The “Internet of Things” to most folks is the “Internet of Targets” to hackers, who at any time could produce a “resume-producing event” for those in charge of security at their credit union.
That combines two observations from the second day of the CU InfoSecurity Conference in Las Vegas, one from a speaker, the other from an attendee.
The “Internet of Targets” comment came from David Trepp, president and CEO of Info@Risk, a security assessment firm based in Eugene, OR. The “resume-producing event” notion was from David Margolis, network administrator at Tennessee Valley Federal Credit Union ($1.1B, Chattanooga, TN).
Margolis was responding to a comment from an earlier speaker who noted that the chances of a credit union actually suffering a security breach that causes serious reputational or financial loss are pretty slim.
“I get the idea that the chances are pretty great that you could go your whole career and not experience something like that,” Margolis says. “But if you do, just that one time, that could be your RPE (resume-producing event).”
Trepp, meanwhile, spoke in detail about system configurations that could help thwart attacks that might lead to such a job search.
One key point: Don’t expect long, strong passwords to be the end-all, be-all to locking the cyber doors. “People think these brute force attackers won’t get through if you’re using 10-character passwords, but nowadays, you need to know,” Trepp told his audience of about 75 credit union and security vendor representatives, “that there are hackers now using software that tries a billion password combinations a second. A second. How long do you think before they find yours?”
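As an added illustration of Trepp's arithmetic (this calculator is not from the article or the speaker), the script below works out how long an exhaustive search takes at his billion-guesses-per-second figure. The character-set sizes and the slower 10,000-per-second rate are constructed assumptions; the point it shows is that a 10-character password's lifetime depends on the character set it draws from, and that the hashing cost a defender controls matters as much as length.

```python
# Worst-case exhaustive-search time for passwords of a given length.
# Added example; the only figure taken from the talk is the guess rate.

GUESSES_PER_SECOND = 1_000_000_000  # Trepp's "a billion combinations a second"
SECONDS_PER_YEAR = 31_557_600       # 365.25 days

# Alphabet sizes a password policy can require (standard ASCII counts).
CHARSETS = {
    "lowercase only": 26,
    "lower + digits": 36,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds to try every password of this length at `rate` guesses/second.

    This is an upper bound: dictionary and rule-based attacks find
    human-chosen passwords far sooner than a full sweep would.
    """
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def minimum_length_for(alphabet_size: int, target_years: float,
                       rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest length whose exhaustive search takes at least `target_years`."""
    target_guesses = target_years * SECONDS_PER_YEAR * rate
    length = 1
    while keyspace(alphabet_size, length) < target_guesses:
        length += 1
    return length


if __name__ == "__main__":
    for label, size in CHARSETS.items():
        print(f"{label:>20}: 10 chars last {human_duration(worst_case_seconds(size, 10))}; "
              f"{minimum_length_for(size, 100)} chars needed for 100 years")
    # Assumed slow-hash rate (e.g. a deliberately costly password hash): same
    # 10 lowercase characters now take centuries instead of under two days.
    print("10 lowercase at 10,000/s:", human_duration(worst_case_seconds(26, 10, 10_000)))
```

Comparing the first and last lines of output is the practical lesson: the same password lasts under two days or several centuries depending only on how fast the defender lets guesses be checked.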
And please patch punctually. Apparently many don’t. Trepp says that, according to research by security vendor Venafi, 85% of 1,642 surveyed Global 2000 organizations still have unpatched servers a year after the notorious Heartbleed bug was discovered.
Trepp then asked his audience how many of them had fixed another specific vulnerability in their network systems. One hand went up.
Trepp recommends insisting that vendors document full disclosure of all accounts they’ll be accessing, as well as the related minimum credential requirements and privilege levels.
He also has this advice when it comes to contract time: “Use ‘shall’ verbiage when you’re talking about due diligence and due care. Don’t let them use words like ‘best effort,’ ‘goal’, and ‘target.’ I hate to see that crap. I’m no lawyer, but those words mean zero in court. ‘Shall’ is enforceable.”
Meanwhile, as securely as things can be tied down inside the shop, there are still the members out there, many of whom could be using older browsers that are poorly protected and vulnerable to attacks that could compromise the online banking protections.
Orphaning those browsers may cut off access for some, but they’ll just need to upgrade. “You really need to tell them they have to be ‘this high to ride this ride,’” Trepp says.
Conference attendee Steven Ramirez, IT network manager at CBC Federal Credit Union ($414M, Oxnard, CA), experiences that balancing act every day.
Ramirez also says he has to weigh the benefits of running applications in-house against getting outside help. “We’re very leery about member data getting outside our network, but we have to weigh that against the economies of scale that vendors can bring. They often have the personnel and data bandwidth that we don’t have.”
He adds that “configuration management is a particular pain point for me, because you can’t really just use the default settings and expect that to be enough. And once the cow’s out of the barn, it’s too late to rein things back in.”