Credit Union Security (Rafiq - CU Security)

Date post: 26-Jan-2021
Transcript
  • The Value of Membership

    Credit Union Security

    Non-tangible Assets
      Member Information
      Information Deemed Confidential

    Tangible Assets
      Computer Equipment
      Furniture / Fixtures
      Hard Copy Documentation
      etc.

  • The Value of Membership

    Identify current threats and trends.
    Become familiar with administrative, physical, and technical security best practices.
    Learn risk-based methods to identify security risks.
    Learn methods used to effectively implement security into daily operations.

  • The Value of Membership

    Security Trends

    Breaches now inevitable

    Cyber espionage continues

    Mobile malware continues to increase

    Mobile devices get anti-theft protection

    Spear-phishing scourge continues

    Social engineering attacks hit social networks

    Botnets keep infiltrating businesses

    Breach notifications gain greater traction

    Critical infrastructure rhetoric keeps heating up

    Code gets externally reviewed

    Texas Credit Union League © 2013

  • The Value of Membership

    First Line of Security - Employees

    Your ammunition is:
      Knowing that: COMPLIANCE SECURITY
      Creativity to build on the material
      Educating employees, members, friends, and family
      Altered frame of mind
      Cognizant of new security threats

  • The Value of Membership

    Distributed Denial-of-Service (DDoS)

    Attackers use compromised systems (zombies / bots) to attack a specific target.
    The compromised systems send an overwhelming number of connection requests, flooding the target.
    The target receives so many connections that it can no longer respond, denying service to legitimate requests.

  • The Value of Membership

    Assess Risk / Remediation

    Targets are Internet facing:
      Website
      Home Banking
      Internet Service Provider

    Due Diligence: include the vendor's DDoS response plan in the credit union's disaster recovery plan.

  • The Value of Membership

    Types of Hackers

    A white hat hacker breaks security for non-malicious reasons, with authorization (e.g. network penetration testing).
    A grey hat hacker uses their skills for legal or illegal acts, but not for personal gain.
    A black hat hacker, sometimes called a "cracker," is someone who breaks computer security without authorization or uses technology (usually a computer, phone system or network) for vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity.
    A social engineer uses non-technical skills to gain access to information.

  • The Value of Membership

    Types of Hacks

    Security exploit

    Packet sniffer

    Password cracking

    Spoofing attack

    Key loggers

    Trojan horse

    Virus

    Worm

    Social engineering

    Many more!!!!


  • The Value of Membership

    Types of Hacks – Minimized / Foiled by training and proper practices

    Security exploit, packet sniffer, password cracking, spoofing attack, key loggers, Trojan horse, virus, worm, social engineering, many more…..

  • The Value of Membership

    Security Exploit

    Systems affected: Microsoft Windows running Adobe Reader, Acrobat, or Oracle Java.
    In May 2013 both www.federalnewsradio.com and www.wtop.com had been compromised to redirect Internet Explorer users to an exploit kit.
    The exploit kit delivers and executes malware – in this case a fake Flash installer.
    Solution: keep the operating system, the browser, and plug-ins such as Reader, Acrobat, Java and Flash updated.

  • The Value of Membership

    Hacking Lesson for the Non-Techie

    Create a malicious Trojan Horse.

  • The Value of Membership

    Hacking Lesson for the Non-Techie

    Install a virus.

  • The Value of Membership

    Hacked by:
      Poor system security (antivirus, antispyware)
      Poor patch management
      Excessive computer / system privileges
      USER KNOWLEDGE

  • The Value of Membership

    Hacking Lesson for the Non-Techie

    Hack a Password

  • The Value of Membership

    Hacked by:
      Weak password
      Computer / system privileges (allowed a key logger to be installed)
      USER KNOWLEDGE

    If a non-techie hacks your password: you've been SOCIALLY ENGINEERED!!!!!!!

    http://www.youtube.com/watch?v=L6W57_MJYdM&feature=player_detailpage

  • The Value of Membership

    Non-Technical Hack

    Social Engineering: psychological manipulation
    The act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical hacking techniques.
    Trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim.
    A technical way of lying.

  • The Value of Membership

    How / Why It Works

    Humans inherently:

    Are trusting

    Have fear of authority

    Are courteous

    Want to help

    Desire to be liked

    Are social

    Are curious


  • The Value of Membership

    Social Engineering – ID Theft

    What the thief is after:
      Full name
      Address / phone numbers (past and present)
      Date of birth
      Social security number
      Mother's maiden name
      Children's names

    Bonus:
      Loan information
      Account numbers
      Credit card information
      Employment information
      Passwords

  • The Value of Membership

    Older Methods of Attack That Are Still Used

    Dumpster diving
    Address change

    *note the progression towards social engineering!!

  • The Value of Membership

    Current Methods of Attack

    Pharming – planting bogus websites: www.redcrosss.com posing as www.redcross.org. (Strictly, pharming redirects a correctly typed domain to a bogus site, usually through DNS or hosts-file tampering; a look-alike domain such as www.redcrosss.com is typosquatting. Both deliver the victim to the attacker's copy of the site.)
    Phishing – usually through e-mail
    Website spoofing
    Spear phishing – your credit union is the target
    Whaling – a high-profile employee is the target

    http://www.redcross.org/
    http://www.redcrosss.com/
    http://www.curesources.coop/Technology_Services.html
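The look-alike domain on this slide (www.redcrosss.com for www.redcross.org) is the kind of thing a link checker can catch mechanically before a member or employee clicks. The following is an added example, not code from the presentation: it compares the second-level label of a link's host name against a small hypothetical allow-list using edit distance, and also flags a trusted name buried inside a subdomain of some other domain (redcross.org.example.net). The allow-list, the distance threshold of 2 and the "last two labels" approximation of the registrable domain are assumptions; a production checker would consult the Public Suffix List and normalize internationalized (homoglyph) domains, which this example does not do.

```python
from urllib.parse import urlparse

# Hypothetical allow-list: the two names are the ones shown on the slide.
TRUSTED_DOMAINS = frozenset({"redcross.org", "curesources.coop"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hostname_of(link: str) -> str:
    """Accept a full URL or a bare host name and return the lower-cased host."""
    if "://" in link:
        host = urlparse(link).hostname or ""
    else:
        host = link.split("/", 1)[0]
    return host.lower().rstrip(".")


def classify(link: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain, reason) for a link.

    verdict is "trusted", "lookalike" or "unknown".  The registrable domain is
    approximated as the last two labels (assumption); a real deployment would
    use the Public Suffix List so that names like example.co.uk work.
    """
    host = hostname_of(link)
    labels = host.split(".")
    if len(labels) < 2:
        return ("unknown", host, "not a qualified host name")
    registrable = ".".join(labels[-2:])
    if registrable in trusted:
        return ("trusted", registrable, "exact match on the allow-list")

    brand = labels[-2]               # second-level label, e.g. "redcrosss"
    subdomain_labels = labels[:-2]   # everything left of the registrable domain
    for known in sorted(trusted):
        known_brand = known.split(".")[0]
        if known_brand in subdomain_labels:
            return ("lookalike", known,
                    f"trusted name '{known_brand}' used as a subdomain of {registrable}")
        distance = levenshtein(brand, known_brand)
        if distance == 0:
            return ("lookalike", known,
                    f"same name as {known} on a different top-level domain")
        if distance <= max_distance:
            return ("lookalike", known,
                    f"'{brand}' is {distance} edit(s) away from '{known_brand}'")
    return ("unknown", registrable,
            "not on the allow-list and not close to any trusted name")


if __name__ == "__main__":
    for link in ("http://www.redcross.org/", "http://www.redcrosss.com/",
                 "https://redcross.org.example.net/login", "https://example.com/"):
        print(link, "->", classify(link))
```

Run against the slide's own pair of links it reports www.redcross.org as trusted and www.redcrosss.com as one edit away from redcross.org; the "unknown" verdict is deliberately not "safe", it only means the checker has nothing to compare against, which is exactly when the slide's advice ("when in doubt of a link, type it out") applies.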

  • The Value of Membership

    Current Methods of Attack

    Vishing – a combination of the words voice and phishing
    SMiShing – SMS (Short Message Service) is the technology used for text messages on cell phones
    SIM swap
    Caller ID spoofing
    Calls:
      Pretexting – get significant data
      Test the security posture
      Gain a small amount of data

  • The Value of Membership

    Current Methods of Attack

    Use of fear:
      Angry member
      Senior executive
      Law enforcement
      Credit collector
    Physical bait:
      USB
      CD
    Acting – third party:
      AT&T
      Building maintenance
      Law enforcement
      IT vendor
      Examiner
    Flirting

  • The Value of Membership

    Where is your stolen information? (Supply chain)

    Carding / hackers forums
    Harvesters – phishing, key logging, etc.
    Brokers – sell the harvested credit card, account, password, and personal information
    Distribution – ID theft: use the information to purchase tangible items, which are then sold for cash.

  • The Value of Membership

    Value

    Stolen credit card numbers: $2 to $90
    Physical credit cards: $190 + cost of details
    Stolen online bank account log-in information (user name, password, etc.): $80 to $700 depending on the amount of funds in the account
    Online stores and pay platforms: $80 to $1500 (with guaranteed balance)
    Stolen e-mail passwords: $1 to $18

  • The Value of Membership

    Don't Throw your Security Investment away!

    A successful social engineer bypasses:
      Physical security (e.g., perimeter alarm sensors, motion detectors, etc.)
      All doors, locks, keys
      Firewalls
      Intrusion Detection / Prevention Systems (IDS/IPS)
      Network access levels
      Data processor access levels
      Many more…

  • The Value of Membership

    How to Protect from Threats

    Risk assessment
    Multi-layered security
      Deploy administratively
      Deploy physically
      Deploy technically

  • The Value of Membership

    How to Protect from Threats

    Risk assessment
    Principle of least privilege (access controls)
      Deploy administratively
      Deploy physically
      Deploy technically

  • The Value of Membership

    How to Protect from Threats

    Risk assessment
    Encryption
      In storage
      In transit
    Training
    Testing

  • The Value of Membership

    Training / Tips

    Do not divulge insignificant data – it may be significant to thieves
    Escort visitors!
    Revisit the open file policy / procedure
    Be aware of connecting ANYTHING to your PC (e.g. USB drives / CDs / keyboards)
    When in doubt of a link, type it out
    Don't give phone extensions or e-mail addresses out

  • The Value of Membership

    Training / Tips cont.

    Train the cleaning crew
    Ask employees to think of unique ways to breach the credit union
    Share stories with other credit unions
    Develop a member education program
    Place a Google Alert on you and your credit union (google.com/alerts)
    Websites – check reviews
    Implement layered security

  • The Value of Membership

    Training / Tips cont.

    Organizational chart – include SEGs
    Train to be suspicious
    Security Risk Assessment
    Training
    Education
    Testing
    Security Program

  • The Value of Membership

    Training / Tips cont.

    Limit online personal information (Facebook, Twitter, LinkedIn):
      Birthday
      Kids' names / birthdays
      Place of birth
      Home address
      When on vacation
    Update privacy settings

    http://www.youtube.com/watch?feature=player_embedded&v=kJvAUqs3Ofg

  • The Value of Membership

    Security Posture Result

    Reactive credit union:
      Lack of knowledge of current methods
      No testing
    Proactive credit union:
      Semi-annual training
      Positive testing results

  • The Value of Membership

    Test!!!

    Don't be complacent with policy!
    Don't let your staff be complacent!
    Include the cleaning crew in testing.
    View results in a positive manner: proactive

  • The Value of Membership

    Summary

    Train – EVERYONE and often
    Test – EVERYONE and often
    First Line of Security - Employees
    Your ammunition is:
      Knowledge of the preceding material
      Creativity to build on the material
      Educating employees, members, friends, and family
    Be vigilant and alert
    Keep abreast of new methods
    Verify
    Share stories
    Be SUSPICIOUS!!

  • The Value of Membership

    Compliance: What you have to do

    Regulatory responsibilities:
      US Department of the Treasury
      FFIEC
      NCUA
      Your State's Credit Union Department
      Your State's Finance Code

  • The Value of Membership

    Gramm-Leach-Bliley (GLB) Act

    NCUA Regulation 748 originally addressed burglaries, larcenies, and embezzlement.

    Sections 501 and 505 of GLB required the NCUA Board to establish standards for safeguards protecting consumer records and information:
      Administrative
      Physical
      Technical

  • The Value of Membership

    Effective July 1, 2001, Regulation

    748 encompassed GLB requirements

  • The Value of Membership

    So a credit union has to have a written security

    policy and program.

    Appendix A is the answer!

  • The Value of Membership

    Appendix A to Regulation 748

    provides guidelines

    Addresses

    Administrative

    Physical

    Technical

  • The Value of Membership

    Credit union responds when:
      An auditor wrote up a recommendation
      An examiner mandated it via a DOR (Document of Resolution)

    Result: documentation lies dormant on a shelf in physical form or on a file server in electronic form

  • The Value of Membership

    It is imperative that you, as credit union leaders, establish a proactive approach to information security in your credit union!!!

  • The Value of Membership

    Reactive vs. Proactive

    Credit Union’s Reputation

    6:00 PM News Report

  • The Value of Membership

    Best Practice : What you should do

    Examples:

    Electronic Security

    Active Directory vs. Local User Accounts

    Physical Security

    Examples?

    Administrative Security

    Examples?

  • The Value of Membership

    The ultimate goal of information

    security:

    To protect the confidentiality, integrity,

    and availability of information

    Reduce risk

  • The Value of Membership

    A security program designed to:

    Protect all credit union facilities

    Burglaries, larcenies, robberies, and

    embezzlement

    Ensure the security and confidentiality

    of member records

    Physical and electronic

    Anticipated threats and hazards to the

    integrity of the information

  • The Value of Membership

    A security program designed to:

    Protect against unauthorized access of

    member information

    Identification of persons who commit or

    attempt to commit such crimes

    Prevention of destruction of vital credit

    union records

  • The Value of Membership

    Information security management for a

    credit union begins with managing risks

  • The Value of Membership

    The actual assessment can be

    achieved through two main formats:

    Qualitative

    Quantitative

  • The Value of Membership

    A qualitative risk assessment is one that involves the assessor knowing best practice and establishing what will apply to the credit union

    A quantitative risk assessment is one that involves the assessor using measures in terms of numerical values to assign to assets, threats, and vulnerabilities as benchmarks

  • The Value of Membership

    Managing Risks = Risk Assessment

    So what should your credit union be doing in a risk assessment?

    Identify risks

    Mitigate the identified risks (if possible)

    Ensure an appropriate balance of risk and controls

    Define specific security needs for the credit union

    Ensure a layered approach to security

  • The Value of Membership

    Definitions of components considered in a risk assessment:

    Asset – tangible and intangible resources with some value owned by the credit union
    Threat – any potential danger that a vulnerability will be exploited by a threat agent
    Vulnerability – the absence or weakness of a safeguard that could be exploited
    Risk – the loss potential, or probability, that a threat will exploit a vulnerability

  • The Value of Membership

    Relationship of Threats and Vulnerabilities

    Threat Agent     Can Exploit This Vulnerability                   Result
    ---------------  -----------------------------------------------  ------------------------------------------------
    Computer Virus   Lack of Antivirus Software                       Viral Infection
    Employees        Lack of Training; Lack of Auditing               Sharing Mission Critical Information;
                                                                      Altering Data Inputs and Outputs from EDP System
    Fire             Lack of Fire Extinguishers & Detection Systems   Facility and Computer Damage; Loss of Life

  • The Value of Membership

    How is risk calculated?

    Risk Equation: three multipliers give the overall risk

    Risk = asset value x threat probability x vulnerability

  • The Value of Membership

    Steps in a credit union risk

    assessment

    Step 1: Identify and assign value to assets
      Assets are going to differ in each credit union
    Step 2: Identify threats and vulnerabilities associated with the identified assets

  • The Value of Membership

    Steps in a credit union risk assessment (cont.)

    Step 3: Measure the current level of risk
      Apply the risk equation: Risk = asset value * threat probability * vulnerability
    Step 4: Eliminate, Monitor / Manage, or Accept
      Recognize that not all risk can be completely eliminated
      The credit union must achieve a balanced approach
      Countermeasures should be considered and selected with the intent to achieve balance

  • The Value of Membership

    Steps in a credit union risk

    assessment (cont.)

    Step 5: Reassess risk
      Risk MUST be reassessed as a result of credit union changes
      At least annually
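As an added worked example (not from the presentation), here are the five steps above applied to a small risk register built from the threat / vulnerability table earlier on this page. The asset values, probabilities, vulnerability scores and treatment thresholds are hypothetical numbers chosen to illustrate the equation, not figures the presentation gives; the point is that the equation is only useful once every term is scored on an agreed scale, the rows are ranked, and a countermeasure forces a re-score (step 5) rather than a carried-forward number.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    asset: str
    asset_value: int            # step 1: 1 (low) .. 5 (critical), assigned by the credit union
    threat: str                 # step 2: the threat agent
    threat_probability: float   # step 2: 0..1, likelihood the threat acts in the review period
    vulnerability: str          # step 2: the absent or weak safeguard
    vulnerability_score: float  # step 2: 0 (safeguard fully effective) .. 1 (no safeguard at all)


def risk_score(item: RiskItem) -> float:
    """Step 3: the slide's equation, risk = asset value x threat probability x vulnerability."""
    return item.asset_value * item.threat_probability * item.vulnerability_score


def treatment(score: float, accept_below: float = 0.5, monitor_below: float = 1.5) -> str:
    """Step 4: map a score to eliminate/mitigate, monitor, or accept.

    The thresholds express the credit union's risk appetite; these values are
    hypothetical and would be set by management, not by the tool."""
    if score < accept_below:
        return "accept"
    if score < monitor_below:
        return "monitor"
    return "mitigate"


def assess(register):
    """Score every register entry and rank highest risk first."""
    scored = []
    for item in register:
        score = risk_score(item)
        scored.append((item, score, treatment(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


def apply_countermeasure(item: RiskItem, safeguard: str, new_vulnerability_score: float) -> RiskItem:
    """Step 5: a countermeasure changes the vulnerability term, so the item is re-scored."""
    return replace(item, vulnerability=safeguard, vulnerability_score=new_vulnerability_score)


# Constructed register based on the slide's threat/vulnerability table; numbers are illustrative.
REGISTER = [
    RiskItem("Member database server", 5, "Computer virus", 0.6,
             "Lack of antivirus software", 0.9),
    RiskItem("Member account records", 5, "Employees", 0.3,
             "Lack of training and auditing", 0.5),
    RiskItem("Branch facility", 4, "Fire", 0.05,
             "Lack of fire extinguishers and detection systems", 0.8),
]


def report(register=REGISTER) -> str:
    """One line per register entry, highest risk first."""
    lines = []
    for item, score, action in assess(register):
        lines.append(f"{score:5.2f}  {action:<8}  {item.asset}: {item.threat} via {item.vulnerability}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    # Antivirus deployed on the database server: re-score instead of reusing last year's number.
    fixed = apply_countermeasure(REGISTER[0], "Antivirus deployed and updated daily", 0.2)
    print(f"after countermeasure: {risk_score(fixed):.2f} -> {treatment(risk_score(fixed))}")
```

Note that the fire row scores lowest even though its worst-case result (loss of life) is the gravest outcome in the table: a product of three terms hides the impact side when probability is tiny, which is why the qualitative review the page describes has to sit alongside the arithmetic rather than be replaced by it.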

  • The Value of Membership

    Administrative Security

    Practices

    Dual Control / Multi-layer

    Verbal Communication

    Telephone - Multifactor

    Lobby

    Offices

    Records Retention and Storage

    Daytime

    Nighttime

  • The Value of Membership

    Physical Security

    EXERCISE

    Part I

  • The Value of Membership

    Physical Security

    EXERCISE

    Part II

  • The Value of Membership

    Technical Security

    Patch Management

    Antivirus / Malware Management

    Firewall Management

    Password Management

  • The Value of Membership

    Patch Management

    Functional purpose
    Scope of patch management
    Test before deployment vs. automatic deployment

  • The Value of Membership

    Malware management (viruses / spyware / adware)

    Levels of management

    Updates and scanning frequencies

    Handling malware that reaches a machine

  • The Value of Membership

    Firewall Management

    Functional purpose
    Rules governing inbound and outbound data traffic
    Firmware updates
    Penetration testing vs. vulnerability testing
    Backup of configuration

  • The Value of Membership

    Password Management

    Functional purpose
    Data processing vs. network operating system
    Other software and Internet-based applications
    Policy enforcement: length, complexity, concurrency, change frequency, incorrect entry threshold
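An added example (not the presentation's code) of what "policy enforcement" looks like once it is written down precisely: a password policy object that reports every rule a candidate password breaks (length, character classes, a banned list, the user name) plus an age check for change frequency, and a lockout tracker that enforces an incorrect-entry threshold over a sliding window. The class names, thresholds and banned list are hypothetical. One caveat for anyone copying the numbers: current NIST SP 800-63B guidance drops mandatory periodic rotation and composition rules in favour of length and screening against known-breached passwords, so treat max_age_days and min_classes as the 2013-era controls the slide lists rather than as a recommendation; the banned-list and lockout checks are the parts that age well.

```python
import string
from datetime import datetime, timedelta


class PasswordPolicy:
    """Length, complexity, age and banned-word checks (hypothetical settings)."""

    def __init__(self, min_length=12, min_classes=3, max_age_days=90,
                 banned=frozenset({"password", "123456", "welcome1", "letmein"})):
        self.min_length = min_length
        self.min_classes = min_classes
        self.max_age = timedelta(days=max_age_days)
        self.banned = banned

    def violations(self, password: str, username: str = "") -> list:
        """Return every rule the candidate breaks; an empty list means acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        # Character classes present: lower, upper, digit, punctuation.
        classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                      if any(test(c) for c in password))
        if any(c in string.punctuation for c in password):
            classes += 1
        if classes < self.min_classes:
            problems.append(f"uses {classes} character class(es), policy requires {self.min_classes}")
        if password.lower() in self.banned:
            problems.append("appears on the banned-password list")
        if username and username.lower() in password.lower():
            problems.append("contains the user name")
        return problems

    def is_expired(self, last_changed: datetime, now: datetime) -> bool:
        """Change-frequency rule: True once the password is older than max_age."""
        return now - last_changed > self.max_age


class LockoutTracker:
    """Incorrect-entry threshold: `threshold` failures inside `window` lock the account for `window`."""

    def __init__(self, threshold=5, window=timedelta(minutes=15)):
        self.threshold = threshold
        self.window = window
        self._failures = {}      # user -> failure timestamps still inside the window
        self._locked_until = {}  # user -> datetime the lock expires

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a bad password attempt; return True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        recent = [t for t in self._failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.window
            self._failures[user] = []
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Summer2013", "password", "correct-horse-battery-7"):
        print(candidate, "->", policy.violations(candidate) or "OK")
    guard = LockoutTracker()
    t0 = datetime(2013, 5, 1, 9, 0)
    for minute in range(5):
        locked = guard.record_failure("jsmith", t0 + timedelta(minutes=minute))
        print(f"failure {minute + 1}: locked={locked}")
```

The tracker takes the clock as a parameter rather than calling datetime.now() internally, which is what makes the threshold behaviour testable and keeps it deterministic under audit; an implementation that reads the wall clock inside the class cannot be checked for the "lock expires at exactly window" edge without sleeping.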

  • The Value of Membership

    Regulatory Reference for Network Security

    NCUA Letter to Credit Unions 06-CU-10: NCUA's Information System and Technology (IS&T) Program
    www.us-cert.gov
    2011 IT-Questionnaires.xls

  • The Value of Membership

    Technology Security

    EXERCISE

    Part I

  • The Value of Membership

    [Network diagram from the exercise; components only:]
      Public Internet, T-1 connection
      T-1 Router: Cisco 1841
      Switch: 3Com 3C16475, 24 ports
      LAN
      BRANCH OFFICE LAN Switch: SMC-EZ6508TX (EZ Switch)

  • The Value of Membership

    Technology Security

    EXERCISE

    Part II

  • The Value of Membership

    Develop Information

    Security Policy & Program

  • The Value of Membership

    What is the GOAL of an Information Security Policy & Program?

    Defines the role that security plays within the credit union
    Provides a custom framework reflective of a risk-based approach to information security as required by NCUA rules and regulations

  • The Value of Membership

    Who should be involved?

  • The Value of Membership

    Everyone in the credit union should be involved

    in all aspects of the information security

    management infrastructure!

  • The Value of Membership

    Relationship of Policy, Standards, Guidelines, and Procedures

  • The Value of Membership

    Security Policy – overall general statement

    produced by senior management that

    dictates what role security plays within the

    credit union

    Issue-specific Policy

    Monitoring of electronic communications

    System-specific Policy

    Firewall deployment and monitoring

  • The Value of Membership

    Develop a security program to

    support those policies

  • The Value of Membership

    Standards are the mandatory

    activities, actions, rules, or

    regulations in effect at the credit

    union

  • The Value of Membership

    Procedures are the detailed step by

    step tasks that are required to be

    performed to achieve a specific goal

    System backups

    Opening and closing

    Robbery

    Member identity verification

  • The Value of Membership

    Make security framework components

    visible to the organization

    Awareness training

    Manuals

    Presentations

    Newsletters

  • The Value of Membership

    Employees need to be aware that

    The information security framework

    directives have originated from senior

    management

    Their active involvement is mandated to

    ensure the successful implementation of

    the framework

    Reward active involvement

    Hold employees accountable for non-compliance

  • The Value of Membership

    INFORMATION SECURITY

    Questions or comments regarding

    fundamentals?

  • The Value of Membership

    Appendix B of Regulation 748

    specifically addresses the response

    program requirements of credit unions

    as a subunit of their security program

    Effective on June 2, 2005.

  • The Value of Membership

    A risk based response program in writing to address incidents of unauthorized access to member information

    Encompass incidents of unauthorized access that may occur in the systems of domestic and foreign service providers.

    Address vendor response program

  • The Value of Membership

    The response program should contain

    procedures for:

    Assessing the nature and the scope of the

    incident

    Identifying what member information systems

    and types of member data have been

    accessed and / or misused

    Notifying the appropriate NCUA Regional

    Director when the credit union becomes aware

    of an incident.

  • The Value of Membership

    The response program should contain

    procedures for:

    Notifying the appropriate law enforcement

    authorities

    Suspicious Activity Report (SAR)

    Notifying the membership when warranted

  • The Value of Membership

    Procedures to include:

    Taking the needed steps to contain and

    control the incident to prevent further

    unauthorized access or misuse of

    information

    Monitoring, freezing, or closing of affected

    accounts

    Preservation of records and other evidence

  • The Value of Membership

    Unauthorized access involving systems

    maintained by a service provider

    The credit union is responsible for notifying

    the membership and the regulator

    The credit union does have the option of

    contracting with a third party service

    provider to notify the membership and the

    regulator on the credit union’s behalf

  • The Value of Membership

    Member notification must occur as soon

    as a reasonable investigation has been

    conducted.

  • The Value of Membership

    Member notification may be delayed if

    an appropriate law enforcement agency

    determines that notification will interfere

    with a criminal investigation.

    In such a case, the credit union needs to obtain the law enforcement agency's request in writing

    The membership should then be notified

    as soon as notification would no longer

    conflict with the investigation

  • The Value of Membership

    The basis of determining whether or not

    the credit union should notify the

    membership is the identification of what

    information has been compromised.

    The NCUA has defined a domain of

    sensitive member information that, if

    compromised, should prompt the credit

    union to put the response program into

    action

  • The Value of Membership

    Sensitive information includes:

    A member’s name, address, or telephone

    number in conjunction with the member’s

    social security number, driver’s license

    number, account number, debit or credit

    card number, or a personal identification

    number (PIN) that would allow for access to

    the member’s account.

  • The Value of Membership

    Sensitive information also includes:

    Any combination of the aforementioned

    components that would allow someone to

    log onto or access the member’s account

    Username and password

    Password and account number

  • The Value of Membership

    If a credit union can determine exactly which members' information was improperly accessed, the credit union may limit notification to just those individuals.

    If a group of member files was improperly accessed and it cannot be determined which were affected, the whole group of members should be notified.

  • The Value of Membership

    Tell the member to monitor and

    reference:

    Account statements

    Credit reports from the “Big 3”

    Also explain how they can get a free copy

    Information about the FTC’s online

    guidance regarding steps a consumer can

    take to protect against identity theft

  • The Value of Membership

    Member notices need to be given in a

    clear and conspicuous manner

    The notice should include the

    description of the incident in general

    terminology, along with the type of

    member information that was improperly

    accessed

  • The Value of Membership

    The notice should also describe to the

    member what measures the credit union

    has taken to protect the information

    from further illicit access

    The notice should include a telephone

    number that the members can call for

    further information and assistance

  • The Value of Membership

    Recommendation for the member to

    remain vigilant over the next 12 to 24

    months, and to notify the credit union if

    identity theft is suspected.

  • The Value of Membership

    Member notice delivery needs to occur in such a manner that the member can reasonably expect to receive it. Members may be contacted by:
      Phone
      Mail
      E-mail (for those members who have a valid e-mail address on file)

  • The Value of Membership

    Idrees Rafiq

    Assistant Vice President

    Information Technology

    Financial & Technology Resources

    Credit Union Resources, Inc.

    Toll free: (800) 442-5762 ext. 6799

    Direct: (832) 687-0051

    [email protected]

