Cyberthreats Continue to Rise: Onsite Coverage
LAS VEGAS — If a single theme dominated the CU InfoSecurity conference in Las Vegas, it was that cyberthreats are multiplying and the criminals are getting better at their jobs.
One of the key questions before the nearly 50 credit unions in attendance at the confab this week at the Red Rock Resort was whether they are taking the necessary steps to win the battle.
Sometimes, the network and its firewall are set up with easily prevented vulnerabilities baked in. Often, though, the biggest vulnerability may be a credit union’s employees, who can be easily tricked into giving up their login credentials.
“This is your largest threat,” Robbins said.
He offered a hypothetical: Imagine that many employees receive an official-looking email from human resources telling them that, because of Obamacare, they need to fill out an insurance questionnaire. A link to the questionnaire is included, and to authenticate who they are, they need to provide their login credentials. Robbins insisted that typically, there is a stampede of employees filling out questionnaires.
The first five to complete the survey will receive $15 Starbucks gift cards for their time. However, the HR email is spoofed, while the link, which leads to a site with a toxic payload, is real.
“We can turn a $5 gift card into a $5 million data breach,” he noted.
The cure for this type of scenario? Robbins advised not trusting anyone and urged attendees to reiterate that message throughout their organizations.
Demetrios Lazarikos, an IT security consultant with risk assessment firm Blue Lava Consulting LLC in San Jose, Calif., and the former chief information security officer at the Sears Online Business Unit, offered a stern warning.
“Don’t think you are not a target. You will be found and you will be probed.”
In many cases, criminals are moving faster than legitimate organizations, some of which are struggling with dire shortages of qualified information security staff.
Lazarikos’ other major takeaway was that, for IT security to succeed, it has to have buy-in from the very highest levels of the organization. Without that, efforts could fail.
At the conference, a panel of three vendors spoke on distributed denial-of-service (DDoS) mitigation services.
Marc Gaffan, a co-founder at Redwood Shores, Calif.-based mitigation company Incapsula, opened the discussion with this: “The size of DDoS attacks we are seeing is going through the roof.”
He said many more attacks are multi-vector, meaning they mix modes of inflicting DDoS, which makes defense strategies that much harder.
“DDoS is starting to look more like (advanced persistent threat),” Gaffan explained. “Attacks no longer last for hours or days. We see some lasting for weeks.”
Miguel Ramos, a product manager at Neustar, a Sterling, Va.-based telecommunications analytics company, said his firm has been seeing similar DDoS attacks.
“Q1 2014 was an inflection point in terms of size of the attacks,” Ramos said. “They are much bigger.”
According to a Neustar survey, 71% of respondents, which included many credit unions, experienced DDoS attacks, said Ramos, who did not offer more details about the experiences of credit unions.
Kyle Stutzman, chief operating officer at disaster recovery services CUSO Ongoing Operations in Hagerstown, Md., said the only way to successfully combat DDoS in the near term is to be agile. Attackers continue to adapt their techniques, and that means credit unions will have to be quick and flexible with their reactions, he advised.
Ongoing Operations is exploring ways to better pool DDoS mitigation tools, and thus costs, so that the protections can be affordable to more credit unions, Stutzman said. While he did not go into detail about the new strategies, he did say this is a top-of-mind focus at the CUSO.