5 Scary Lessons Learned at CU InfoSecurity
More than 50 credit union executives attended the event May 21-23, said a conference organizer. Those who did heard provocative comments and keen insights into how better to fight fraud, such as the sharp-edged witticism about human intelligence.
That remark about stupidity was on target, too, because a big lesson from the conference was that criminals are testing credit union systems.
Stupidity may be too strong a word for credit unions. Often criminals prey on credit union employees’ willingness to go the extra mile to help a member in need; that could open the door for crime.
Want to know more? Read on for five lessons from this year’s CU InfoSecurity Conference.
1. Forget hackers, your employees are your biggest threat.
Numerous speakers made the same, terrifying point: Credit union employees are in the crosshairs as cyber criminals zero in on snaring their login credentials to provide easy access to the network.
It is very hard to hack into a well-constructed network.
But it can be very easy to sweet talk well-meaning employees into providing their logins.
Think your employees would never give up that information? Think again.
Andy Robbins, an ethical hacker with Washington state security firm TrustCC, explained how a simple survey could get numerous employees to cough up their credentials.
Just send out a form, seemingly from human resources (spoofing email addresses is easy, he said), and add that the requested information is legally required to keep the credit union in compliance with Obamacare requirements.
Ask a few questions about insurance coverage to make it look legitimate, he said, and then ask employees to authenticate themselves by entering their user IDs and passwords.
And, promise a $15 Starbucks gift card to the first 10 respondents.
You will get a stampede of respondents, Robbins promised.
Incidentally, he added, when employees go to the survey site, malware will often download to their computer, a bonus for the hackers on top of the login credentials.
Hackers go even further, he said, doubling the payoff by never delivering the gift card: employees are told there is a problem with their computer’s configuration and are instructed to sign in from another computer within five minutes to receive the card.
Many employees will do exactly that, Robbins said.
That puts the malware on yet more credit union computers.
Experts said they believe targeted attacks on credit union employees will keep rising.
And, increasingly, experts said they believe putting limitations on what employee computers can do may be necessary.
For instance, it is easy to allow a computer to download executables — programs — only from sites on a white list. That knocks out the downloading of toxic payloads, they said.
There also is growing interest in putting limits on the websites employees can access.
None of this will be greeted with employee enthusiasm, but such limits just may be needed to keep credit unions safe in an era of escalating threats.
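To show what the executable-download restriction described above has to get right, here is an added example (not code from the conference or from any speaker) of an allow-list check for download URLs. The allowed hosts, the survey site and every URL in it are hypothetical, constructed for the example; the edge cases it handles (a decoy trusted name in the user-info part of a URL, a trusted name used as a prefix of an attacker’s domain, a plain-HTTP source) are exactly the ones a naive substring match would miss.

```python
"""Allow-list check for executable downloads (constructed example).

Models the control described above: a workstation may fetch executables
only from an approved set of sites. The allowed hosts and the sample URLs
below are constructed for illustration, not real vendor addresses.
"""
from urllib.parse import urlsplit

# Hypothetical allow list: hosts approved as sources of installers and
# updates. A parent-domain match is applied per entry, so
# "updates.vendor-a.example" also permits "cdn.updates.vendor-a.example".
ALLOWED_HOSTS = {
    "updates.vendor-a.example",
    "download.core-banking.example",
}

# File extensions treated as executable payloads on a Windows workstation.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".msi", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta",
}


def is_executable(path: str) -> bool:
    """True if the URL path names a file with an executable extension."""
    name = path.rsplit("/", 1)[-1].lower()
    dot = name.rfind(".")          # "setup.exe" -> ".exe"; "patch.tar.gz" -> ".gz"
    return dot != -1 and name[dot:] in EXECUTABLE_EXTENSIONS


def host_allowed(host: str) -> bool:
    """Exact or parent-domain match against ALLOWED_HOSTS.

    Matching on label boundaries stops "updates.vendor-a.example.evil.example"
    and "notupdates.vendor-a.example" from matching "updates.vendor-a.example".
    """
    host = host.lower().rstrip(".")
    return any(host == allowed or host.endswith("." + allowed)
               for allowed in ALLOWED_HOSTS)


def download_decision(url: str) -> tuple[bool, str]:
    """Decide whether a download may proceed; returns (allowed, reason).

    Non-executable files are allowed from any host; executables must come
    over HTTPS from an allow-listed host.
    """
    parts = urlsplit(url)
    # urlsplit().hostname discards any "user:pass@" prefix, so a lure such as
    # "https://updates.vendor-a.example@evil.example/setup.exe" is judged on
    # the real host, evil.example, not on the decoy text before the "@".
    host = parts.hostname or ""
    if not is_executable(parts.path):
        return True, "not an executable: no restriction applied"
    if parts.scheme != "https":
        return False, f"executable over {parts.scheme or 'no'} scheme refused"
    if not host_allowed(host):
        return False, f"executable from non-allow-listed host {host!r} refused"
    return True, f"executable from allow-listed host {host!r}"


# Constructed sample requests, including the lures a phishing survey site
# would use to slip a payload past a naive string match.
SAMPLE_URLS = [
    "https://updates.vendor-a.example/agent/setup.exe",
    "https://cdn.updates.vendor-a.example/agent/setup.msi",
    "https://updates.vendor-a.example.evil.example/setup.exe",
    "https://updates.vendor-a.example@evil.example/setup.exe",
    "http://updates.vendor-a.example/setup.exe",
    "https://survey-hr-benefits.example/compliance-form.pdf",
    "https://survey-hr-benefits.example/SurveyHelper.EXE",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        allowed, reason = download_decision(url)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {url}  ({reason})")
```

In practice this decision belongs in the proxy or endpoint control that enforces the policy, not in a script; the point is that it has to be made on the parsed host name, on label boundaries, and never on whether a trusted name appears somewhere in the URL.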
2. Members Are a Key Line of Defense.
What is the most common way financial institutions detect fraud, asked Bryan Jardine, a product manager at Sunrise, Fla.-based security company Easy Solutions.
In 2013, Jardine said, 62% of fraud cases came to the attention of the institution because of customer notification.
So far in 2014, 61% of fraud cases are initially detected by the customer, he said.
“One of the biggest concerns has to be customer education. They are going to be compromised,” he added.
But when customers are encouraged to become an educated part of the solution, Jardine suggested, an involved member base can help limit the losses from fraud with earlier reporting and quicker institutional actions.
3. DDoS Is Back.
Many credit unions have said off the record that they do not see distributed denial of service (DDoS) attacks as an important security concern in 2014.
That thinking may be wrong.
CU InfoSecurity speakers painted a dark picture of more DDoS, smarter DDoS and more associated criminal activity.
The bad news speakers shared about DDoS is that when it is aimed at a vulnerable credit union, it can knock that institution’s website and online banking offline for hours, even for days.
Even worse, they said, there is increasing evidence that DDoS is being unleashed to help distract security staff and to pave the way for other criminal activity.
DDoS attacks, said Marc Gaffan, a co-founder at Redwood Shores, Calif.-based DDoS mitigation company Incapsula, are getting much, much bigger in volume. He added that they also, increasingly, blend multiple attack formats, making it that much harder to mount an effective defense.
“You need to be agile to defend against DDoS,” said Kyle Stutzman, chief operating officer at Hagerstown, Md.-based CUSO Ongoing Operations.
The bottom line was that more credit unions need to factor DDoS defense into their security strategy because it has become easy for an attacker to take out an undefended credit union, and to keep that institution offline for days, possibly even weeks.
4. The Humble Log Should Be a Security Cornerstone.
The network log, which records activities of significance, including logins and login failures, is often ignored in security discussions. But, said Chris Martincavage, a senior engineer at Milford, Conn.-based security company SilverSky, it just may be the map that leads to criminals.
Logs are rearview mirrors, meaning they disclose what has already happened.
However, they can help pinpoint vulnerabilities that need mending. And a criminal who successfully penetrated a network almost certainly will return; but if his footprints are picked up in log analysis, his entryway can be barred.
Isn’t that obvious? You might think so, but Martincavage said many organizations do not log at all.
Many others log, he said, but nobody reviews the logs. Ever.
A third mistake many organizations have made is that they review logs but ignore anything that looks bad or worrisome.
“A log can and should be your first line of defense against breaches,” Martincavage said.
He pointedly urged credit unions to review logs daily.
“Make this a habit,” he added.
Logs are easy and inexpensive to create. Make reviewing them part of the security routine and the returns can be powerful.
The payoff may even be discovering breaches that have already occurred but had gone undetected. That is not welcome news, but it needs to be known and acted upon.
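As an added example of the daily log review Martincavage urges (this is not code from the page or from SilverSky), the following Python scans constructed login records for the patterns a reviewer should act on rather than ignore: one source failing against several accounts in a short window (password spraying), a success following repeated failures for the same account from the same source (a likely account takeover), and a success from a source already caught spraying (the returning criminal the text describes). The log format, usernames, addresses and thresholds are all constructed for the example; the regular expression would need adapting to a real authentication log.

```python
"""Daily log review: flag login-failure patterns (constructed example).

Parses login/login-failure records of the kind the text describes and
raises three kinds of alert a reviewer should not wave away:

  * SPRAY:         one source failing against several accounts in a window
  * TAKEOVER:      a success after repeated failures on the same account
                   from the same source
  * SPRAY-SUCCESS: a success from a source already caught spraying

The log format, names, addresses and thresholds are constructed for this
example; adapt LINE_RE to your own authentication logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

SPRAY_MIN_USERS = 3                 # distinct accounts failed from one source
SPRAY_WINDOW = timedelta(minutes=10)
TAKEOVER_MIN_FAILS = 3              # failures on one account before a success


def parse(lines):
    """Yield (timestamp, user, src, ok) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # unparsable line; a real review counts these too
        yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
               m["user"], m["src"], m["result"] == "OK")


def review(lines):
    """Return a sorted list of alert strings for the given log lines."""
    alerts = {}                     # alert key -> message (later, fuller message wins)
    fails_by_src = defaultdict(list)   # src -> [(ts, user), ...] inside the window
    fails_by_acct = defaultdict(int)   # (src, user) -> failure count
    flagged_src = set()                # sources already seen spraying
    for ts, user, src, ok in sorted(parse(lines)):   # process in time order
        if not ok:
            fails_by_acct[(src, user)] += 1
            # Drop failures older than the window, then count distinct accounts.
            recent = [(t, u) for t, u in fails_by_src[src] if ts - t <= SPRAY_WINDOW]
            recent.append((ts, user))
            fails_by_src[src] = recent
            users = sorted({u for _, u in recent})
            if len(users) >= SPRAY_MIN_USERS:
                flagged_src.add(src)
                alerts[("SPRAY", src)] = f"SPRAY src={src} users={users}"
            continue
        # A success: was it preceded by repeated failures on this account,
        # or does it come from a source already caught spraying?
        n = fails_by_acct[(src, user)]
        if n >= TAKEOVER_MIN_FAILS:
            alerts[("TAKEOVER", src, user)] = (
                f"TAKEOVER user={user} src={src} after {n} failures")
        if src in flagged_src:
            alerts[("SPRAY-SUCCESS", src, user)] = f"SPRAY-SUCCESS user={user} src={src}"
    return sorted(alerts.values())


# Constructed sample log: a normal mistyped password (198.51.100.20), an
# overnight spray that later gets in as tchen (203.0.113.9), and a
# brute-forced single account (192.0.2.77). One unparsable line is included.
SAMPLE_LOG = """\
2014-05-22T08:01:10Z auth: user=mlopez src=198.51.100.20 result=OK
2014-05-22T08:02:31Z auth: user=jsmith src=198.51.100.20 result=FAIL
2014-05-22T08:02:50Z auth: user=jsmith src=198.51.100.20 result=OK
2014-05-22T02:14:07Z auth: user=jsmith src=203.0.113.9 result=FAIL
2014-05-22T02:14:09Z auth: user=mlopez src=203.0.113.9 result=FAIL
2014-05-22T02:14:12Z auth: user=tchen src=203.0.113.9 result=FAIL
2014-05-22T02:14:15Z auth: user=rpatel src=203.0.113.9 result=FAIL
2014-05-22T03:40:01Z auth: user=tchen src=203.0.113.9 result=OK
2014-05-22T23:58:40Z auth: user=rpatel src=192.0.2.77 result=FAIL
2014-05-22T23:59:02Z auth: user=rpatel src=192.0.2.77 result=FAIL
2014-05-22T23:59:30Z auth: user=rpatel src=192.0.2.77 result=FAIL
2014-05-23T00:00:05Z auth: user=rpatel src=192.0.2.77 result=OK
garbage line that does not parse
"""

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single mistyped password from 198.51.100.20 produces nothing, which is the point of thresholds: a daily review that pages on every failure gets ignored, which is the third mistake Martincavage describes. The success from the spraying source, on the other hand, is exactly the footprint the text says can be used to bar the entryway.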
5. Even Your Credit Union Has Fraud Issues.
Easy Solutions’ Jardine said many financial institutions shrug and insist they do not have fraud issues.
His strong advice: Look harder.
“I guarantee you, you do have issues,” he said. “And if you don’t see them, how will you fight back?”
“Don’t think you are not a target. You will be probed,” predicted Demetrios Lazarikos, former chief information security officer at Sears’ Online Business Unit and now an expert with Bluelava Consulting.
In a former era, cybercriminals hunted for trophies; they wanted to brag about taking down a Chase or an Amazon. Bragging is so yesterday, suggested multiple speakers at the conference.
Today, they said, it is all about stealing money and could mean more focus on credit unions, along with probes for weaknesses in defense. That was perhaps the most frightening take away from the conference.
“The criminals are not resting,” Lazarikos said. “Often they are moving faster than the good guys and you have to stay with them.”