BreachExchange mailing list archives

A Credit Union Cyberattack Defense Manual


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Feb 2015 20:19:01 -0700

http://www.cutimes.com/2015/02/11/a-credit-union-cyberattack-defense-manual



With the ever-increasing risks associated with cyberattacks, companies
across industries are realizing the importance of having a cybersecurity
team. Companies also need a well-thought-out security program that can
proactively detect potential weak links, identify abnormal activity as
quickly as possible, and provide the tools needed to identify the root
cause and remediate the issue in a timely manner, before hackers exploit
those weak links.

Cyber criminals are becoming more sophisticated, and they are able to hack
into the biggest financial institutions across the globe, like JP Morgan
Chase and HSBC. Credit unions and others in the financial industry
especially need not only to have a solid, documented cybersecurity program
and incident response plan in place, but also to make sure that it is
implemented, continuously monitored, measured and enforced at all times.

Any small dropping of the guard can result in catastrophic theft of
customer financial records, business data and syphoning of a large amount
of funds.

To a large extent, most credit unions do not have the sophisticated
defenses necessary to detect an advanced persistent or targeted cyberattack
due to a lack of investment in the right security technologies. More
critically, they lack a well-thought-out security program that places equal
emphasis on all four pieces of an effective security program: people,
process, technology and culture.

It is common to find that credit unions pay lip service to security. They
tend to be driven more by compliance than security, resulting in a false
sense of security and complacency. In most cases, boards and senior
management of credit unions don’t fully understand the complexity of
cyberattacks.

As a result, they either lack sophisticated cyber security programs, or
fail to make sufficient budget and resource commitments to secure IT
assets, and protect their customers and business data.

We recommend the following as a starting point for credit unions to prepare
for and reduce the odds of suffering a security breach.

1) Implement a comprehensive risk management program, which should include
a comprehensive disaster recovery plan as well as regular backup of all
data.

2) Implement, measure and enforce a comprehensive security program. All
credit unions must understand that they are susceptible to cyberattacks and
vulnerable to sophisticated data breaches.

They should be committed to investing in building a comprehensive security
program. This should include a well-thought-out process, implementing the
program across the entire organization, monitoring and measuring the
effectiveness of the program on a regular basis, enforcing the controls and
proactively taking corrective action to minimize and/or eliminate potential
vulnerabilities.

Think Comprehensive Security Program, Not Latest Technology

Buying and implementing the latest anti-malware, anti-spam, AV, Firewall
and IPS technologies alone will not be sufficient to prevent a security
breach. A comprehensive security program should take into account the
investments required in people, process, technology and culture. Weaknesses
in any one of these four areas can be catastrophic for the business.

Technology. Invest in appropriate technologies to protect against new and
evolving adversaries. Understand that a security technology that is not
updated regularly to deal with the latest attacks amounts to inadequate
technology defenses. Lacking proper security controls, such as limiting the
number of super-admin credentials, continuously monitoring super-admin
activity, enforcing strong authentication credentials and stringent
standards across IT systems, and regularly patching systems against
vulnerabilities, will expose credit unions to potential attacks.
Understanding where your data resides, who accesses it, how it is stored
and what data is critical for your business can go a long way in
prioritizing your technology investments. Prepare a comprehensive inventory
of all your assets, start at the core where critical data resides and then
expand to the entire network of assets. Remember, protect the core first
and then think of the network perimeter.

Process. In addition to investing in and deploying appropriate
technologies, credit unions need well defined processes for implementation,
monitoring effectiveness of technologies in protecting IT assets and
monitoring 24x7 for unusual activity, such as unauthorized users accessing
sensitive systems, accessing the system outside standard hours or activity
from known bad sources and unusual egress of data from the network or
between internal and external points. Credit unions must embrace well
thought out common sense best practices such as the SANS Critical Security
Controls, which allow them to build proactive security defenses. We have
seen that perpetrators are sophisticated and patient, so continuous
monitoring is an important aspect in protecting credit unions from APTs and
highly targeted cyberattacks and data thefts.

People. Credit unions need to either invest in a skilled cybersecurity
team to monitor and assess security posture or partner with a third-party
service provider to bring that expertise. Unfortunately, there is a severe
shortage of security professionals in the market today. By one count there
is a shortage of upwards of 1 million security professionals today. Even
though several universities have introduced cybersecurity programs and
courses, the fact remains that to be an effective security professional one
needs hands-on, in-the-weeds experience. This means that the security
professional shortage will not be solved for several years to come. No
wonder cybersecurity analyst was the fastest growing job in 2014. What this
means is that credit unions are better off partnering with an outsourced
security service provider whose trained security team can act as an
extension to the credit union’s IT team.

Culture. Every credit union should invest in improving the security IQ of
their employees – not once a year, but on a regular basis to ensure they
don’t fall victim to cyberattacks via malware, phishing or social
engineering, where bad actors impersonate a known/trusted source.

An effective security program that deals with proactive security monitoring
as well as security intelligence will go a long way toward making it harder
for cyberattacks to disrupt the business. Perpetrators will always look for
the low hanging fruit – the easiest targets. By investing in and
implementing a well thought out security program that properly aligns
people, process, technology and culture, organizations can make it more
difficult for attackers.

And in turn, they may opt for other easier targets.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
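
The monitoring conditions listed under "Process" in the article above (unauthorized users on sensitive systems, access outside standard hours, activity from known bad sources, unusual egress of data), as an added example that is not part of the original article or post. The log format, account names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed policy values (assumptions, not taken from the article).
AUTHORIZED = {"core-db": {"svc_core", "dba_lee"}}  # accounts allowed per sensitive system
KNOWN_BAD = {"203.0.113.7"}                        # documentation-range address
BUSINESS_HOURS = range(7, 19)                      # 07:00-18:59
EGRESS_LIMIT = 500_000_000                         # bytes per user per day

# Constructed sample events: timestamp user source_ip system bytes_out
SAMPLE = """\
2015-02-10T09:14:00 dba_lee 10.0.4.21 core-db 120000
2015-02-10T02:41:00 dba_lee 10.0.4.21 core-db 90000
2015-02-10T10:05:00 teller_kim 10.0.7.33 core-db 4000
2015-02-10T11:30:00 svc_core 203.0.113.7 core-db 2000
2015-02-10T14:00:00 svc_core 10.0.4.9 core-db 350000000
2015-02-10T15:00:00 svc_core 10.0.4.9 core-db 300000000
"""

def review(log_text):
    """Return (line_number, finding) pairs for the four monitored conditions."""
    findings, egress = [], defaultdict(int)
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            ts, user, src, system, sent = line.split()
            when, sent = datetime.fromisoformat(ts), int(sent)
        except ValueError:
            findings.append((n, "unparseable"))  # surface bad lines, never skip silently
            continue
        if system in AUTHORIZED and user not in AUTHORIZED[system]:
            findings.append((n, "unauthorized-user"))
        if when.hour not in BUSINESS_HOURS:
            findings.append((n, "off-hours"))
        if src in KNOWN_BAD:
            findings.append((n, "known-bad-source"))
        # Track cumulative egress per user per day; alert once when the limit is crossed.
        key = (user, when.date())
        before = egress[key]
        egress[key] += sent
        if before <= EGRESS_LIMIT < egress[key]:
            findings.append((n, "egress-volume"))
    return findings

if __name__ == "__main__":
    for n, finding in review(SAMPLE):
        print(f"line {n}: {finding}")
```

The egress check is cumulative, so two transfers that each stay under the limit still raise a finding on the line where the daily total crosses it.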
