Cybersecurity Awareness Month was first observed in October 2004 as a broad effort to help all Americans stay safer and more secure online. Sponsored by the National Cyber Security Alliance and the U.S. Department of Homeland Security, awareness efforts in that first year centered on updating antivirus software twice a year.
However, the 2020 threat landscape is much more complex — and potentially dangerous. A survey published in August by Boston Consulting Group reported an estimated 40% of employees were working from home from the end of May through mid-June. The rapid change to remote work in response to the COVID-19 pandemic has created system access nightmares for cybersecurity teams. Additionally, record unemployment and a shrinking economy have been driving an increase in cybercrime. In the first quarter of 2020, the number of records exposed to hackers soared 273% over the same period in 2019 — which was itself a record year for data breaches. Meanwhile, regulators have handed down record fines for breaches, including the $575 million settlement with Equifax for exposing the records of 147 million Americans in 2017.
Darrick Wilson, VP of Information Security, Patelco Credit Union
“Our members and team members must understand attackers are not taking a break,” says Darrick Wilson, vice president of information security at Patelco Credit Union ($7.9B, Dublin, CA). “Instead, they are increasing their attacks.”
TDECU ($3.9B, Lake Jackson, TX) is marking Cybersecurity Awareness Month with a special drawing on top of its ongoing cybersecurity awareness training program. Employees who read a TDECU article on security awareness and correctly answer questions in an online survey can earn a $50 Amazon gift card. John Gallo, director of security and compliance at TDECU, says security awareness has always been one of the organization’s top four priorities.
“I began in this role seven years ago, and I would say it’s a more dangerous environment because we know more,” Gallo says. “We didn’t know what the bad guys were doing with phishing attacks. We were just trying to educate our users. There have been a lot of enhancements in technology that have made us more aware of what’s going on.”
For example, the latest anti-virus software uses behavior analytics to spot potential hacker behavior. Users logged in from multiple locations is an obvious red flag. However, no one in cybersecurity could have predicted the new vulnerabilities that would arise with the move to remote working in 2020.
To help credit unions stay secure, these credit union experts offer a list of security tips that will help protect the enterprise and ensure employees and members are aware of the latest threats.
1. Secure those home networks.
Home routers used for remote work by millions of Americans pose a major concern to security professionals. Home routers were not designed to protect banks and credit unions, and in some cases, employees are using older routers that are no longer supported. In smaller communities served by TDECU, telecommunications firms have issued routers to customers with the same username and password.
John Gallo, Director of Security and Compliance, TDECU
“Equipment at home is more exposed to theft and unauthorized users in an unsecure home environment,” Gallo says. “Additionally, home networks are not as secure or monitored as TDECU office space.”
The challenge is so complex that the U.S. Cybersecurity and Infrastructure Security Agency has produced tips to secure home routers and networks. The most important step is ensuring the home router is using the latest firmware version. Credit unions should encourage staff members to visit their vendor’s website to download the latest firmware version for their model of home router and keep it up to date.
Organizations can also restrict access to network services over home routers and work with staff members to ensure no open ports are accessible from the internet, change the default password to a strong password, and use strong passwords to log into home wireless networks.
Remember, threat actors can access home networks from multiple devices, such as personal laptops and tablets used for virtual classes or Zoom meetings. That’s no small threat considering the credentials of more than 500,000 Zoom teleconferencing accounts were put up for sale on the dark web in April for as little as 2 cents each. Even printed records at homes pose greater risks for embarrassing breaches if not disposed of properly, Gallo notes.
2. Beware social engineering attacks.
To safeguard access to key corporate systems and data, most credit unions have moved to multifactor authentication (MFA), which typically involves submitting both a password and a randomly generated access code from the user’s mobile device.
MFA is a highly effective second layer of access control; however, Wilson at Patelco warns IT organizations against falling into a false sense of security.
“With all the distractions of working from home and multi-tasking while on Zoom calls, it is important to remember to take the extra 30 seconds to look for signs of an email or phone call being phishy.”
“Talk to your remote workers about social engineering,” Wilson says. “With all the distractions of working from home and multi-tasking while on Zoom calls, it is important to remember to take the extra 30 seconds to look for signs of an email or phone call being phishy.”
Since the beginning of the pandemic, Wilson says his team has seen an increase in social engineering attacks aimed at tricking users into sharing their credentials and then authenticating to give hackers access. It starts with a phishing email, prompting users to enter their username and password into a spoof website. Once attackers harvest the credentials, they call the victim to gain access to the network.
“Look for a suspicious email and then, minutes or days later, a suspicious phone call asking if you were able to access the site,” Wilson says. “They use phone social engineering to get you to navigate to the site and try to login again. They then prompt for MFA, and the user approves the connection, but it is the bad actor’s connection they are approving — not their own access.”
CU QUICK FACTS
HQ: Lake Jackson, TX
Data as of 06.30.20
12-MO SHARE GROWTH: 18.8%
12-MO LOAN GROWTH: 11.8%
Gallo at TDECU says he’s seeing the same tactics. In fact, the credit union has an audio recording of a nine-minute phone call between a cyber attacker and an employee in attempt to access the network.
“They really put the pressure on you,” Gallo says.
Thankfully, he adds, the user did not share their credentials.
3. Step up anti-phishing training.
Cybercriminals are opportunists. As COVID-19 was spreading around the world, the number of phishing emails tied to news about the pandemic — including spoof websites for the World Health Organization — skyrocketed. Following federal government relief efforts, phishing attacks quickly shifted to small business owners seeking information about the Payroll Protection Program.
A few years ago, access to customer personally identifiable information (PII) was a key target for hackers. Today, the emphasis is on stealing employee credentials to gain unfettered access to core systems. In 2020, more attackers are focusing on injecting ransomware, as well as exfiltrating data, to give them a better bargaining position to demand higher ransoms. A growing number of ransomware attackers now claim, “We’ve encrypted your files and stolen your data.” Such demands typically come with a link to a website with a sample of the stolen data as proof.
To combat these growing threats, TDECU has a formal anti-phishing program that involves monthly training as well as a monthly targeted phishing email to test users. During the past year, 91% of employees passed the test by not clicking on a link in the email, slightly better than the financial services industry average success rate of 89%.
“Our CEO Steph Sherrodd is very supportive of the security program,” Gallo says. “She makes sure her team realizes compliance is a requirement and their team members should follow through with it. She’s the only one on her team who hasn’t fallen for a phishing email. She’s pretty good at catching them all.”
4. Block access to malicious websites.
One of the benefits of working in a corporate environment is that organizations invest in security controls that allow staff to access websites in a secure manner. Most organizations implement web security controls where, if the users are directed to malicious websites, these tools will proactively block access to reduce the potential damage.
However, employees working from home can implement simple website-blocking add-ons such as uBlock Origin, which was created to block advertisements but has now progressed to block access to malicious websites. The software downloads a daily blocklist of known malicious sites curated by members of the online community.
“We’ve built a layered level of security to protect us when they do click on the links,” Gallo says. “We’ve got appliances on the outside that recognize they are going to a bad site, and it doesn’t allow it, so we can clean that user’s machine.”
That’s important because threats are changing weekly. For example, the security community just recently learned the Iran-linked Mercury group, also known as MuddyWater, Static Kitten, and Seedworm, is attempting to exploit the Microsoft Zerologon vulnerability.
The attackers are sending messages disguised as software updates to trick users into downloading malicious code and connecting to a command and control server. The Zerologon vulnerability has a criticality score of 10, the highest possible threat, because it allows attackers to gain control of an organization’s Active Directory, potentially inject ransomware into every connected PC, and cripple the business until the ransom is paid. Microsoft released a patch for the flaw in August, so hackers are now targeting organizations that haven’t applied the patch.
5. Actively manage user passwords.
It is a well-known best practice for users to not reuse one or two passwords across online authentication activities. Instead, passwords should be unique to each online portal or service.
However, it is extremely onerous for users to create and remember long passwords of high complexity that must change over time. Thus, users are often advised to use a password manager solution to ensure all passwords are securely encrypted and stored in a password file. This practice becomes even more crucial as credit unions continue to add new systems and tools.
CU QUICK FACTS
Patelco Credit Union
HQ: Dublin, CA
Data as of 06.30.20
12-MO SHARE GROWTH: 11.4%
12-MO LOAN GROWTH: 1.1%
“We all use similar technologies, and we all have human error issues to deal with as we drive technology teams harder to keep up with business demand,” Wilson at Patelco says. “Making sure you decommission old applications and systems completely to keep your potential exposure down is key.”
It is also increasingly popular for websites to ask users to log in with their social network account, such as Facebook, Google, or Apple. It might be convenient to the user, who won’t need to create another account or password, but the potential hidden cost is user privacy. Facebook or Google get to see what services their users are accessing, which gives them deeper knowledge of how users operate and new opportunities to monetize their behavior. Additionally, if the password of the user’s social network account is compromised or leaked, there is potentially greater harm for the user, whose stolen credential can be used to access websites they accessed through their social network account.
6. Invest in cybersecurity skills.
When revenues are down, companies tend to look for ways to reduce staff to maintain profitability; however, the security program is not the place to start cutting — even if it’s been a while since the last breach.
“Whether you’re a credit union or a bank, investment in your information security program, governance, resources, and tools are critical to vulnerability,” Gallo says. “Thus, smaller organizations face greater threats due to lack of investment in security.”
Skilled security professions are in high demand these days, which makes employee retention a big challenge for cybersecurity programs. One key strategy for dealing with these pressures is for security teams to work hand in hand with IT operations to monitor and manage vulnerabilities, Gallo says, enabling security specialists to focus on the latest threats. For example, Gallo says he’s investing in threat-hunting skills to spot attacks after the systems has been breached.
“We’re investing money in training our staff to become threat-hunting experts. That’s the next layer with an orchestrated security operations center.”
“You assume they’re already in there,” Gallo says. “You’re looking for threats that have already gotten past your defenses. That’s why we’re investing money in training our staff to become threat-hunting experts. That’s the next layer with an orchestrated security operations center, so that’s what we’re investing in for 2021.”
Another key area of security is privileged account management — securing access by key employees with top-level access to systems. This area of security management has become a greater concern because of the rise in spearphishing attacks in which attackers use phishing and social engineering tactics to target individuals in the organization.
“We can no longer wait for the breach,” Gallo says. “We need to be on the lookout for the breach or cracks in our armor. Establishing an identity and access management program that focuses on privileged account management limits users to only what they need to do their jobs.”
7. Plan your incident response.
Planning and drilling staff on what to do in the event of a breach saves precious time when the credit union is under attack. Make sure you know what IT infrastructure you have and who’s responsible for managing it. Plan for the worst. For example, last year, TDECU held a drill that assumed its Active Directory had been corrupted by ransomware. Ironically, the simulated attack was set in the middle of a measles outbreak.
Practice is crucial to responding to threats before significant damage is done, according to Patelco’s Wilson.
“Ensure you have visibility to see the attacks, create your playbooks for how to respond to common threats, and practice your response,” Wilson advises. “Make sure your cyber liability coverage is adequate to help mitigate potential loses. Last but not least, make sure the controls on all your devices are installed and functioning.”
Want more credit union strategies? Sign up for the CreditUnions.com free newsletter.