Are You Vulnerable to Hacking?
Monday, January 23, 2017 6:40 AM

Michael Salyer, IT Analyst, Credit Union Resources

Hacking has come into the limelight again. The CIA, FBI, and the NSA have recently released findings that Russia may have been involved in the hacking of the DNC emails, as well as the emails of Hillary Clinton’s campaign manager John Podesta. The influence this had on the election is far beyond the speculation of this blog post, but it does once again show how anyone can be vulnerable to hacking.

For obvious reasons, financial institutions will always be a high priority target for hackers. The financial reasons are a given, but some of the grey-hat hackers might choose to attack financial institutions not for monetary gains, but to sow chaos.

The hacking mentioned above shows that no institution is safe from hackers. So whether you are a $10-million credit union or a $1-billion-plus credit union, it’s vital that you take the necessary steps to protect your credit union and your members’ assets from hackers in three main ways: strong passwords, a robust firewall, and ongoing social engineering training.

Strong password security is an ongoing battle between users and administrators. If network admins had their way, all passwords would be at least 20 random characters long and would have to be changed on a weekly basis. Most users would prefer never to change their password, which is most likely the name of their favorite child or pet. The ideal balance is something in between.

Good passwords start with scoring four out of four on complexity: an uppercase character, a lowercase character, a number, and a special character. One measure we teach is to use passphrases instead of passwords. Take this phrase: “My network admin does not like me and the feeling is mutual.” If you use the first letters from each word, make every other word capitalized, and change some letters to numbers, you can get this: “MnAdNlM@Tf1m”. This is a password no one could possibly guess, except perhaps your network admin, who doesn’t like you.

Another security measure you should take is having a robust firewall with a built-in intrusion detection/prevention system (IDS/IPS). Before any penetration is attempted on your network, the hacker is most likely to attempt a probe on your system. A firewall is the first device that sees incoming data from the Internet.

Like a security guard posted at your credit union entrance, a firewall receives, inspects, and makes decisions about all incoming and outgoing data. But a firewall is not a “set and forget” device. Not only does it require constant monitoring (including automated alerts), but proper patching is vital. Hackers are always looking for new loopholes to exploit, so if your firmware is out of date, you could be vulnerable to attacks.

Finally, we get to social engineering. This is defined as a non-technical way to breach your security. Social engineering is just another form of ID theft, in which the hacker will try to gain access to a user’s full name, date of birth, SSN, account number, etc. Account numbers are especially attractive to hackers, since many online banking platforms require members to use this as their login ID.

Some of the more common types of social engineering, and perhaps the best known, are phishing techniques, usually done through email. As a rule, never click on a link in an email that you aren’t 100 percent sure about—especially ones asking you to log into something.

A good rule of thumb, if you aren’t sure, is to hover your cursor over the link. At the bottom of your browser it will show you the actual location you’ll be directed to. In addition, always report suspicious emails to your IT personnel.

Another method of social engineering would be someone attempting to infiltrate your branch disguised as someone else. This could be someone dressed as a technician or someone in authority (policeman, fireman, etc.). No matter who it is, always check for an ID, and then check with your management to ensure this person has authorized entry.

These three measures are by no means all you need to do to protect yourself and your members’ data, but they are a good start. Your IT personnel and/or your security officer should keep up to speed on current and trending threats. However, it’s not their job alone. Every credit union employee must use common sense and situational awareness to keep your assets safe.

______________________________________________________

Assess Your Systems and Manage Your Risk

As technology changes, every credit union faces new security issues. Let Credit Union Resources help you stay on top of it—your future could depend on it. Our team of technology professionals provides guidance on compliance, shares best practices, and performs audits. We have a vested interest in your success, and your cybersecurity matters to us. To find out how we can help you manage cybersecurity and operational risks, contact:

Idrees Rafiq
469-385-6799
800-442-5762, ext. 6799
irafiq@curesources.coop

Deanna Brown
469-385-6464
800-442-5762, ext. 6464
dbrown@curesources.coop

About Credit Union Resources Inc.
Credit Union Resources is a service corporation that provides industry-leading solutions and expertise to credit unions across the country. Credit Union Resources is a part of the Cornerstone Credit Union League, a regional trade association representing the interests of credit unions in Arkansas, Oklahoma, and Texas.