Cybercrime has become a worldwide issue, thanks to the growing sophistication of online techniques. In 2014 alone, the FBI's Internet Crime Complaint Center (IC3) received 269,422 complaints with an adjusted dollar loss of $800,492,073.
By Roy Urrico, Credit Union Times.
More than a third of financial services industry websites contain at least one serious vulnerability, such as data exposure, every single day, according to the Santa Clara, Calif.-based WhiteHat Security's Website Security Statistics Report. Serious vulnerabilities give attackers the ability to take control over a website, compromise user accounts on a system, access sensitive data, violate compliance requirements and possibly make headlining news.
According to cybersecurity experts, there is no single fix – except for the awareness that cybercriminals continue to change their tactics and seek out the weakest defenses to compromise systems, and steal data and money.
To successfully fight off cybercriminals, credit unions must turn their focus to their most vulnerable areas, and be sure never to commit these 10 deadliest sins.
- Not monitoring social media users. According to IC3, “social media has provided a quintessential goldmine of personal data for perpetrators.” Some of their social media fraud methods include click-jacking, concealing hyperlinks beneath legitimate clickable content, doxing, publicly releasing a person's identifying information online without authorization, and pharming – redirecting users from legitimate websites to fraudulent ones for the purpose of extracting confidential data. Credit unions should impose restrictions on employees visiting external sites on organization-owned computers.
- Overlooking threats from within. Insiders have access to vital data, already comprehend the credit union's structure, and can circumvent security more effortlessly than outsiders can. Credit unions need to determine their level of exposure to insider threats, control inbound delivery methods, and aggressively implement administrative and technical solutions for controlling the potential damage an insider can cause.
- Practicing employee negligence. According to IC3, the business email compromise scam continues to evolve, and in 2014, targeted businesses reported having their personal emails compromised and multiple fraudulent requests for payment carried out and sent along to vendors. In 2014, IC3 received 2,417 business email compromise complaints with a total reported loss of $226 million. Criminals often revert to low-tech techniques such as phishing, which is very difficult to detect with a technology solution. User training combined with behavior analytics might be a necessary defense strategy, depending on the nature of the attack.For companies with a BYOD policy, employees should be aware of using USB drives that are not encrypted or safeguarded, and leaving computers unattended when outside the workplace. Employees who use personal devices for company business are also putting their own information at risk.
- Using weak passwords. Despite advances in security technology, passwords are still the first line of defense for most credit union PCs, laptops and mobile devices used for business. Members and staff invite trouble when picking passwords that are easy to remember and just as easy to decipher, such as their own, children's or pets’ names; birthdays or a simple number sequence such as “123456.” A compromised password opens the door to email or online banking fraud.“In the last 12 months, looking at how data is secured and how even employees are gaining access to accounts, how fraud can happen internally, how any sort of breach in and around extracting or accessing takes place, we think you will eventually see a move into having a place for biometrics,” Shawn Edmunds, North America vice president for the London, United Kingdom-based ValidSoft, which provides a voice recognition platform, claimed.
- Not evolving protection strategies to fight malware. Dangerous new vulnerabilities continue to catch many IT departments by surprise. Dyre and Dridex are the top two financial crime attack toolkit platforms used worldwide in Q1 2015 (based on the number of incidents), Eward Driehuis, product manager for the Amsterdam, Netherlands-based cyber intelligence firm Fox-IT explained. The Dyre Wolf scheme targets corporate banking accounts, and the organization behind the malware campaign consistently updated and maintained the malware, adding more tricks to further their deception. Dridex, the latest version of the Bugat/Feodo/Cridex banking Trojan, uses email campaigns that carry Word document attachments with built-in macro codes to download and execute the Trojans.
- Slacking on training. This was a leading factor for 51% of respondents, according to the SANs report. Financial institutions tend to focus on transactional security compliance, but employees are just as vulnerable to hackers and data breaches in their day-to-day business operations. Training curriculums should cover techniques for creating secure passwords; ways to avoid keylogger scams and phishing cons; and information on how to protect devices against viruses and malware.
- Not recognizing key targets. Credit unions ought to know which of their high-value assets could become targets for cyber treachery. Ron Gula, CEO at the Columbia, Md.-based Tenable Network Security, suggested credit unions should have 100% discovery of every asset, including laptops, email processors and web servers. That way, credit unions can look at where to take action and have the ability to make early detections.“Breaches often start by being able to exploit high value assets,” Chris Coleman, CEO at the Baltimore, Md.-based Lookingglass Cyber Solutions, said.
- Skipping a security policy. A good policy is a written plan for implementing and enforcing information security best practices supported by the executive management team, Gula said. “Saying that you have a firewall to protect your network is not good enough; a perceived plan is not a policy,” he said.Because the IT landscape is changing and attackers are adding new technologies to their arsenals, policies require ongoing reviews and updates.
- Having an insecure network. Technical solutions that address prevention, detection and deterrence effectively augment the controls credit unions have already implemented to counter threats.“Many organizations design their networks in a way that enables accidental as well as malicious insiders to cause significant damage,” the SANs report stated. Better segmentation and system isolation could control potential damage. Adaptive defense capabilities should not only protect against dubious attachments and URLs, but enable early detection of emerging campaigns and threats. “You can't just rely on defense, you have to have somebody out there looking for malware, hunting the bad guys so to speak, looking for anomalies,” Gula recommended.
- Not maintaining software patches. Cyberattacks frequently take advantage of opportunities to plant malware-laced email attachments and compromise websites. All organizations should establish a strong ongoing patch management process to ensure proper preventative measures against potential threats. In March, Moscow-based security firm Kaspersky Lab revealed a cybercriminal gang raided up to 100 financial institutions internationally for an estimated $1 billion. Hackers took advantage of unpatched systems, even though updates existed, to access administrators’ computers and video surveillance systems.