What's in a Name? For Credit Unions That Carry Malware, Everything
They carry names such as WannaCry, Petya, SamSam, Industroyer and GhostHook. They may sound like wrestlers or hurricanes, but they are in fact types of malware, which threaten systems everywhere. Are credit unions fearful enough of these threats, and how can they protect themselves?
CU Times asked experts how credit unions can strategize against the seemingly constant barrage of bad cybersecurity news resulting from breaches, hacks, ransomware, phishing and account takeovers, among other things.
Credit unions must prepare to withstand dangers such as Internet of Things botnets, exploit kits, password stealers, keyloggers, malvertising and spyware; as well as overwriting, boot and directory viruses; ransomware and backdoor Trojans; and banking/financial and POS malware.
John Horn, director for SecureNow, Fiserv's integrated cybersecurity services, has served as an information security specialist for more than 20 years. He recalled that in 1997, the biggest security issue was putting up and stabilizing firewalls. Today, cybersecurity is more complex. “The business risk associated with cybersecurity gets heightened to the point where it is not just a cybersecurity problem and not just a fraud problem, it's a top-of-mind, C-level kind of problem,” Horn noted. “Brand risk has risen significantly based on cyberattacks.”
Horn said a credit union can avert attacks if it has a strategy. “But if a credit union does not have a strategy, then it is going to be more reactive, confused and overwhelmed by the complexity of the event and seek help from a vendor who may provide a narrow view of solving the problem.”
Vijay Basani, co-founder, president and CEO of the Boston-based cybersecurity firm EiQ, maintained, “Credit unions are easy targets for hackers focused on financial fraud.”
Basani added a credit union without proper cybersecurity defenses is not only easy, low-hanging fruit for fraudsters, but could find itself considerably harmed. A breach could result in significant damage and cost to a credit union, including but not limited to a loss of members, funds, reputation and deposits, as well as a forensics investigation and increased NCUA oversight and audit costs.
Credit unions need a well-thought-out security program, Basani interjected. This should include an incident-response plan, periodic security-awareness training, appropriate access controls, multi-factor authentication, regular data backup, continuous monitoring for suspicious activity and anomalies, and plugging exploitable vulnerabilities by applying appropriate patches.
“Credit unions understand that while FFIEC compliance is a good starting point, one should make a true commitment to security to avoid becoming a news story,” Basani recommended.
The initial step is often the hardest and most important.
“First you must have a strategy,” Stefan Ionescu, chief technology officer and vice president of product development for the Islandia, N.Y.-based loan origination provider Teledata Communications Inc., said. He warned that if credit unions shop for a solitary product or silver-bullet solution, they have already lost the fight. “There is no one single product that will be the answer.”
Brian Soldato, senior director, product management for the Austin, Texas-based cybersecurity firm NSS Labs, noted even the most inclusive cybersecurity strategy will likely fall short. “It will be a continual battle to stay ahead of breaches for financial institutions, but they shouldn't panic in the wake of news of breaches.”
Soldato proposed that, during a security incident, each credit union first needs to evaluate how damaging a discovered vulnerability may be to its environment. “Don't be the credit union to create a panic when there isn't a need to do so.”
However, with an aggressive plan in place, credit unions can act quickly to address potential weaknesses. Soldato recommended that once a credit union identifies a vulnerability or a compromise takes place, it should react immediately and decisively, and communicate to members about remediation measures.
When putting together a strategy, Ionescu recommended credit unions lock down their first line of defense: data center security. “You hear people saying they are not going to use cloud services because they don't know how secure they are, yet they have a data center somewhere in the basement where 200 people with no certifications can access it,” Ionescu pointed out.
The TCI CTO emphasized the data center needs personnel with appropriate certifications such as the Service Organization Control's reporting framework, which consists of SOC 1, SOC 2 and SOC 3, and the payment card industry data security standard.
The second tier comprises data encryption at rest and in transit. This consists of blocking those trying to decrypt information or interfere with data integrity, Ionescu pointed out.
“Knowledge is power when it comes to dealing with emergency issues that the credit union sees either in the media or in releases by cybersecurity firms,” Tom DeSot, EVP and chief information officer for the San Antonio-based cybersecurity firm Digital Defense, said.
“First and foremost, credit unions need to have completed an enterprise risk assessment so that they understand what data is most important to them and what systems store, process or transmit that data,” DeSot explained. He added the risk assessment, regardless of the type (OCTAVE, NIST, Star, NSA, etc.), helps to identify hazards.
Additionally, instituting a holistic vulnerability assessment program helps impart critical information about the credit union's network to both the IT and information security teams. “The vulnerability management program is much more granular and will tell them the next part of the story by illuminating which systems, if any, are vulnerable to the issue being discussed in the media,” DeSot added.
Prioritization is also key when interpreting breach news. “Otherwise every issue that crops up will seem like an emergency and the credit union's IT/InfoSec team will quickly begin playing ‘whack a mole’ trying to put out fires where no fires even exist,” DeSot said.
DeSot suggested some ways to stay informed and reduce anxiety:
Pick sources that provide the most up-to-date information and use them to religiously learn about new potential risks.
Create profiles for key systems (operating system, patch level, etc.) so credit unions can quickly determine if a system is at risk when presented with a vulnerability.
Build an incident response process for times when vulnerabilities do impact key systems.
Ionescu said credit unions have to start looking at every product they intend to secure. He added that how organizations configure their firewall and their ability to detect intrusions are critical.
“Partnering with a third-party provider can bring expertise, stability, security best practices and a reputation of being customer-centric,” Basani emphasized. He added it's important to ensure those providers are SOC 2 compliant and have true 24/7 security operations centers staffed with many security engineers.
“We think cybersecurity is an evolution, not a revolution. It's a continuous ongoing process of the credit union becoming aware of cybersecurity,” Horn said.
Soldato said, “All credit unions need to be proactive. The fact is most are in the practice of being reactive.” He provided steps credit unions can take as part of a proactive cybersecurity plan:
Protect member data through encryption.
Implement security precautions on mobile device applications including strong authentication.
Implement premier next-generation firewalls and host-based intrusion detection along with antivirus protection.
Use a threat intelligence solution specific to the credit union's network environment and financial vulnerabilities.
Monitor the threat landscape and environment, and other suspicious traffic patterns.
Get digital certificates from an established, trustworthy authority.
Educate members about data security and protection.
Basani recommended credit unions focus on implementing common sense controls. “While no one can guarantee 100% security, at least credit union executives and their IT staff will sleep well knowing they have a process in place to deal with the unexpected.”