Breach Tests Reveal Weak Spots Despite Robust Firewalls
If the folks at TrustCC attempt to penetrate your security systems, chances are they’ll have some bad news for you.
Tom Schauer, CEO of the University Place, Wash.-based IT and security assessment firm, said in 2013, the company's employees gained access to the internal network at 63% of the credit unions they tested. Seventy-nine percent of the time they were able to compromise sensitive data, and escalate to domain admin privileges 58% of the time.
TrustCC's testing approach includes loading onto the target system a program that will give them remote control of the computer, Schauer explained. That, he added, is exactly what the bad guys are doing.
Schauer acknowledged credit unions spend a great deal of money and energy on cybersecurity. They’ll have solid firewalls but that doesn't assure security.
“They can have the strongest technical controls in the world, but if the hackers can find vulnerability or can trick an employee, all those strong controls on the perimeter are easily bypassed,” he warned. “You need internal layers of security, and that's where credit unions are often weak.”
Schauer described a test on a large credit union on the East Coast that had robust firewalls, anti-virus software and other controls. However, their employees also had local admin authority on their workstations. TrustCC called into a branch posing as an IT employee diagnosing a problem. They convinced the member service rep to use their admin privileges to disable their anti-virus software.
They then tricked the rep into surfing to a website that replicated the look and feel of the credit union's actual website with a link for the employee to run a supposed network diagnostic tool. The tool was actually a back door to the credit union's internal network.
“Two hours later, we had completely defeated their control and were domain admin on their network,” Schauer said. “As domain admin, we can do anything, attribute our actions to an actual employee, and delete many of the audit trails that could lead to our detection.”
Schauer said such attacks by actual hackers are relatively infrequent because the bad guys haven't figured out how to make their attacks pay off. Still, once they do know how, for example selling credit card numbers at $25 each, the attacks will escalate.
If this suggests all employees, not just IT staff, need to prepare to fight hackers, Amy Baker agrees. She's vice president of marketing at Pittsburgh-based Wombat Security, a firm that helps organizations train employees to avoid cyberattacks.
“There are a lot of parts to the puzzle,” said Baker. “There is the matter of creating awareness of risk, then giving people actionable information so they know how to protect themselves.”
Awareness includes realizing social media provides avenues to overshare personal data a cybercriminal can use, such as a birthdate, the town you live in or were born, names of children, a spouse, an anniversary date and so on. Armed with that information, a cybercriminal may be able to guess a person's password and gain access to the credit union's files.
Baker said some people might believe executives are the only employees targeted by crooks. Actually, it may be the opposite. Anyone in the organization could potentially provide valuable information and can be more at risk because they’re less wary.
“Everyone who has access to a computer should be trained,” Baker advised. “Even employees who might not have access to a computer at their day job but use a computer at home should also be trained because they may be sharing information about the company or themselves; information as innocent sounding as what cafeteria service the organization hired or the antivirus system they use.”
The regulatory environment can prompt financial institutions to look at their cybersecurity, but more often, a successful attack is the wakeup call, the experts said.
Wombat uses a process called continuous training methodology, according to Baker. The process starts with the organization identifying vulnerable areas. An online questionnaire assesses what the organization knows about cybersecurity. Then, Wombat emails training courses targeted at specific weaknesses. The company can also pretend to be a cybercriminal and stage a mock attack such as a phishing or text message breach.
“These mock attacks are great at assessing vulnerability and motivating employees to understand how vulnerable they are,” Baker said. “Last year, 57% of small businesses suffered theft-related security breaches. That was up 12% from the previous year.”
Cyberveillance, headquartered in India with offices in the United States, also underscores the threats that come from outside a firewall. Eric Olson, vice president of product strategy, said cybersecurity has traditionally been linked with an institution's own computer system network. As a result, there's a need for companies to understand things outside their system that touch their business and may not affect the network but may impact the company.
“For example, that would include phishing or fake websites created to lure people by email to log into a site that looks like their financial institution and reveal their user name and password,” Olson said.
“Another example would be mobile apps that appear to be issued by your financial institution but are actually malicious copies that eavesdrop on your transactions.”
Olson said both the number of threats and types of threats are growing. In the late 1990s and early 2000s, Cyberveillance focused on abuse of a company's brand. Over time, the breaches have grown to include theft of intellectual property, funds and identity. Unfortunately, he indicated, the numbers are all up.
“Anti-virus companies are identifying between hundreds of thousands and millions of new pieces of malware each year,” Olson said. “Just for our current customers, in February we identified more than 13,000 mobile apps which we believe are not the ones issued by legitimate companies.”
So credit union members, he continued, need to take basic precautions such as using strong passwords and keeping their anti-virus program updated. They should be aware that if they conduct any sort of transaction or shopping or banking online, they are a target.
“It is both good to do and good business to help educate the member,” Olson said. “Engage some form of monitoring. Know what's happening outside the wall where you may not see it at the credit union but your members are impacted. Keep an eye on what's going on out there with social media.”