There’s nothing wrong with the technology available to secure today’s credit union against cyberattacks and inside jobs. People are the problem, and the people in charge need to be watching both people and processes.
Even the National Security Agency fell prey to that conundrum, when contractor Edward Snowden made off with thousands of classified documents that were then laid bare for all the world to see.
Chris Inglis, a former deputy director at the NSA, was there when it happened. Now a professor of cybersecurity studies at the U.S. Naval Academy, Inglis told security professionals gathered at the CU Info Security 2016 Conference in New Orleans, LA, earlier this month that the signs were there.
Conference attendees came from credit unions across the country and from vendors offering services ranging from credential management and anti-virus protection to artificial intelligence intended to predict attacks before they happen.
Inglis said nothing transactional that Snowden did in the months leading up to the massive leaks raised any red flags, but there were approximately a dozen instances where Snowden’s behavior should have tipped off the spy shop that something was wrong.
Inglis, who’s now board chairman of Securonix and the National Cryptologic Museum Foundation, said one big lesson learned is the need for improved capabilities in areas such as context-based monitoring, advanced behavior anomaly detection, and analysis-driven investigation.
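The distinction Inglis draws, between transactional checks that pass and behavioral signals that should have fired, is easiest to see in code. The following is an added example, not anything Inglis or Securonix presented: it runs a per-user behavioral baseline (daily access volume and working-hours pattern) over a constructed access log in which every single event is authorized, so a transactional rule would stay silent. User names, the 20-day history and the day-21 spike are all constructed.

```python
"""Per-user behavioral baseline over a constructed access log.

Every event is an authorized access, so a transactional rule
("is this user allowed to read this resource?") passes all of them.
The baseline check instead asks whether today looks like this user's
own history, in volume and in time of day.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: user, day number, hour of day, resource tag.
def build_events():
    events = []
    for day in range(1, 21):                       # 20 days of history
        for i in range(8 + (day % 3) - 1):         # alice: 7-9 docs/day, business hours
            events.append(("alice", day, 9 + i, "finance"))
        for i in range(5):                         # bob: 5 docs/day, business hours
            events.append(("bob", day, 10 + i, "hr"))
    # Day 21: bob is unchanged; alice pulls 60 documents, 40 of them overnight.
    for i in range(5):
        events.append(("bob", 21, 10 + i, "hr"))
    for i in range(20):
        events.append(("alice", 21, 9 + (i % 8), "finance"))
    for i in range(40):
        events.append(("alice", 21, i % 6, "finance"))   # 00:00-05:00
    return events

def daily_counts(events):
    """user -> day -> number of accesses."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, _hour, _tag in events:
        counts[user][day] += 1
    return counts

def off_hours_fraction(events, user, day, start=8, end=18):
    """Share of a user's accesses on a given day that fall outside start..end."""
    hours = [h for u, d, h, _ in events if u == user and d == day]
    if not hours:
        return 0.0
    return sum(1 for h in hours if not start <= h < end) / len(hours)

def score_day(events, user, day, baseline_days,
              z_threshold=3.0, off_hours_max=0.25, sigma_floor=1.0):
    """Compare one user's day against that user's own baseline.

    sigma_floor stops a very flat history (near-zero variance) from turning
    every small change into an enormous z-score; it is an assumed tuning value.
    """
    counts = daily_counts(events)
    history = [counts[user].get(d, 0) for d in baseline_days]
    mu = mean(history)
    sigma = max(pstdev(history), sigma_floor)
    today = counts[user].get(day, 0)
    z = (today - mu) / sigma
    off = off_hours_fraction(events, user, day)
    flags = []
    if z >= z_threshold:
        flags.append(f"volume z={z:.1f} (today {today}, baseline mean {mu:.1f})")
    if off > off_hours_max:
        flags.append(f"off-hours fraction {off:.2f}")
    return {"user": user, "day": day, "count": today, "z": z,
            "off_hours": off, "flags": flags}

def detect(events, day, baseline_days):
    """Score every user seen in the log for one day; flagged users first."""
    users = sorted({u for u, *_ in events})
    results = [score_day(events, u, day, baseline_days) for u in users]
    return sorted(results, key=lambda r: len(r["flags"]), reverse=True)

if __name__ == "__main__":
    for r in detect(build_events(), day=21, baseline_days=range(1, 21)):
        status = "FLAG" if r["flags"] else "ok"
        print(f"{status:4} {r['user']:6} count={r['count']:3} "
              f"z={r['z']:6.1f} off_hours={r['off_hours']:.2f} {r['flags']}")
```

Two design points matter in practice: the baseline is per user (alice is compared with alice, not with the department average), and the two signals are independent, so an investigator can see whether it was the volume, the timing, or both that tripped the alert. Neither signal looks at whether the access was permitted, which is exactly the gap Inglis describes.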
Inglis, a longtime member of Navy Federal Credit Union ($75.2B, Merrifield, VA) and credit union advocate — “You’re doing God’s work,” he told his conference audience — also listed four emergent realities that now help form the challenges facing cybersecurity professionals:
Global enterprises that have resulted in a new geography dependent on cyberspace.
A new “social map” that sees people now organizing around ideology as much as geography. He pointed to the Orlando massacre as an example.
The internet helping to shine a bright light on continued disparities in the world, including in wealth, political influence, and even perceived respect.
The geo-political implications of cyber warfare. Inglis used the takedown of Ukraine’s electrical grid in December 2015 as an example. (Here’s a great explanation of the attack. It’s both fascinating and alarming.)
Inglis said he recognized that credit unions have limited resources, but still need to ask themselves, “Have I made our systems defensible given the resources available to me? Have I actually defended it?”
Credit unions must have a disaster recovery plan and they must practice it, Inglis said. Make it muscle memory, he said, adding that while a credit union can’t know the path of every attack, it can know its own infrastructure, and its people, better than does the enemy without.
Phishing For Whales
Spear-phishing relies on tricking people inside an organization into opening the gates for cyberattacks. Aiming for the people at the top was the topic of another well-known presenter at CU InfoSecurity’s two-day conference. Stu Sjouwerman, CEO of KnowBe4, described how highly organized cyber criminals are employing increasingly sophisticated scams.
That includes phishing attacks aimed at “whales” such as CEOs and other top managers with access to Treasury wires and similarly rich targets, often using highly personalized messages that can make the missives seem legitimate even to the wariest.
Another major concern is ransomware, which Sjouwerman said often sails through all defenses undetected. While the technology behind ransomware is 20 years old, the cyber-criminal group Cryptolocker raised the stakes in 2013 by turning the attacks into a profitable business. Since then more competitors have emerged, driving the creation and deployment of industrial-strength ransomware.
Sjouwerman, who dismissed anti-virus software in derisive terms, said there’s no way to fully protect against ransomware but that an organization can make itself a much harder target with “defense in depth” strategies.
That means having policies, procedures, and awareness about and around devices, internal networks, hosts, applications, and data. Sjouwerman advised testing the defenses by sending a simulated phishing attack and then:
See what percentage of employees respond.
Educate and train.
Rinse and repeat once a month.
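The measure-train-repeat loop above only pays off if each monthly round is scored the same way and the results are compared over time. The following is an added example, not KnowBe4's tooling or anything Sjouwerman showed: it scores three constructed monthly simulation rounds, reports the click percentage over messages actually delivered, builds the training queue for each round, and picks out the repeat clickers who need more than the standard refresher. The employee names, departments and results are all constructed.

```python
"""Scoring monthly phishing-simulation rounds (constructed data).

Each round records who was sent the simulated message, who clicked,
and who reported it. Percentages use the delivered set as the
denominator so that a bounced message is not counted as a success.
"""
from collections import Counter

# Constructed roster and three constructed monthly rounds.
STAFF = {"ann": "lending", "ben": "lending", "cat": "ops", "dan": "ops",
         "eve": "it", "fay": "it", "gus": "branch", "hal": "branch",
         "ivy": "exec", "jon": "exec"}

ROUNDS = {
    "2016-04": {"delivered": set(STAFF), "clicked": {"ann", "ben", "cat", "dan"},
                "reported": {"eve", "fay"}},
    "2016-05": {"delivered": set(STAFF), "clicked": {"ann", "dan"},
                "reported": {"eve", "fay", "gus", "cat"}},
    "2016-06": {"delivered": set(STAFF) - {"hal"},            # hal was on leave
                "clicked": {"ann"},
                "reported": {"eve", "fay", "gus", "cat", "ben", "dan"}},
}

def validate(rounds):
    """Clicks and reports must come from people who actually got the message."""
    for month, r in rounds.items():
        if not r["clicked"] <= r["delivered"]:
            raise ValueError(f"{month}: click from non-recipient")
        if not r["reported"] <= r["delivered"]:
            raise ValueError(f"{month}: report from non-recipient")

def click_pct(rounds, month):
    """Step 1: what percentage of recipients responded to the lure."""
    r = rounds[month]
    return round(100.0 * len(r["clicked"]) / len(r["delivered"]), 1)

def report_pct(rounds, month):
    """Share of recipients who reported the message, the behaviour we want."""
    r = rounds[month]
    return round(100.0 * len(r["reported"]) / len(r["delivered"]), 1)

def training_queue(rounds, month):
    """Step 2: everyone who clicked this round gets the refresher."""
    return sorted(rounds[month]["clicked"])

def repeat_clickers(rounds, min_rounds=2):
    """People who clicked in at least min_rounds rounds need more than a refresher."""
    hits = Counter(u for r in rounds.values() for u in r["clicked"])
    return sorted(u for u, n in hits.items() if n >= min_rounds)

def dept_click_pct(rounds, month, staff):
    """Click percentage per department, to see where awareness work is needed."""
    r = rounds[month]
    out = {}
    for dept in sorted(set(staff.values())):
        got = [u for u in r["delivered"] if staff[u] == dept]
        if got:
            hit = [u for u in got if u in r["clicked"]]
            out[dept] = round(100.0 * len(hit) / len(got), 1)
    return out

def trend(rounds):
    """Step 3: the month-over-month series the repeat loop is meant to drive down."""
    return [(m, click_pct(rounds, m), report_pct(rounds, m)) for m in sorted(rounds)]

if __name__ == "__main__":
    validate(ROUNDS)
    for month, clicks, reports in trend(ROUNDS):
        print(f"{month}: clicked {clicks:5.1f}%  reported {reports:5.1f}%  "
              f"train={training_queue(ROUNDS, month)}")
    print("repeat clickers:", repeat_clickers(ROUNDS))
    print("by department, latest round:", dept_click_pct(ROUNDS, "2016-06", STAFF))
```

The report percentage is tracked alongside the click percentage on purpose: a falling click rate with a flat report rate means people are ignoring the lure, while a rising report rate means they are actively feeding the security team, which is the outcome the monthly cycle is meant to produce.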
On top of that, Sjouwerman said, “put in a military-grade backup recovery plan.”