Today’s blog comes courtesy of Robbie Wright, founder of CU Innovators, helping credit unions and CUSOs innovate and execute.
Danger, Will Robinson!
By: Robbie Wright
Corporate espionage and international cyber-wars sound like themes from the next John Grisham book, but these trends are becoming more and more commonplace as the perceived value of data stored on the Internet increases exponentially. In December, Google detected an incredibly sophisticated attack on their infrastructure and a number of other web companies that could have a dramatic impact on credit unions.
In these particular attacks, Google discovered that the hackers had been targeting assets of human rights activists. These assets included their Google Mail, or Gmail, account, email accounts at Yahoo, and other miscellaneous information from a variety of companies, including a few financial institutions. What makes these attacks slightly different is the broad spectrum of techniques that were employed to gain access to the data.
The techniques that were used to gain access to sensitive information are capable of bypassing many of the security mechanisms credit unions have in place both for internal controls and external access to member information. As is commonplace in many technology attacks, they begin with social engineering and capturing passwords.
In social engineering, an adversary attempts to gain privileged information from a target without the target realizing they have divulged anything of value. A common technique used by security audit firms, and bad guys alike, is to pretend to be a service representative sent by “IT” to perform maintenance on a server or computer at a branch. They may know the name of the Vice President or Director of IT, gleaned from LinkedIn, which would lend them credibility to a teller. In the case of this attack, they went after the social networking sites, email accounts, and instant messaging accounts of the friends of employees at companies who had access to privileged information. The hackers would then impersonate the friends of those employed at the target companies, hoping to increase their chances of success by getting the employees to click on a link to a malicious website.
In addition to the social engineering aspects of the attack, a previously unknown vulnerability in Microsoft’s Internet Explorer was also exploited. This bug enabled the hackers to run their malicious software on the victims’ computers, capturing passwords, emails, and other sensitive information.
While this attack does not represent an immediate threat to credit unions directly, the techniques that were employed during the hack should alarm every credit union IT manager, auditor, and security firm in the industry. Most credit union employees already know that strong passwords are a must. Recently, Twitter, the micro-blogging service, was the victim of an online attack which was enabled by weak password policies within the organization, security oversight on the part of some employees, and weaknesses in personal email accounts. It is vitally important that credit union staff have secure passwords. Those passwords need not be impossible to remember simply in the name of security.
These attacks did teach us valuable lessons that we can use to improve the security of our credit unions:
• Never underestimate the lengths of which someone is willing to go to gain access to sensitive information. Make yourself an undesirable target by having a thoroughly designed and tested security plan.
• All of the technology solutions in the world won’t be able to stop someone who has gained access to a user’s password. Enforce strong, but not impossible to remember, passwords on all systems in the credit union.
• Social engineering can and mostly likely will happen to all credit unions at some point. The only prevention against social engineering is education.
• Encourage your employees to maintain a security-conscious mindset at home, both physically and electronically.