs that can override system, object, network, virtual machine, and application controls are restricted. | Meets | With Portnox you can monitor the installed and in-use applications and prevent unauthorized programs from executing on the endpoint. |
196 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) | Meets | Portnox performs the authentication to wireless networks; you can enforce in Portnox that certain SSIDs use ONLY secure protocols. |
199 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Evolving | Technical controls prevent unauthorized devices, including rogue wireless access devices and removable media, from connecting to the internal network(s). | Meets | Portnox Clear provides network technical controls to prevent unauthorized devices, including rogue wireless access devices and removable media, from connecting to the internal network protected by Clear. |
201 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Evolving | Guest wireless networks are fully segregated from the internal network(s). (*N/A if there are no wireless networks.) | Meets | Portnox Clear supports guest wireless management and segmentation. |
205 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Intermediate | The enterprise network is segmented in multiple, separate trust/security zones with defense-in-depth strategies (e.g., logical network segmentation, hard backups, air-gapping) to mitigate attacks. | Meets | Portnox Clear fully supports network segmentation (VLAN) and assures authorized devices are placed in the correct segment based on access control policy. |
206 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Intermediate | Security controls are used for remote access to all administrative consoles, including restricted virtual systems. | Meets on some architectures | Portnox can be used to verify that only endpoints with the correct security controls can connect to remote consoles / virtual systems which are behind an RDP gateway, VPN or similar gateway. |
207 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Intermediate | Wireless network environments have perimeter firewalls that are implemented and configured to restrict unauthorized traffic. (*N/A if there are no wireless networks.) | Contributes | Portnox Clear can control and assure that only authorized devices are able to connect to specific AP/SSID(s). Portnox Clear can manage guest WiFi |
208 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Intermediate | Wireless networks use strong encryption with encryption keys that are changed frequently. (*N/A if there are no wireless networks.) | Contributes | |
213 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Advanced | Anti-spoofing measures are in place to detect and block forged source IP addresses from entering the network. | Contributes | Portnox Clear can control and assure that only authorized devices are able to connect to specific AP/SSID(s) — supporting certificate and/or company credential authentication. |
214 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Innovative | The institution risk scores all of its infrastructure assets and updates in real time based on threats, vulnerabilities, or operational changes. | Contributes | Portnox Clear is aware of endpoint risk. Portnox Clear can block or alert based on the associated policy/risk score assessment. Portnox Clear can block devices from network access if they reach a blocking level of risk. |
215 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Innovative | Automated controls are put in place based on risk scores to infrastructure assets, including automatically disconnecting affected assets. | Meets | Portnox Clear supports risk-based (risk score) access controls. Devices first connecting to the network must both authenticate and also be at an acceptable risk level. |
218 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege. | Contributes | Portnox Clear can control network access and segmentation based on associated group policy. |
219 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Employee access to systems and confidential data provides for separation of duties. | Contributes | Portnox Clear can control network access and segmentation based on associated group policy. |
220 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls). | Contributes | Portnox can monitor who has administrative privileges on local systems and alert on changes. |
223 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Identification and authentication are required and managed for access to systems, applications, and hardware. | Contributes | Portnox Clear can control network access and segmentation based on associated group policy. |
227 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) | Contributes | Portnox manages the segmentation of systems between environments – thus creating the basis for segregation between production and non-production systems. |
229 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | All passwords are encrypted in storage and in transit. | Comply | Portnox's own passwords and usage of passwords comply with that requirement. |
230 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). | Contributes | All communication with Portnox Clear is TLS encrypted. |
231 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) | Meets | Portnox Clear provides real-time endpoint compliance validation against a defined policy. The risk policy can include validation that endpoint encryption is enabled and if not, alerts can be generated and device access can be limited or restricted. |
232 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. | Meets | Portnox Clear can elevate existing remote access with zero trust: full remote endpoint risk awareness, real-time remediation to help assure remote endpoints stay compliant, and 2FA for remotely connecting devices. |
233 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. | Meets | Unauthorized software is reported immediately when it is installed, so action can be taken to uninstall it. |
241 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Intermediate | The institution has implemented tools to prevent unauthorized access to or exfiltration of confidential data. | Contributes | Portnox Clear supports endpoint risk and remediation policies that can assure removable storage is not connected to company-issued devices. |
244 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Intermediate | All physical and logical access is removed immediately upon notification of involuntary termination and within 24 hours of an employee’s voluntary departure. | Contributes | Integration with Directory Services; changes propagate to Clear. |
245 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Intermediate | Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution’s network and/or systems and applications. | Meets | Ability to place contractors on specific network segment/VLAN. |
248 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Intermediate | Controls are in place to prevent unauthorized access to collaborative computing devices and applications (e.g., networked white boards, cameras, microphones, online applications such as instant messaging and document sharing). (* N/A if collaborative computing devices are not used.) | Contributes | Portnox Clear supports endpoint risk and remediation policies that can assure only authorized USB devices are connected to company-issued endpoints. |
251 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Innovative | Adaptive access controls de-provision or isolate an employee, third-party, or customer credentials to minimize potential damage if malicious behavior is suspected. | Meets | Policy based dynamic VLAN assignment. |
254 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Innovative | The institution is leading efforts to create new technologies and processes for managing customer, employee, and third-party authentication and access. | Contributes | Portnox Clear provides network access controls that can support employee, customer and third-party access requirements. |
256 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Baseline | Controls are in place to restrict the use of removable media to authorized personnel. | Meets | Group level policy controls to allow only authorized USB devices. |
257 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | Tools automatically block attempted access from unpatched employee and third-party devices. | Meets | Risk based access controls includes OS patch validation. |
258 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | Tools automatically block attempted access by unregistered devices to internal networks. | Meets | Only authorized, authenticated and risk compliant devices can get network access. Others access denied. |
259 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | The institution has controls to prevent the unauthorized addition of new connections. | Meets | Portnox assures only authorized valid devices are able to access the network. Unauthorized devices are denied access or moved to a guest or other VLAN based on policy. |
260 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | Controls are in place to prevent unauthorized individuals from copying confidential data to removable media. | Meets | Group level policy controls to allow only authorized USB devices. |
261 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | Antivirus and anti-malware tools are deployed on end-point devices (e.g., workstations, laptops, and mobile devices). | Contributes | Risk and remediation policy can assure AV is deployed, running and updated. |
263 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | The institution wipes data remotely on mobile devices when a device is missing or stolen. (*N/A if mobile devices are not used.) | Meets | Portnox has options to remote wipe mobile devices. |
265 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Intermediate | Mobile device management includes integrity scanning (e.g., jailbreak/rooted detection). (*N/A if mobile devices are not used.) | Meets | Portnox mobile risk validation includes check if jailbroken/rooted. |
267 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Advanced | Employees’ and third parties’ devices (including mobile) without the latest security patches are quarantined and patched before the device is granted access to the network. | Contributes | Portnox risk policy can check patch status and either block or place in quarantine VLAN. |
284 | 3: Cybersecurity Controls | 2: Detective Controls | 1: Threat and Vulnerability Detection | Baseline | Antivirus and anti-malware tools are used to detect attacks. | Contributes | Portnox risk policy continuously checks the existence of those tools on the endpoints. |
289 | 3: Cybersecurity Controls | 2: Detective Controls | 1: Threat and Vulnerability Detection | Evolving | Antivirus and anti-malware tools are updated automatically. | Meets | Portnox risk policy continuously checks the configuration and the automatic update of those tools on the endpoints. It can also remediate issues with that configuration automatically. |
307 | 3: Cybersecurity Controls | 2: Detective Controls | 2: Anomalous Activity Detection | Evolving | Logs provide traceability for all system access by individual users. | Contributes | Portnox provides logs associated with all authorized network access as well as alerts/logs of unauthorized access attempts. |
317 | 3: Cybersecurity Controls | 2: Detective Controls | 2: Anomalous Activity Detection | Advanced | A system is in place to monitor and analyze employee behavior (network use patterns, work hours, and known devices) to alert on anomalous activities. | Contributes | Portnox Clear awareness of network access, users/devices, etc. can contribute to meeting this requirement. |
320 | 3: Cybersecurity Controls | 2: Detective Controls | 2: Anomalous Activity Detection | Innovative | The institution has a mechanism for real-time automated risk scoring of threats. | Contributes | Portnox Clear supports risk/compliance awareness of company employees' devices. |
321 | 3: Cybersecurity Controls | 2: Detective Controls | 2: Anomalous Activity Detection | Innovative | The institution is developing new technologies that will detect potential insider threats and block activity in real time. | Contributes | Portnox Clear allows only authorized compliant devices on to the network/network segment based on policy. |
323 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Baseline | Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. | Contributes | Portnox Clear provides alerts on all network access (allowed or denied) and can integrate with an existing SIEM. |
324 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Baseline | Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. | Meets | Portnox Clear is aware of any/all devices connecting to the network. Unauthorized devices can be blocked or moved to a specified segment (i.e. internet only, etc.). |
326 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Baseline | The physical environment is monitored to detect potential unauthorized access. | Meets | Portnox Clear is aware of any/all devices connecting to the network. Unauthorized devices can be blocked or moved to a specified segment (i.e. internet only, etc.). |
327 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Evolving | A process is in place to correlate event information from multiple sources (e.g., network, application, or firewall). | Contributes | Portnox Clear provides alerts on all network access (allowed or denied) and can integrate with an existing SIEM. |
329 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Intermediate | Event detection processes are proven reliable. | Contributes | |
330 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Intermediate | Specialized security monitoring is used for critical assets throughout the infrastructure. | Contributes | Portnox Clear is aware of any/all devices connecting to the network. Unauthorized devices can be blocked or moved to a specified segment (i.e. internet only, etc.). |
331 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Advanced | Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices. | Contributes | Portnox Clear supports real-time endpoint remediation, helping to assure end-user devices stay in a compliant state (make sure the firewall is running, AV, etc.). |
332 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Advanced | Real-time network monitoring and detection is implemented and incorporates sector-wide event information. | Meets | Portnox Clear is aware of any/all devices connecting to the network. Unauthorized devices can be blocked or moved to a specified segment (i.e. internet only, etc.). |
333 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Advanced | Real-time alerts are automatically sent when unauthorized software, hardware, or changes occur. | Contributes | Portnox Clear supports real-time endpoint remediation, helping to assure end-user devices stay in a compliant state (make sure the firewall is running, AV, etc.). Alerts on any changes and the resulting remediation actions are logged. |
335 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Innovative | The institution is leading efforts to develop event detection systems that will correlate in real time when events are about to occur. | Contributes | Portnox Clear is aware of any/all devices |
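Several rows above describe the same underlying mechanism from different angles: a device must authenticate and be registered, its posture (AV, patches, encryption, jailbreak status) is scored, and the score drives an automatic outcome such as a corporate VLAN, a quarantine segment, a guest segment or a disconnect (statements 215, 251, 257, 258, 259, 265 and 267), with every decision logged for a SIEM (323, 327). The following is an added illustrative example of that policy logic, written for this page; it is not Portnox code and does not reflect how Portnox CLEAR is configured. The VLAN numbers, risk weights, the blocking threshold and the sample endpoints are all assumed or constructed values.

```python
# Added illustrative example (not Portnox code): a policy-driven NAC decision
# mapping endpoint identity and posture to an access outcome. VLAN ids,
# risk weights and the threshold are assumed values.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed segment layout: a corporate VLAN per directory group, an
# internet-only guest VLAN, and a remediation VLAN reaching only update servers.
GROUP_VLAN = {"finance": 110, "it": 120, "contractors": 150}
GUEST_VLAN = 200
QUARANTINE_VLAN = 999
BLOCK_THRESHOLD = 70  # assumed: at or above this score the device is disconnected


@dataclass
class Endpoint:
    mac: str
    authenticated: bool      # passed the 802.1X certificate or directory credential check
    registered: bool         # known in the device inventory
    group: Optional[str]     # directory group used for segment assignment
    av_running: bool = True
    av_updated: bool = True
    os_patched: bool = True
    disk_encrypted: bool = True
    rooted: bool = False     # jailbroken / rooted mobile device


@dataclass
class Decision:
    action: str              # "allow", "quarantine", "guest" or "deny"
    vlan: Optional[int]
    reasons: List[str] = field(default_factory=list)


def risk_score(ep: Endpoint) -> Tuple[int, List[str]]:
    """Return (score, findings) for the posture checks the risk policy covers.
    Weights are assumed: one missing control lands in quarantine, while a rooted
    device or a combination of failures crosses BLOCK_THRESHOLD."""
    score, findings = 0, []
    if not ep.av_running:
        score += 40; findings.append("av_not_running")
    elif not ep.av_updated:
        score += 20; findings.append("av_out_of_date")
    if not ep.os_patched:
        score += 30; findings.append("os_unpatched")
    if not ep.disk_encrypted:
        score += 25; findings.append("disk_not_encrypted")
    if ep.rooted:
        score += 100; findings.append("rooted_device")
    return score, findings


def decide(ep: Endpoint) -> Decision:
    """Authenticate first, then require a registered device, then apply posture."""
    if not ep.authenticated:
        return Decision("deny", None, ["authentication_failed"])
    if not ep.registered:
        # Authenticated but unknown (e.g. a guest credential): internet-only segment.
        return Decision("guest", GUEST_VLAN, ["unregistered_device"])
    score, findings = risk_score(ep)
    if score >= BLOCK_THRESHOLD:
        return Decision("deny", None, findings + [f"risk_score={score}"])
    if findings:
        # Reachable only by remediation services until the findings clear.
        return Decision("quarantine", QUARANTINE_VLAN, findings + [f"risk_score={score}"])
    if ep.group not in GROUP_VLAN:
        return Decision("deny", None, ["no_segment_for_group"])
    return Decision("allow", GROUP_VLAN[ep.group], [])


def event_line(ep: Endpoint, d: Decision) -> str:
    """Key=value event for a SIEM; emitted for allowed and denied access alike."""
    vlan = d.vlan if d.vlan is not None else "-"
    return (f"nac_decision mac={ep.mac} action={d.action} vlan={vlan} "
            f"reasons={','.join(d.reasons) or '-'}")


if __name__ == "__main__":
    # Constructed sample endpoints, not real inventory data.
    samples = [
        Endpoint("aa:bb:cc:00:00:01", True, True, "finance"),
        Endpoint("aa:bb:cc:00:00:02", True, True, "it", os_patched=False),
        Endpoint("aa:bb:cc:00:00:03", True, True, "it", av_running=False, os_patched=False),
        Endpoint("aa:bb:cc:00:00:04", True, False, None),
        Endpoint("aa:bb:cc:00:00:05", False, True, "finance"),
        Endpoint("aa:bb:cc:00:00:06", True, True, "contractors", rooted=True),
    ]
    for ep in samples:
        print(event_line(ep, decide(ep)))
```

The ordering in `decide` is the point an auditor will probe: identity is established before posture is consulted, unregistered devices never reach a corporate segment even when their posture is clean, and a single missing control leads to quarantine (where it can be patched, per statement 267) rather than silent admission, while severe or combined failures disconnect the device outright (statement 215). Emitting an event for every outcome, not only denials, is what gives the SIEM the traceability rows 307 and 323 ask for.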
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.
About CDM InfoSec Awards
This is Cyber Defense Magazine’s ninth year of honoring global InfoSec innovators. Our submission requirements are for any startup, early stage, later stage or public companies in the INFORMATION SECURITY (INFOSEC) space who believe they have a unique and compelling value proposition for their product or service. Learn more at http://www.cyberdefenseawards.com
About the Judging
The judges are CISSP, FMDHS, CEH, certified security professionals who voted based on their independent review of the company submitted materials on the website of each submission including but not limited to data sheets, white papers, product literature and other market variables. CDM has a flexible philosophy to find more innovative players with new and unique technologies, than the one with the most customers or money in the bank. CDM is always asking “What’s Next?” so we are looking for Next Generation InfoSec Solutions.
About Cyber Defense Magazine
With over 5 Million monthly readers and growing, and thousands of pages of searchable online infosec content, Cyber Defense Magazine is the premier source of IT Security information for B2B and B2G with our sister magazine Cyber Security Magazine for B2C. We are managed and published by and for ethical, honest, passionate information security professionals. Our mission is to share cutting-edge knowledge, real-world stories and awards on the best ideas, products and services in the information technology industry. We deliver electronic magazines every month online for free, and special editions exclusively for the RSA Conferences. CDM is a proud member of the Cyber Defense Media Group. Learn more about us at https://www.cyberdefensemagazine.com and visit https://www.cyberdefensetv.com and https://www.cyberdefenseradio.com to see and hear some of the most informative interviews of many of these winning company executives. Join a webinar at https://www.cyberdefensewebinars.com and realize that infosec knowledge is power.