BreachExchange mailing list archives

Credit Unions Need to be More Proactive in Cyber Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Jun 2014 13:09:36 -0600

http://www.cutimes.com/2014/06/19/credit-unions-need-to-be-more-proactive-in-cyber-s

Credit unions and banks have been targeted and damaged by high-profile
cyber security incursions, resulting in a loss of consumer confidence and a
move by credit unions to upgrade security measures in the constant battle
against criminal hackers.

Security threats exist at multiple points, whether via targeting the
customer or as a direct threat from hackers against the industry.
Problematic links in the chain range from mobile device/application
vulnerabilities and email scams to ATM threats and attacks on internal
credit union systems, among many others.

One important, industry-wide tool credit unions are implementing is
penetration testing: ongoing self-evaluation of systems, processes and
policies in an effort to stay ahead of hackers. However, penetration
testing is not being carried out often enough to serve, on its own, as a
reliable means of security against dynamic, rapidly changing threats.

Credit union executives should take note of a recent report on banking
cyber security by the New York State Department of Financial Services that
can be extrapolated to credit unions. It found that while 100% of large and
medium-size institutions surveyed and 91% of small institutions undertake
penetration testing, only 9% of all institutions do so quarterly and only
4% do so monthly.

All others, 87%, run penetration tests only on an annual basis.
Unfortunately for credit unions and consumers, hackers work and evolve
cybercriminal activity on a daily basis.

The thinking of credit union leaders should change to a much more
aggressive approach against advanced persistent threats. It's essential to
identify new threats ahead of time while they are being developed and
discussed by hackers in the “deep web.”

This more-aggressive approach, called active threat intelligence, is needed
to fill the gaps in penetration testing and implement a dynamic cyber
security program. It's often the case that hacks are not noticed by credit
unions or consumers until weeks or months after the intrusion, creating far
more problems.

Credit unions should monitor the deep web to identify vulnerabilities
before they are exploited by criminal hackers. Only by staying ahead of
hackers with advanced persistent defenses on an ongoing basis can credit
unions have a chance to combat nefarious activities.

It's similar to having a tornado warning; even a bit of notice can go a
long way. It's important to have time to understand each threat and prepare
countermeasures.

This type of aggressive cyber security is not typically implemented by
traditional information technology departments, but by ethical hackers who
work and lurk in the same places as criminal hackers, but use information
to protect businesses and consumers. Ethical hackers monitor and
participate in message boards, chat rooms and other online sites, as well
as hacking conferences, where the most current information on what's coming
next appears before criminal techniques are implemented.

This is much the way some of the best police or intelligence sources are on
the streets or in the field, closest to the action. In this way, ethical
hackers create the warning time needed to implement defenses to emerging
threats.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/