ATLANTA — Now, it's not a question of whether the bad guys got the goods, it's when they get around to using them.

That's the impression Joe Stewart often has of the current state of affairs when it comes to the theft of online information by cyberfraudsters.

Stewart is director of malware research at SecureWorks, an Atlanta-based information security services firm with a client list of more than 2,000 organizations, including more than 600 credit unions.

Pieces of personal information–card and other account numbers, insurance information, addresses, pharmacy records, you name it–reside by the millions on servers around the world, waiting to be exploited.

"These guys have collected all this stuff, so much it's hard to imagine how they could get around to using it all," Stewart said. "That includes large amounts of credit union data."

Although much of the information is fragmented and not in particularly usable form, "to some extent, maybe we've all been compromised in some way," Stewart said.

And enough of it can be used to steal identities and cash that it's worth the effort. That's why high-tech fraudsters have become the Willie Suttons of today, going where the action is online, according to another prominent member of the credit union security community.

"Stealing money is so 80s. It's data that everything's really about nowadays," said Jim Stickley, chief technology officer at TraceSecurity, a Baton Rouge, La., provider of security compliance software and social engineering services to more than 500 credit unions.

"Money is personal and direct and takes bags. Information can just sit on a server somewhere in Guam," Stickley said, while the fraudsters figure out a way to do something nefarious with it.

And figure it out they will. Stewart tells of going through the logs of one cache of stolen data and finding that the hackers had tested passwords on about 100 credit union accounts and got 79 to work.

The online hackers were believed to be in Russia and that particular credit union was not a SecureWorks client, Stewart said, and he didn't know if any theft resulted. But that's not the point. "They took the time to do this. I don't think they did that for nothing," he said.

Stewart and his colleagues spend their days spanning the globe online, detecting and thwarting and issuing warnings about new forms of keystroke-grabbing Trojans and phish attacks and other malware. The tools get increasingly sophisticated.

For instance, the Trojan mentioned above made its way into the credit union through a Web browser.

"That's the catch," Stewart said. "A lot of people are being affected through no fault of their own. In this case, an administrator logged onto an infected workstation, which used that administrator's credentials to spread to every other PC in the network."

So how do you prevent that? Don't give everyone access to the whole internal network. "Not everyone needs to touch everything," said Stickley at TraceSecurity.

A specialist in social engineering, Stickley knows by doing how easy it can be to scam tellers and other staffers to gain access to desktops, then ATMs and then the core system, "and then the sky's the limit," he said.

He said "too many network designs are just flawed, with every computer touching every other computer. We've been seeing this for years, and this is something that's finally getting some attention."

Stickley advocates two major steps to address that problem. The first is putting in network-access controls. "Everyone already knows to put a DMZ around the Web server, but they should be doing that for their other major critical systems," he said.

He said security can be enhanced with relatively simple segmenting techniques, such as deploying a VLAN, a virtual local area network, to map out who needs access to what ports and block those that don't.

The second step is putting policies in place that are relevant and followed. Credit unions all have to do the basics for compliance reasons, but "we're still seeing people who don't have near the policies they should," Stickley said.

"A lot of times they just go to Sam's Web site, download a de facto policy and say, 'Oh, that's our policy now,'" he said. "Unless it's really geared toward their organization and really reviewed and applied, it does no good."

He acknowledged that creating relevant internal regulations is no fun but said the gain is worth the pain.

"'Policies' is like a dirty word, and they're a pain in the butt to write, but you need to sit down with the right management team to get the right policies in place, ones that reflect your organization and how it works," he said. "If you don't, it'll come back to bite you. But if you do, once you're done, you'll breathe a sigh of relief."

Of course, this takes time, something often not in great supply at busy credit unions. But, the experts advise, keep in mind that that's something the fraudsters have in spades.

"The bad guys have plenty of time to perfect their techniques," said Stewart at SecureWorks. "And credit unions can't afford to not pay attention."

"Anytime there's an opportunity to move money out of a financial institution, someone out there's going to go after it."

–mrapport@cutimes.com
