The Value of Membership
Credit Union Security
  Non-tangible Assets
    Member Information
    Information Deemed Confidential
  Tangible Assets
    Computer Equipment
    Furniture / Fixtures
    Hard Copy Documentation
    etc.
Identify current threats and trends.
Become familiar with administrative,
physical, and technical security best
practices.
Learn risk-based methods to identify
security risks.
Methods used to effectively implement
security into daily operations.
Security Trends
Breaches now inevitable
Cyber espionage continues
Mobile malware continues to increase
Mobile devices get anti-theft protection
Spear-phishing scourge continues
Social engineering attacks hit social networks
Botnets keep infiltrating businesses
Breach notifications gain greater traction
Critical infrastructure rhetoric keeps heating up
Code gets externally reviewed
Texas Credit Union League © 2013
First Line of Security -
Employees
Your ammunition is:
Knowing that:
COMPLIANCE SECURITY
Creativity to build on the material
Educating employees, members,
friends, and family
Altered frame of mind
Cognizant of new security threats
Distributed Denial-of-Service (DDoS)
Attackers use compromised systems (zombies / bots) to attack a specific target.
The compromised systems send an overwhelming number of connection requests that flood the target.
The target receives so many connections that it shuts down, denying service to legitimate requests.
Assess Risk / Remediation
Targets are Internet facing:
  Website
  Home Banking
  Internet Service Provider
Due Diligence: include the vendor's plan in the credit union's disaster recovery plan.
Types of Hackers
A white hat hacker breaks security for non-malicious reasons (e.g., network penetration testing).
A grey hat hacker uses their skills for legal or illegal acts, but not for personal gain.
A black hat hacker, sometimes called a "cracker," is someone who breaks computer security without authorization or uses technology (usually a computer, phone system or network) for vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity.
A social engineer uses non-technical skills to gain access to information.
Types of Hacks
Security exploit
Packet sniffer
Password cracking
Spoofing attack
Key loggers
Trojan horse
Virus
Worm
Social engineering
Many more!!!!
Types of Hacks – Minimized / Foiled by Training and Proper Practices
Security exploit
Packet sniffer
Password cracking
Spoofing attack
Key loggers
Trojan horse
Virus
Worm
Social engineering
Many more…
Security Exploit
Systems affected: Microsoft Windows running Adobe Reader, Acrobat, or Oracle Java
In May 2013, both www.federalnewsradio.com and www.wtop.com had been compromised to redirect Internet Explorer users to an exploit kit.
The exploit kit delivers and executes viruses, disguised as a fake Flash installer.
Solution: Update software
Hacking Lesson for the Non-Techie
Create a malicious Trojan Horse.
Hacking Lesson for the Non-Techie
Install a virus.
Hacked by:
  Poor system security
    Antivirus
    Antispyware
  Poor Patch Management
  Computer / System Privileges
  USER KNOWLEDGE
Hacking Lesson for the Non-Techie
Hack a Password
Hacked by:
  Weak password
  Computer / System Privileges (allowed a key logger to be installed)
  USER KNOWLEDGE
If a non-techie hacks your password: You've been SOCIALLY ENGINEERED!!!!!!!
http://www.youtube.com/watch?v=L6W57_MJYdM&feature=player_detailpage
Non-Technical Hack
Social Engineering: psychological manipulation.
The act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques.
Trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim.
A technical way of lying.
How / Why It Works
Humans inherently:
Are trusting
Have fear of authority
Are courteous
Want to help
Desire to be liked
Are social
Are curious
Social Engineering – ID Theft
Full name
Address / phone numbers (past and present)
Date of birth
Social security number
Mother's maiden name
Children's names
Bonus:
  Loan information
  Account numbers
  Credit card information
  Employment information
  Passwords
Older Methods of Attack (that are still used)
Dumpster Diving
Address Change
Note the progression toward social engineering!
Current Methods of Attack
Pharming – planting bogus websites, e.g. www.redcrosss.com posing as www.redcross.org
Phishing – usually through e-mail
  Website spoofing
Spear phishing – your credit union is the target
Whaling – a high-profile employee is the target
Links shown on the slide:
http://www.redcross.org/
http://www.redcrosss.com/
http://www.curesources.coop/Technology_Services.html
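A defender-side check for the pharming pattern above, added here as an illustration and not taken from the deck: it flags link hosts that imitate a trusted domain the way www.redcrosss.com imitates www.redcross.org. The trusted-domain list, the edit-distance threshold and the sample links are assumptions made for this example.

```python
"""Added example, not from the deck: flag link hosts that imitate a trusted
domain, the pharming pattern the slide shows with www.redcrosss.com posing
as www.redcross.org. TRUSTED, the distance threshold and the sample links
are constructed assumptions for this illustration."""
from urllib.parse import urlsplit

TRUSTED = {"redcross.org", "examplecu.coop"}   # constructed list of legitimate domains


def edit_distance(a, b):
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(url):
    """Last two host labels, lower-cased; a simplification of the public
    suffix list that is enough for .org/.com/.coop style names."""
    if "://" not in url:                      # bare hosts as typed by a member
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def classify_link(url, trusted=TRUSTED, max_distance=2):
    """'trusted' when the domain is one of ours, 'lookalike' when it is a
    near miss of one (typo, extra letter, swapped suffix), else 'other'."""
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted"
    name, _, suffix = domain.rpartition(".")
    for known in trusted:
        known_name, _, known_suffix = known.rpartition(".")
        if name == known_name and suffix != known_suffix:
            return "lookalike"                # same name, different suffix
        if edit_distance(name, known_name) <= max_distance:
            return "lookalike"                # redcrosss, redcr0ss, red-cross
    return "other"


if __name__ == "__main__":
    # Constructed sample links, e.g. taken from a suspicious e-mail
    for link in ("http://www.redcross.org/", "http://www.redcrosss.com/",
                 "https://redcross.com/donate", "https://www.google.com/alerts"):
        print(f"{classify_link(link):9}  {link}")
```

A host such as redcross.org.evil.example comes back as "other", because only the last two labels are compared, so the check complements rather than replaces the deck's advice to type the address out.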
Current Methods of Attack
Vishing is a combination of the words voice and phishing.
SMiShing: SMS (Short Message Service) is the technology used for text messages on cell phones.
SIM-swap
Caller ID Spoofing
Calls
  Pretexting – get significant data
  Test security posture
  Gain a small amount of data
Current Methods of Attack
Use of fear
  Angry Member
  Senior Executive
  Law enforcement
  Credit Collector
Physical bait
  USB
  CD
Acting – Third Party
  AT&T
  Building maintenance
  Law enforcement
  IT Vendor
  Examiner
Flirting
Where is your stolen information?
Carding / Hackers Forums
Harvesters – phishing, key logging, etc.
Brokers – sell the harvested credit card, account, password, and personal information
Distribution – ID theft: use the information to purchase tangible items, which are then sold for cash.
Supply Chain
Value
Stolen credit card numbers: $2 to $90
Physical credit cards: $190 + cost of details
Stolen online bank account log-in information (user name, password, etc.): $80 to $700 depending on the amount of funds in the account
Online stores and pay platforms: $80 to $1,500 (with guaranteed balance)
Stolen e-mail passwords: $1 to $18
Don't Throw Your Security Investment Away!
Bypass physical security (e.g., perimeter alarm sensors, motion sensors, etc.)
Bypass all doors, locks, keys
Firewalls
Intrusion Detection / Prevention Systems (IDS/IPS)
Network access levels
Data processor access levels
Many more…
How to Protect from Threats
Risk assessment
Multi-layered Security
  Deploy administratively
  Deploy physically
  Deploy technically
How to Protect from Threats
Risk assessment
Rule of Least Privilege (Access Controls)
  Deploy administratively
  Deploy physically
  Deploy technically
How to Protect from Threats
Risk Assessment
Encryption
  In storage
  In transit
Training
Testing
Training / Tips
Do not divulge insignificant data – it may be significant to thieves
Escort!
Revisit open file policy / procedure
Be aware of connecting ANYTHING to your PC (e.g., USB drives, CDs, keyboards)
When in doubt of a link, type it out
Don't give phone extensions or e-mail addresses out
Training / Tips cont.
Train cleaning crew
Ask employees to think of unique ways to breach the credit union
Share stories with other credit unions
Develop a member education program
Place a Google Alert on yourself and your credit union (google.com/alerts)
Websites – check reviews
Implement layered security
Training / Tips cont.
Organizational chart – include SEGs
Train to be suspicious
Security Risk Assessment
Training
Education
Testing
Security Program
Training / Tips cont.
Limit online personal information
  Facebook, Twitter, LinkedIn
  Birthday
  Kids' names / birthdays
  Place of birth
  Home address
  When on vacation
Update Privacy Settings
http://www.youtube.com/watch?feature=player_embedded&v=kJvAUqs3Ofg
Security Posture Result
Reactive Credit Union
  Lack of knowledge of current methods
  No testing
Proactive Credit Union
  Semi-annual training
  Testing result positive
Test!!!
Don’t be complacent with policy!
Don’t let your staff be complacent!
Include cleaning crew in testing.
View results in a positive manner: proactive
Summary
Train – EVERYONE and Often
Test – EVERYONE and Often
First Line of Security - Employees
Your ammunition is:
  Knowledge of the following material
  Creativity to build on the material
  Educating employees, members, friends, and family
Be vigilant and alert
Be abreast of the new methods
Verify
Share stories
Be SUSPICIOUS!!
Compliance: What you have to do
Regulatory responsibilities
  US Department of Treasury
  FFIEC
  NCUA
  Your State's Credit Union Department
  Your State's Finance Code
Gramm-Leach-Bliley (GLB) Act
NCUA Regulation 748: Burglaries, Larcenies, Embezzlement
Sections 501 and 505 of GLB required the NCUA Board to establish administrative, physical, and technical safeguards for consumer records and information:
  Administrative
  Physical
  Technical
Effective July 1, 2001, Regulation 748 encompassed GLB requirements
So a credit union has to have a written security policy and program.
Appendix A is the answer!
Appendix A to Regulation 748 provides guidelines
Addresses:
  Administrative
  Physical
  Technical
Credit union responds when:
  An auditor wrote up a recommendation
  An examiner mandated it via a DOR (Document of Resolution)
Result:
  Documentation lies dormant on a shelf in physical form or on a file server in electronic form
It is imperative that you, as credit union leaders, establish a proactive approach to information security in your credit union!!!
Reactive vs. Proactive
Credit Union’s Reputation
6:00 PM News Report
Best Practice: What you should do
Examples:
  Electronic Security: Active Directory vs. Local User Accounts
  Physical Security: Examples?
  Administrative Security: Examples?
The ultimate goal of information security:
  To protect the confidentiality, integrity, and availability of information
  Reduce risk
A security program designed to:
  Protect all credit union facilities against burglaries, larcenies, robberies, and embezzlement
  Ensure the security and confidentiality of member records, physical and electronic
  Protect against anticipated threats and hazards to the integrity of the information
A security program designed to:
  Protect against unauthorized access to member information
  Assist in the identification of persons who commit or attempt to commit such crimes
  Prevent destruction of vital credit union records
Information security management for a credit union begins with managing risks
The actual assessment can be achieved through two main formats:
  Qualitative
  Quantitative
A qualitative risk assessment is one in which the assessor knows best practice and establishes what will apply to the credit union.
A quantitative risk assessment is one in which the assessor assigns numerical values to assets, threats, and vulnerabilities and uses them as benchmarks.
Managing Risks = Risk Assessment
So what should your credit union be doing in a risk assessment?
Identify risks
Mitigate the identified risks (if possible)
Ensure an appropriate balance of risk and controls
Define specific security needs for the credit union
Ensure a layered approach to security
Definitions of components considered in a risk assessment:
Asset – tangible and intangible resources with some value owned by the credit union
Threat – any potential danger that a vulnerability will be exploited by a threat agent
Vulnerability – the absence or weakness of a safeguard that could be exploited
Risk – the loss potential, or probability, that a threat will exploit a vulnerability
Relationship of Threats and Vulnerabilities
Threat Agent   | Can Exploit This Vulnerability                 | Result
Computer Virus | Lack of Antivirus Software                     | Viral Infection
Employees      | Lack of Training; Lack of Auditing             | Sharing Mission Critical Information; Altering Data Inputs and Outputs from EDP System
Fire           | Lack of Fire Extinguishers & Detection Systems | Facility and Computer Damage; Loss of Life
How is risk calculated?
Risk Equation: three multipliers in the equation to calculate overall risk
Risk = asset value × threat probability × vulnerability
Steps in a credit union risk assessment
Step 1: Identify and assign value to assets
  Assets are going to differ in each credit union
Step 2: Identify threats and vulnerabilities associated with identified assets
Steps in a credit union risk assessment (cont.)
Step 3: Measure the current level of risk
  Apply the risk equation: Risk = asset value × threat probability × vulnerability
Step 4: Eliminate, Monitor / Manage, or Accept
  Recognize that not all risk can be completely eliminated
  The credit union must achieve a balanced approach
  Countermeasures should be considered and selected with the intent to achieve that balance
Steps in a credit union risk assessment (cont.)
Step 5: Reassessment of risk
  Risk MUST be reassessed as a result of credit union changes
  At least annually
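A worked run of Steps 1 to 5, added here as an illustration and not taken from the deck: the deck's equation Risk = asset value × threat probability × vulnerability is applied to a constructed asset register, each finding is sorted into Eliminate, Monitor / Manage or Accept by thresholds (the thresholds and every figure are assumptions), and the register is reassessed after a countermeasure lowers one vulnerability factor.

```python
"""Added worked example, not from the deck: Steps 1 to 5 of the credit union risk
assessment with the deck's equation Risk = asset value * threat probability * vulnerability.
All assets, dollar values, probabilities and thresholds are constructed sample data."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Exposure:
    asset: str                 # Step 1: an asset, tangible or intangible
    asset_value: float         # Step 1: value assigned to it (dollars)
    threat: str                # Step 2: threat agent
    threat_probability: float  # Step 2: chance it acts this year, 0..1
    vulnerability: float       # Step 2: 0 = solid safeguard .. 1 = no safeguard

@dataclass(frozen=True)
class Finding:
    asset: str
    threat: str
    risk: float                # Step 3: expected loss from the equation
    action: str                # Step 4: Eliminate, Monitor / Manage, or Accept

def risk_score(asset_value, threat_probability, vulnerability):
    """Step 3: apply the deck's risk equation; both factors are fractions."""
    for factor in (threat_probability, vulnerability):
        if not 0.0 <= factor <= 1.0:
            raise ValueError("threat probability and vulnerability must be in [0, 1]")
    return round(asset_value * threat_probability * vulnerability, 2)

def choose_action(risk, accept_below, eliminate_above):
    """Step 4: the thresholds express the balance between risk and control cost."""
    if risk >= eliminate_above:
        return "Eliminate"
    if risk >= accept_below:
        return "Monitor / Manage"
    return "Accept"

def assess(exposures, accept_below=5_000, eliminate_above=50_000):
    """Steps 3 and 4 for every asset/threat pair, highest risk first."""
    findings = []
    for e in exposures:
        risk = risk_score(e.asset_value, e.threat_probability, e.vulnerability)
        findings.append(Finding(e.asset, e.threat, risk,
                                choose_action(risk, accept_below, eliminate_above)))
    return sorted(findings, key=lambda f: f.risk, reverse=True)

def reassess(exposures, countermeasures):
    """Step 5: re-run after a change. A countermeasure lowers the vulnerability
    factor of one (asset, threat) pair; the asset value and the threat itself
    are unchanged, which is why residual risk is never zero."""
    updated = [replace(e, vulnerability=countermeasures.get((e.asset, e.threat),
                                                            e.vulnerability))
               for e in exposures]
    return assess(updated)

# Constructed sample register for a hypothetical credit union.
SAMPLE_EXPOSURES = [
    Exposure("Member database", 500_000, "Computer virus", 0.30, 0.80),  # no antivirus
    Exposure("Member database", 500_000, "Employees", 0.10, 0.60),       # no training / auditing
    Exposure("Public website", 50_000, "DDoS", 0.40, 0.50),
    Exposure("Branch facility", 200_000, "Fire", 0.02, 0.90),            # no extinguishers / detection
]

if __name__ == "__main__":
    for f in assess(SAMPLE_EXPOSURES):
        print(f"{f.asset:16} {f.threat:15} risk=${f.risk:>10,.2f}  {f.action}")
    # Deploying antivirus drops the virus vulnerability from 0.80 to 0.10.
    after = reassess(SAMPLE_EXPOSURES, {("Member database", "Computer virus"): 0.10})
    virus = next(f for f in after if f.threat == "Computer virus")
    print("after antivirus:", virus.risk, virus.action)
```

Tightening the Accept / Eliminate thresholds turns the same register into more Eliminate findings, which is the balance Step 4 asks the credit union to choose deliberately.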
Administrative Security Practices
Dual Control / Multi-layer
Verbal Communication
  Telephone – Multifactor
  Lobby
  Offices
Records Retention and Storage
  Daytime
  Nighttime
Physical Security EXERCISE – Part I
Physical Security EXERCISE – Part II
Technical Security
Patch Management
Antivirus / Malware Management
Firewall Management
Password Management
Patch Management
Functional purpose
Scope of patch management
Test before deployment vs. automatic deployment
Malware Management (viruses / spyware / adware)
Levels of management
Updates and scanning frequencies
Handling malware that reaches a machine
Firewall Management
Functional purpose
Rules governing inbound and outbound data traffic
Firmware updates
Penetration testing vs. vulnerability testing
Backup of configuration
Password Management
Functional purpose
Data processing vs. network operating system
Other software and Internet-based applications
Policy enforcement: length, complexity, concurrency, change frequency, incorrect entry threshold
Regulatory Reference for Network Security
NCUA Letter to Credit Unions 06-CU-10
NCUA's Information System and Technology (IS&T) Program
www.us-cert.gov
2011 IT-Questionnaires.xls
Technology Security EXERCISE – Part I
[Network diagram from the exercise: Public Internet over a T-1 connection to a Cisco 1841 T-1 router; LAN on a 3Com 3C16475 24-port switch; branch office LAN on an SMC-EZ6508TX EZ Switch]
Technology Security EXERCISE – Part II
Develop Information Security Policy & Program
What is the GOAL of an Information Security Policy & Program?
Defines the role that security plays within the credit union
Provides a custom framework reflective of a risk-based approach to information security as required by NCUA rules and regulations
Who should be involved?
Everyone in the credit union should be involved in all aspects of the information security management infrastructure!
Relationship of Policy, Standards, Guidelines, and Procedures
Security Policy – overall general statement produced by senior management that dictates what role security plays within the credit union
Issue-specific Policy
  Monitoring of electronic communications
System-specific Policy
  Firewall deployment and monitoring
Develop a security program to support those policies
Standards are the mandatory activities, actions, rules, or regulations in effect at the credit union
Procedures are the detailed step-by-step tasks that are required to be performed to achieve a specific goal
  System backups
  Opening and closing
  Robbery
  Member identity verification
Make security framework components visible to the organization
  Awareness training
  Manuals
  Presentations
  Newsletters
Employees need to be aware that:
  The information security framework directives have originated from senior management
  Their active involvement is mandated to ensure the successful implementation of the framework
Reward active involvement
Hold employees liable for non-compliance
INFORMATION SECURITY
Questions or comments regarding fundamentals?
Appendix B of Regulation 748 specifically addresses the response program requirements of credit unions as a subunit of their security program
Effective on June 2, 2005.
A written, risk-based response program to address incidents of unauthorized access to member information
Encompass incidents of unauthorized access that may occur in the systems of domestic and foreign service providers
Address the vendor's response program
The response program should contain procedures for:
  Assessing the nature and the scope of the incident
  Identifying what member information systems and types of member data have been accessed and / or misused
  Notifying the appropriate NCUA Regional Director when the credit union becomes aware of an incident
The response program should contain procedures for:
  Notifying the appropriate law enforcement authorities
    Suspicious Activity Report (SAR)
  Notifying the membership when warranted
Procedures to include:
  Taking the needed steps to contain and control the incident to prevent further unauthorized access or misuse of information
  Monitoring, freezing, or closing of affected accounts
  Preservation of records and other evidence
Unauthorized access involving systems maintained by a service provider
  The credit union is responsible for notifying the membership and the regulator
  The credit union does have the option of contracting with a third party service provider to notify the membership and the regulator on the credit union's behalf
Member notification must occur as soon as a reasonable investigation has been conducted.
Member notification may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation.
In such a case, the credit union needs to obtain the request from the law enforcement agency in writing.
The membership should then be notified as soon as notification would no longer conflict with the investigation.
The basis of determining whether or not the credit union should notify the membership is the identification of what information has been compromised.
The NCUA has defined a domain of sensitive member information that, if compromised, should prompt the credit union to put the response program into action.
Sensitive information includes:
A member's name, address, or telephone number in conjunction with the member's social security number, driver's license number, account number, debit or credit card number, or a personal identification number (PIN) that would allow for access to the member's account.
Sensitive information also includes:
Any combination of the aforementioned components that would allow someone to log onto or access the member's account
  Username and password
  Password and account number
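An added example, not taken from the deck, that encodes the sensitive-information definition above together with the notification-scope and law-enforcement-delay rules from the surrounding slides, to decide whether an incident trips the response program and which members receive notice. The field names, member ids and incident records are constructed, and the rule encoding is this example's reading of the slides, not NCUA's text.

```python
"""Added example, not from the deck: does a set of compromised record fields meet
the deck's Appendix B sensitive-information definition, and if so who is notified
and when. Field names, member ids and the incident records are constructed."""

IDENTIFIERS = {"name", "address", "telephone_number"}
# Elements that, in conjunction with an identifier, allow access to the account
ACCOUNT_ELEMENTS = {"ssn", "drivers_license_number", "account_number",
                    "debit_card_number", "credit_card_number", "pin"}
# Combinations that by themselves let someone log on to or access the account
ACCESS_COMBINATIONS = ({"username", "password"}, {"password", "account_number"})


def is_sensitive(fields_accessed):
    """Return (sensitive?, reason). An identifier alone, or an account element
    alone, is not sensitive under the definition; the combination is."""
    fields = {f.strip().lower().replace(" ", "_") for f in fields_accessed}
    ids, elems = fields & IDENTIFIERS, fields & ACCOUNT_ELEMENTS
    if ids and elems:
        return True, f"{sorted(ids)} in conjunction with {sorted(elems)}"
    for combo in ACCESS_COMBINATIONS:
        if combo <= fields:
            return True, f"{sorted(combo)} allows access to the member's account"
    return False, "no sensitive combination of member information"


def notification_scope(affected_members, group_accessed):
    """Notify exactly the members identified; when it cannot be determined
    which files in the accessed group were affected, notify the whole group."""
    members = group_accessed if affected_members is None else affected_members
    return sorted(set(members))


def plan_response(incident):
    """incident keys (constructed): fields_accessed, affected_members (None when
    undeterminable), group_accessed, law_enforcement_request (None, 'verbal'
    or 'written')."""
    sensitive, reason = is_sensitive(incident["fields_accessed"])
    plan = {"trigger_response_program": sensitive, "reason": reason,
            "notify_members": [], "member_notice": "not required"}
    if not sensitive:
        return plan
    plan["notify_members"] = notification_scope(incident.get("affected_members"),
                                                incident.get("group_accessed", []))
    # Only a written request from law enforcement justifies delaying the notice;
    # even then it goes out once it no longer conflicts with the investigation.
    if incident.get("law_enforcement_request") == "written":
        plan["member_notice"] = "delayed until it no longer conflicts with the investigation"
    else:
        plan["member_notice"] = "as soon as a reasonable investigation has been conducted"
    return plan


if __name__ == "__main__":
    # Constructed incident: a file share holding three members' records was
    # accessed, and the logs cannot tell which of the three were read.
    incident = {"fields_accessed": ["Name", "Account Number", "PIN"],
                "affected_members": None,
                "group_accessed": ["M-3", "M-1", "M-2"],
                "law_enforcement_request": "verbal"}
    for key, value in plan_response(incident).items():
        print(f"{key}: {value}")
```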
If a credit union can determine exactly which members' information was improperly accessed, the credit union may limit notification to just those individuals.
If a group of member files was improperly accessed and it cannot be determined which were affected, the whole group of members should be notified.
Tell the member to monitor and reference:
  Account statements
  Credit reports from the "Big 3" (also explain how they can get a free copy)
  Information about the FTC's online guidance regarding steps a consumer can take to protect against identity theft
Member notices need to be given in a clear and conspicuous manner
The notice should include the description of the incident in general terminology, along with the type of member information that was improperly accessed
The notice should also describe to the member what measures the credit union has taken to protect the information from further illicit access
The notice should include a telephone number that the members can call for further information and assistance
Recommendation for the member to remain vigilant over the next 12 to 24 months, and to notify the credit union if identity theft is suspected.
Member notice delivery needs to occur in such a manner that the member can reasonably expect to receive it.
May contact the members by:
  Phone
  Mail
  E-mail (for those members who have a valid e-mail address)
Idrees Rafiq
Assistant Vice President
Information Technology
Financial & Technology Resources
Credit Union Resources, Inc.
Toll free: (800) 442-5762 ext. 6799
Direct: (832) 687-0051