Tackling cyber-security has become part of every credit union’s list of ongoing initiatives. With new threats emerging every day, members can become numb to the shock of having their data compromised. However, it is still important that data losses not be traced to the credit union’s own lack of controls.
Understanding how well your credit union is combating cyber-crime can be daunting for management and supervisory committees. At minimum, the supervisory committee should require an annual information technology audit, completed and presented to the committee. The committee should select the auditor that will complete this work, and that auditor should present the report to the committee directly. This opens a dialogue between the auditor and the committee about the risks that were uncovered and how they can be mitigated.
In addition to the audit, the committee and management should determine whether the credit union’s IT department follows any recognized set of standards or controls to mitigate cyber-security risk. The Center for Internet Security (CIS) is a widely recognized organization that has developed control standards with input from the international IT community. These controls have been vetted and benchmarked against lessons learned from real-world attacks and the defenses that proved effective at stopping them.
CIS built its 20 Critical Security Controls (CSC) on five guiding philosophies, which are as follows:
- Offense Informs Defense: Continuously monitor attacks on other organizations to determine whether similar attacks would succeed against your credit union.
- Prioritization: Implement the most critical protection measures first and build on that implementation.
- Metrics: Use metrics that are understood by the board, the supervisory committee, executive management and your IT staff.
- Continuous Diagnostics and Mitigation: Actively test your network and correct any issues detected.
- Automation: Automate notifications of unusual network activity so detection does not depend on someone happening to look.
The 20 Critical Security Controls developed from these philosophies are listed below in priority order. The order helps IT professionals, and organizations in general, recognize the most effective sequence for investing their time and resources. Notably, not all of these controls carry a large price tag, although every one of them requires diligence on the part of the IT department.
Critical Security Controls
1. Inventory of Authorized and Unauthorized Devices: Know and monitor what is connected to your network at all times.
2. Inventory of Authorized and Unauthorized Software: Know and monitor the software loaded on every device attached to your network.
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Build devices from a hardened standard image, remove default passwords, and keep configurations uniform across the fleet.
4. Continuous Vulnerability Assessment and Remediation: Scan the network for vulnerabilities on a continuous basis and keep all systems and software current with the latest available patches.
5. Malware Defenses: Maintain up-to-date anti-malware software with definitions that refresh automatically, along with regular scans.
6. Application Software Security: Manage the lifecycle of software, run the latest supported versions with the latest patches, and test in-house and web applications for common flaws before they go into production. Software that is no longer supported should be replaced.
7. Wireless Access Control: Ensure every wireless access point is inventoried, encrypted and requires authentication. If guest or public wireless is offered, keep it segregated outside the firewall so those users cannot reach internal network resources.
8. Data Recovery Capability: Ensure consistent, good-quality backups are made and that restores from them are tested regularly, so you know recovery works before you need it.
9. Security Skills Assessment and Appropriate Training to Fill Gaps: Ensure all staff (not just the IT staff) have sufficient cyber-security training, since untrained staff are the targets of social engineering and can unknowingly compromise network security.
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches: Harden every network device before it goes into production by replacing default configurations and credentials. Ease of use and ease of deployment are secondary to security.
11. Limitation and Control of Network Ports, Protocols, and Services: Manage all network ports, protocols, and services, and disable any that are not actively in use.
12. Controlled Use of Administrative Privileges: Minimize administrative privileges on all workstations, servers, network devices, and applications, and log and review their use.
13. Boundary Defense: Control the flow of traffic across network borders and inspect content for attacks and evidence of compromised machines. Boundary defenses should be multi-layered, using firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS.
14. Maintenance, Monitoring, and Analysis of Audit Logs: Deficiencies in security logging and analysis allow attackers to hide their locations, malicious software, and activities on victim machines. Without solid audit logs that someone actually reviews, an attack may go unnoticed indefinitely and the damage done may be irreversible.
15. Controlled Access Based on the Need to Know: Some organizations do not carefully identify and separate their most sensitive and critical assets from less-sensitive, publicly accessible information on their internal networks. In many environments, internal users have access to all or most of the critical assets. Once attackers have penetrated such a network, they can easily find and remove important information, cause physical damage, or disrupt operations with little resistance.
16. Account Monitoring and Control: Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, which makes their activity hard for network personnel to distinguish from normal use. Review accounts regularly and disable any that are inactive or no longer needed.
17. Data Protection: Encrypting data both in transit and at rest mitigates the impact of a compromise: without the keys, an attacker who obtains the data cannot practically recover the plaintext, so the keys must be protected as carefully as the data itself. The movement of data across network boundaries, both electronically and physically, must be carefully scrutinized to minimize exposure to attackers.
18. Incident Response and Management: The best IT departments do not ask whether a compromise will happen; they plan for when it happens. This mindset is about being prepared for what follows a successful attack and knowing how quickly the department can restore security. Without an incident response plan, even after an attack is detected the organization may not be able to follow good procedures to contain the damage, eradicate the attacker’s presence, and recover in a secure fashion.
19. Secure Network Engineering: Networks and systems constantly evolve, new business imperatives appear, attackers develop new techniques, and new technologies emerge to complicate the security problem. In such an environment, attackers take advantage of missing security features, time gaps in deploying new defenses or moving information, and the seams between defensive controls. Re-evaluate and upgrade security controls regularly and implement new measures as necessary, especially when making changes to networks and systems.
20. Penetration Tests and Red Team Exercises: Successful threat mitigation requires a comprehensive program of technical defenses, good policy and governance, and follow-through on what is found. Independent red teams that take on the role and mindset of an attacker and probe for weaknesses provide valuable, objective insight into whether vulnerabilities exist and whether the defenses and mitigating controls already in place or planned are actually effective.
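Several of the controls above reduce to checks that can be automated and reported as metrics, in keeping with the Metrics and Automation philosophies. The following Python script is an added example (not code from the article’s author, the firm, or CIS) showing what minimal automated checks for three of them look like: CSC 1 (devices on the wire that are not in the asset register), CSC 14 (bursts of failed logons in audit logs) and CSC 16 (enabled accounts nobody has used). The asset register, log lines and account export are constructed sample data, and the host names, user names and addresses are illustrative, not real systems.

```python
"""Spot checks for three CIS Critical Security Controls over constructed data.

Added example for this article; not code from the author, the firm, or CIS.
The asset register, log lines and account export are constructed sample input.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- CSC 1: Inventory of Authorized and Unauthorized Devices ------------------
# Constructed: the approved asset register (MAC -> name) and what a sweep of
# the switch ARP/DHCP tables actually observed on the network.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "teller-ws-01",
    "00:11:22:33:44:02": "teller-ws-02",
    "00:11:22:33:44:10": "core-app-srv",
}
OBSERVED_DEVICES = {
    "00:11:22:33:44:01": "10.0.5.21",
    "00:11:22:33:44:02": "10.0.5.22",
    "AA:BB:CC:DD:EE:FF": "10.0.5.77",  # not in the register
}

def unauthorized_devices(authorized, observed):
    """Devices seen on the wire but absent from the register, as {mac: ip}.
    MACs are compared in lower case so formatting differences between tools
    do not produce false positives."""
    known = {mac.lower() for mac in authorized}
    return {mac.lower(): ip for mac, ip in observed.items() if mac.lower() not in known}

def missing_devices(authorized, observed):
    """Registered devices that were not seen: a stale register or a missing asset."""
    seen = {mac.lower() for mac in observed}
    return sorted(name for mac, name in authorized.items() if mac.lower() not in seen)

# --- CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs --------------
# Constructed lines in the shape of forwarded Windows logon events:
# 4625 is a failed logon, 4624 a successful one.
SAMPLE_LOG = """\
2024-03-04T08:00:01 DC01 4625 user=jsmith src=10.0.5.77
2024-03-04T08:00:02 DC01 4625 user=jsmith src=10.0.5.77
2024-03-04T08:00:03 DC01 4625 user=mjones src=10.0.5.77
2024-03-04T08:00:04 DC01 4625 user=admin src=10.0.5.77
2024-03-04T08:00:05 DC01 4625 user=admin src=10.0.5.77
2024-03-04T08:00:06 DC01 4624 user=admin src=10.0.5.77
2024-03-04T09:15:00 DC01 4625 user=akhan src=10.0.5.22
2024-03-04T09:16:00 DC01 4624 user=akhan src=10.0.5.22
"""

def failed_logon_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source addresses with >= threshold failed logons inside a sliding window.
    Failures are counted per source across all target users, which catches
    password spraying as well as brute force against one account; the result
    also records whether a successful logon followed from the same source."""
    events = defaultdict(list)  # src -> [(timestamp, event_id, user)]
    for line in log_text.splitlines():
        ts, _host, event_id, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events[kv["src"]].append((datetime.fromisoformat(ts), event_id, kv["user"]))
    alerts = {}
    for src, evs in events.items():
        failures = sorted(t for t, eid, _ in evs if eid == "4625")
        for i, start in enumerate(failures):
            count = sum(1 for t in failures[i:] if t - start <= window)
            if count >= threshold:
                alerts[src] = {
                    "failures": count,
                    "users": sorted({u for _, eid, u in evs if eid == "4625"}),
                    "success_after": any(eid == "4624" and t > start for t, eid, _ in evs),
                }
                break
    return alerts

# --- CSC 16: Account Monitoring and Control -----------------------------------
# Constructed directory export: account -> (enabled, last logon or None).
ACCOUNTS = {
    "jsmith": (True, datetime(2024, 3, 1)),
    "mjones": (True, datetime(2023, 11, 2)),   # idle for months
    "contractor": (True, None),                 # provisioned, never used
    "oldadmin": (False, datetime(2022, 1, 1)),  # already disabled
}
AS_OF = datetime(2024, 3, 4)

def inactive_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no logon in max_idle_days. Never-used accounts
    count as inactive: a valid account nobody uses is exactly the foothold
    the control warns about."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(name for name, (enabled, last) in accounts.items()
                  if enabled and (last is None or last < cutoff))

if __name__ == "__main__":
    print("unauthorized devices:", unauthorized_devices(AUTHORIZED_DEVICES, OBSERVED_DEVICES))
    print("registered but not seen:", missing_devices(AUTHORIZED_DEVICES, OBSERVED_DEVICES))
    print("failed-logon bursts:", failed_logon_bursts(SAMPLE_LOG))
    print("inactive accounts:", inactive_accounts(ACCOUNTS, AS_OF))
```

Run as written, the script reports one unregistered device at 10.0.5.77, one registered server that was not seen, a burst of five failed logons from 10.0.5.77 against three different users followed by a success (the shape of a password spray that worked), and two enabled accounts that should be disabled. In production the constructed inputs would be replaced by an export from the asset system, the log collector and the directory, and the counts would feed the metrics the board and committee track.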
It is worth noting that independent penetration testing and red team exercises come last on this list of 20 CSCs, not because they matter least but because they validate the controls that precede them; a tester who finds unpatched systems or forgotten accounts is reporting what the earlier controls should already have caught. Ensuring even the first five of these controls are in place will measurably reduce the chance of a successful attack against your organization. The controls described here are version 5, and further revisions will follow as technology and cyber-security continue to evolve.
Checking to see how many of these CSCs are implemented at your credit union will give you an idea of the level of security in place and where improvements can be made to keep your members and their information well protected.
About The Author
Kian Moshirzadeh has been in banking since 1988 and joined TWHC in 1993 where he started his career as a credit union auditor. Since that time, he has worked with hundreds of credit unions helping them with audits and consulting engagements. Today, Moshirzadeh is the managing partner of TWHC and continues to work with credit unions and financial institutions exclusively.
About Turner, Warren, Hwang Conrad AC
Turner, Warren, Hwang Conrad AC is a service-oriented tax, accounting, and business consulting firm headquartered in Burbank, CA. Individuals, small businesses, credit unions, and financial institutions choose us for their tax preparation, audit, and financial consulting needs because of the dedicated personal service they receive. Learn more at www.twhc.com.