Guarding the Gate: Let's Break All the Rules
Let’s break all the rules. Accept a jump drive from someone you don’t know. Bring it to work and plug it into your workstation. Copy the files over, and if your computer warns that a program wants to communicate with a known malicious website, click ‘yes.’
Sound far-fetched? Perhaps. We’d all like to believe that no one in our credit unions would ever do anything like this. But they may not have to.
Let’s consider the incredible first. It is widely believed that scientists carried jump drives infected with the Stuxnet worm into a secret nuclear facility in Iran. Stuxnet, allegedly developed by another country, succeeded in gumming up the Iranian nuclear enrichment program for a while. But in the process, Stuxnet also succeeded in escaping “into the wild.”
That means that several variants of the highly sophisticated Stuxnet worm could be knocking on our doors one day, using their highly advanced “zero-day” attack mechanism to spread from one computer to another.
Zero-day attacks are the hacking world’s most potent weapons since they exploit software vulnerabilities that neither the software makers nor the antivirus vendors have seen.
Is your credit union ready for anything like a zero-day attack or advanced persistent threat? What would happen if your institution were attacked? Do you have the basics of security in place?
The most recent Verizon Data Breach Report noted that of the breaches studied, roughly 80% were purely victims of opportunity. The hackers simply found a security shortcoming they could take advantage of. This is akin to a burglar walking the neighborhood, checking to see who forgot to lock the door to their house.
In the vast majority of the breaches it was rather simple to breach the perimeter of the organization, and in most cases the breaches could have been prevented by the use of relatively simple controls. This sounds eerily familiar. In 2006 I gave several presentations underscoring the importance of mastering the basics in order to prevent security breaches. Six years later it seems that some organizations are still falling short with the basics.
There are a variety of basic security controls that should be standard operating procedure by now. Let’s run through a short list:
- System Configuration – Are all devices properly configured as recommended by the vendor or some other reputable, independent source such as NIST? Misconfigurations can often give an attacker a foothold.
- Antivirus/Antispyware – Although there will always be the threat of zero-day exploits, there is still a wealth of exploits for well-known vulnerabilities. Failing to protect the organization against known vulnerabilities leaves the organization unnecessarily exposed.
- Access Rights Management – Do employees have access only to the information they need in order to perform their job function? Are administrative rights restricted to those who truly need them? Often hackers will make use of existing IDs to carry out their nefarious deeds. You can make it more difficult for them by tightly controlling access rights.
- Vulnerability Scanning and Patch Management – Keeping your systems updated is very important. If a vendor releases an update that closes a security hole, it should be applied as soon as possible. Frequent scanning of systems for known vulnerabilities is equally important. It’s important to know where the holes are in the dike so you can plug them as quickly as possible. Sources such as Secunia can help you keep abreast of what’s going on in this area.
- Firewall, IDS/IPS, Web Filtering – Traffic to/from the outside world should be filtered and inspected. Your network should not be completely open to the outside world. Network traffic should be scanned for known malicious traffic patterns. It’s also important to filter the sites that your employees can visit.
- Log Review – It’s important to be able to identify what has happened on a computer network. This will give you the ability to detect a breach and help you investigate what has been compromised as a result.
- Security Awareness Training – Last but certainly not least, it’s important to educate the human at the keyboard. Many breaches today leverage some type of social engineering attack, and the amount of information posted online in places like Facebook makes it easier for hackers to customize their attack. This makes it more challenging for employees to identify what is suspect and what is not. Employees should be very cautious when opening documents, surfing the Internet, and handling media they have been given or found.
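To show what the Web Filtering and Log Review items buy you together, here is an added example (not from the original column) that replays the opening scenario as a defender would see it: it correlates a removable-media mount on a workstation with a web-filter denial for a known-malicious site shortly afterwards. The log format, host names, domain and time window are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp host source detail..." format.
# ws-teller-03 mounts a jump drive and, minutes later, something on it tries to
# reach a blocklisted site; ws-loan-07 does both but hours apart; ws-hr-01 has
# a denial with no media event at all.
SAMPLE_LOGS = """\
2012-05-14T08:02:11 ws-teller-03 usb mounted vendor=Generic serial=ABC123
2012-05-14T08:05:40 ws-teller-03 proxy GET evil-updates.example DENY
2012-05-14T08:06:02 ws-loan-07 proxy GET intranet.example ALLOW
2012-05-14T09:30:00 ws-loan-07 usb mounted vendor=Generic serial=XYZ789
2012-05-14T11:45:12 ws-loan-07 proxy GET evil-updates.example DENY
2012-05-14T12:00:00 ws-hr-01 proxy GET evil-updates.example DENY
"""

# Constructed stand-in for the web filter's "known malicious" category.
KNOWN_BAD = {"evil-updates.example"}
# How soon after a media mount a bad request counts as related (assumption).
WINDOW = timedelta(minutes=15)


def parse(lines):
    """Split each log line into (timestamp, host, source, remaining fields)."""
    events = []
    for line in lines.splitlines():
        ts, host, source, *rest = line.split()
        events.append((datetime.fromisoformat(ts), host, source, rest))
    return events


def correlate(lines, window=WINDOW):
    """Return (host, domain) pairs where a removable-media mount on `host`
    is followed within `window` by a proxy request for a known-bad domain."""
    mounts = defaultdict(list)  # host -> timestamps of media mounts
    hits = []
    for ts, host, source, rest in sorted(parse(lines), key=lambda e: e[0]):
        if source == "usb" and rest[0] == "mounted":
            mounts[host].append(ts)
        elif source == "proxy":
            domain = rest[1]
            recent = (timedelta(0) <= ts - m <= window for m in mounts[host])
            if domain in KNOWN_BAD and any(recent):
                hits.append((host, domain))
    return hits


if __name__ == "__main__":
    for host, domain in correlate(SAMPLE_LOGS):
        print(f"review {host}: media mounted, then request to {domain} denied")
```

The bare denial on ws-hr-01 still deserves a look, but the correlated pair is the one that matches the jump-drive story and should go to the top of the review queue.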
There is certainly no one silver bullet that will make all our challenges disappear. But ensuring that the basics are covered at your institution will go a long way toward preventing a security breach. Your behavior at your credit union can make the difference between a mild annoyance and a catastrophe.