Staff education is critical to financial institutions' cybersecurity efforts, as the most common way hackers break into a network is to steal valid login credentials, according to Nick Roberts, technical research and marketing manager for DefenseStorm.
Adding to the cybersecurity challenge: some 93% of phishing emails carry ransomware.
The bulk of attacks come from hackers in China, Russia, North Korea and Ukraine, Roberts said.
The most common types of attack include phishing, a major source of consternation and difficulty for firms, Roberts said, and malware, which remains another popular attack vector.
Join us at the new Credit Union Times Fraud: Don't Let It Happen To Your Credit Union Conference, where you will find the latest tools and techniques for preventing fraud and data breaches; strategies for responding in the immediate aftermath; and best practices for restoring reputation, financial stability and information security. This two-day conference is designed for credit union executives, boards of directors and those responsible for your credit union's cyber security policy. Register to attend and save $150.
Outdated machines
Misconfigured and outdated machines are also a threat.
“Obviously, updating machines and making sure they're running the most recent version of software is important, but hackers also understand they can build a database of machines that are outdated and misconfigured,” Roberts said. “If you're not updating those machines or you're not configuring them properly, they're going to be exploited.”
Michael Oldright, security engineer at DefenseStorm, suggested that firms with limited resources to devote to updating their technology infrastructure segregate outdated systems on their own virtual LAN or network segment. Whitelisting can also help, by limiting what is allowed to run on or reach specific systems to what has been tested and is known to be safe.
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) hardens applications against memory-corruption exploits such as buffer overflows, Oldright suggested, “but it can be kind of difficult to implement. You have to do a lot of testing [and] it can cause some problems for applications.” (Microsoft has since retired EMET; its mitigations now ship as Exploit Protection in Windows 10 and later.)
Firms may also need to limit internet access on outdated machines, and increase patch updates and logging frequency, he said.
Hackers scan networks for vulnerabilities
Attacks don't need to be sophisticated, Roberts said. A so-called zero-day attack is when a hacker exploits a previously unknown hole in a target's software before the vendor can fix it.
“We don't need a complicated zero-day to get access to the network or to get access to your bank,” he said. “In fact, even just physical access is easy still; getting access to a financial institution and walking in by impersonating a repairman.”
Some small financial institutions may feel like their size protects them from hackers, but Roberts said “that is categorically untrue.” Hackers are scanning networks for vulnerabilities, regardless of where they are located or how many assets they can potentially access.
Traditionally, firms used signature-detection tools, such as antivirus and antimalware tools, threat matching, block lists, intrusion detection and prevention systems, and reputation-based signature detection to identify threats.
These tools rely on events that have already happened and been reported to block threats, and on their own are inadequate.
“Today's landscape requires much more than a signature-based approach to detection,” Roberts said. “The effectiveness of these signature-based detection methods depends on how often the cybercriminal is evolving their approach from something that is known to unknown.”
New tools for detection
New tools for detection include anomalous activity detection, which builds a baseline of each user's normal activity and flags events that fall outside it.
For example, say an employee who typically works from 8 to 5 appears to log in to the network at 3 a.m.
Roberts said, “Why is Steve logged in at 3 in the morning? Does somebody have access to his credentials or is Steve logged in at 3 in the morning because he's at the office downloading files to a USB drive because he's stealing data from the network?”
Daily tasks should include reviewing activity for new incidents and abnormal data flows, Oldright suggested. Firms need a way to quickly escalate issues when they're identified.
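The two checks described above (a login outside a user's normal hours, and outbound data volume well above that user's usual daily total) can be scripted against exported session records. The following is an added example written for this article, not DefenseStorm's product or any code from the speakers; the record format (`timestamp,user,event,bytes_out`), the dates and the user names are constructed for illustration, and the thresholds (one hour of tolerance around seen login hours, three standard deviations above the mean daily volume) are assumptions to tune per site.

```python
"""Baseline-and-deviation review of login times and outbound data volume.

Added example (not DefenseStorm code). Input is constructed CSV text:
timestamp,user,event,bytes_out   where event is login/logout and bytes_out is
what the user's host sent out during that session. Dates are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _baseline_rows():
    # Constructed baseline: ten working days of ordinary 8-to-5 sessions.
    rows = []
    start = datetime(2016, 6, 6)                       # a Monday
    usual_volume = {"steve": 60_000, "ann": 45_000}
    for i in range(10):
        d = start + timedelta(days=i + (2 if i >= 5 else 0))  # skip the weekend
        for user, base in usual_volume.items():
            rows.append(f"{d:%Y-%m-%d}T08:{10 + i:02d}:00,{user},login,0")
            rows.append(f"{d:%Y-%m-%d}T17:{5 + i:02d}:00,{user},logout,{base + 1000 * i}")
    return rows


BASELINE = "\n".join(_baseline_rows())

# Constructed events under review: steve logs in at 3 a.m. and his session
# carries far more outbound data than any baseline day; ann has a normal day.
REVIEW = """\
2016-06-20T03:12:00,steve,login,0
2016-06-20T04:40:00,steve,logout,2400000
2016-06-20T08:02:00,ann,login,0
2016-06-20T17:01:00,ann,logout,47000
"""


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, event, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per user: the hours of day at which logins were seen, and bytes_out per day."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "login":
            hours[e["user"]].add(e["ts"].hour)
        daily[e["user"]][e["ts"].date()] += e["bytes"]
    return {u: {"hours": hours[u], "daily": list(daily[u].values())}
            for u in set(hours) | set(daily)}


def find_anomalies(baseline, events, tolerance_h=1, sigma=3.0):
    """Return (user, timestamp, reason) for each event that deviates from the baseline.

    A finding is a question for an analyst, not a verdict: a 3 a.m. login may be a
    stolen credential or an insider, and only follow-up tells which.
    """
    findings = []
    by_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        profile = baseline.get(e["user"])
        if profile is None:                 # unknown account: always worth a look
            findings.append((e["user"], e["ts"], "no baseline for user"))
            continue
        if e["event"] == "login":
            # Hour comparison is linear, not circular; a shop with night shifts
            # would need a wrap-around distance here.
            near_usual = any(abs(e["ts"].hour - h) <= tolerance_h for h in profile["hours"])
            if not near_usual:
                findings.append((e["user"], e["ts"],
                                 f"login at {e['ts']:%H:%M} outside baseline hours"))
        by_day[e["user"]][e["ts"].date()] += e["bytes"]
    for user, days in by_day.items():
        history = baseline[user]["daily"]
        if len(history) < 5:                # too little history to set a limit
            continue
        limit = mean(history) + sigma * pstdev(history)
        for day, total in days.items():
            if total > limit:
                findings.append((user, datetime.combine(day, datetime.min.time()),
                                 f"{total} bytes out vs baseline limit {limit:.0f}"))
    return findings


if __name__ == "__main__":
    profiles = build_baseline(parse(BASELINE))
    for user, ts, why in find_anomalies(profiles, parse(REVIEW)):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {why}")
```

Run as-is it reports steve twice (the off-hours login and the outbound volume) and nothing for ann. In practice the baseline window should be long enough to include month-end and other legitimate odd hours, and an account with no baseline at all is itself a finding, since it may be a new hire or an account nobody knows about.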
After finding a threat, firms should block the IP address on the firewall and isolate the host, but this is also a good time to educate users, Oldright said.
Steps for prevention
Steps for prevention include internal penetration tests, restricting access to certain administrators, and monitoring guest and wireless networks. Firms should apply the same policies to guest networks that govern their production networks, and monitor them for breaches, Oldright said.
Firms should also audit user logins and service accounts to delete accounts from former or temporary workers, including any test or demo accounts that may have been set up for new software.
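The account review above reduces to comparing a directory export against the HR roster and a few rules. The following is an added example written for this article, not the speakers' code or any vendor tool; the directory export format, the roster, the account names and the 90-day dormancy threshold are constructed assumptions. It produces a review list; disabling or deleting an account should follow a human check of each finding.

```python
"""Flag accounts that should be reviewed for removal.

Added example (not DefenseStorm code). Directory export is constructed CSV:
account,kind,owner,last_login,expires   (kind is user or service; owner is the
person or team responsible; dates are ISO and hypothetical).
"""
import csv
import io
import re
from datetime import date

# Constructed directory export.
ACCOUNTS_CSV = """\
account,kind,owner,last_login,expires
steve,user,steve,2016-06-20,
ann,user,ann,2016-06-17,
jdoe,user,jdoe,2016-01-04,
contractor7,user,contractor7,2016-06-15,2016-05-31
svc-backup,service,it,2016-06-19,
demo-lending,user,,2016-02-11,
test_vendor2,user,,,
"""

# Constructed HR roster: people currently employed or under an active contract.
ACTIVE_PEOPLE = {"steve", "ann", "contractor7"}
TODAY = date(2016, 6, 21)

# Names that look like test or demo accounts set up for a software rollout.
TEST_ACCOUNT_RE = re.compile(r"(^|[-_])(test|demo|tmp|temp)([-_]|\d|$)", re.IGNORECASE)


def audit_accounts(csv_text, active_people, today, dormant_days=90):
    """Return {account: [reasons]} for every account that needs a look."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["account"]
        reasons = []
        # Former workers: a user account whose owner is no longer on the roster.
        if row["kind"] == "user" and row["owner"] and row["owner"] not in active_people:
            reasons.append("owner not on active roster")
        # User accounts nobody owns (service accounts are owned by a team).
        if row["kind"] == "user" and not row["owner"]:
            reasons.append("no named owner")
        if TEST_ACCOUNT_RE.search(name):
            reasons.append("test/demo naming")
        # Temporary workers: an expiry date in the past but the account still exists.
        if row["expires"] and date.fromisoformat(row["expires"]) < today:
            reasons.append(f"expired {row['expires']}")
        # Dormancy, with never-used accounts called out separately.
        if row["last_login"]:
            idle = (today - date.fromisoformat(row["last_login"])).days
            if idle > dormant_days:
                reasons.append(f"dormant {idle} days")
        else:
            reasons.append("never logged in")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for account, why in audit_accounts(ACCOUNTS_CSV, ACTIVE_PEOPLE, TODAY).items():
        print(f"{account}: {', '.join(why)}")
```

Service accounts deliberately skip the roster check, since their owner is a team rather than a person, but they are still subject to the dormancy and expiry rules; a service account that has not authenticated in months is a good candidate for removal or at least a credential rotation.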
Finally, firms should conduct regular scans for vulnerabilities.
“If you haven't already done so, you want to implement a vulnerability management program,” Oldright said, naming Nessus and Pwnie Express as examples. He recommended conducting weekly scans and downloading patches as they become available.
© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.