I’m a firm believer that, for far too long, we’ve put our focus on protecting our network perimeter, with thoughts of trying to keep “the bad guys” from getting in, rather than focusing on the security of our people and our data, and keeping the sensitive information from getting out. Broken? Backwards? Upside down? Your call, but fixing this is a major paradigm shift in thinking and organization culture.

So, you ask, how do we fix it? Let me outline the top 3 most important steps to paving the way for a security model repair.

1. Elevate the cyber discussions to board level. The financial, operational, legal, regulatory, reputational and, therefore, strategic risks around cyber threats are game changers for credit unions, their leaders, their employees, their members, and all their other stakeholders. Executives and boards must be in active discussion and seeking the proper security awareness and education.
2. Fix the broken training model and start providing employees engaging and continuous cyber awareness training. Most existing cyber awareness training programs are severely lacking. First, nobody gets excited about 60 to 90 minute module based training followed by a quiz. Secondly, annual or quarterly training could never keep the security awareness top-of-mind enough to gain the required behavior modification required of employees in order to foil emerging threats. That would be similar to showing a 7 year old student multiplication flash cards once a quarter and expecting them to have quick recall of the answers. Just not going to happen. Effective training must be served up in continuous, short bursts that utilize some level of gamification to keep employees engaged and in active discussion. With research showing that greater than 90% of breaches occur because of user targeted phishing (or similar) attacks, this is a serious issue.
3. Protect the DATA! Make sure the data is encrypted. We must assume that a breach has already occurred and a user, or the network, has been compromised. Not if, but when, it does happen, will the data be easily obtained and exfiltrated? Granular encryption of data both at rest and in motion should be a baseline requirement.

Don’t let the pressure of security related guidance coming from all directions create confusion and stall your progress.

As our team at CUdefender works with credit unions nationwide, we are assisting and guiding them in exactly how to accomplish the above steps in the most affordable way. Our engaging cyber awareness and training program is showing highly effective results. Please reach out for more information.

CUdefender can be contacted at 1-888-632-4339 or by visiting http://www.cudefender.com

Rob Harbin is CEO and Cyber Security Evangelist for CUdefender, LLC., a credit union cyber security company. His LinkedIn profile can be viewed at www.linkedin.com/in/robharbin. Email him at rharbin@cudefender.com and follow CUdefender on Twitter at www.twitter.com/CUdefender and Facebook at www.facebook.com/CUdefender

The post Security is Broken, Backwards, and Upside Down appeared first on CUdefender.

CEOs, don’t believe it for a minute and surely don’t advise this approach to your board! Security checklists won’t save you.

Your credit union risk environment is an ever-changing landscape that’s highly incompatible with a checklist style “set it and forget it” approach. The only safe and advisable method of risk management is one that evolves and adapts to cover inevitable changes in your organization.

CEOs, you must lead in these important security focused matters.  The financial, operational, legal, regulatory, reputational and, therefore, strategic risks are game changers for credit unions, their leaders, their employees, their members, and all their other stakeholders.

Credit unions need to radically rethink cyber security as a tightly integrated and holistic part of their risk management program and daily operational activities. Your information assets are changing. Your threats are changing. Your vulnerabilities are changing. The controls available to you to deploy are changing.  The only way you are going to stay on top of this constantly changing collection of ingredients in the risk equation is to establish, operationalize, and mature your information risk management program.

Some key points to remember as you consider your next steps:

1. Heed the lessons from JPMorgan, Target, Home Depot, etc.  Do your research and learn from their mistakes.
2. Listen to your gut.  You create, receive, and maintain sensitive member data!  Stop fretting over the semantics of PCI, FFIEC guidance, etc.  It’s all sensitive. This data constitutes “information assets” that need to be safeguarded. Make sure it’s getting done!
3. Know your threats and weaknesses.  Risk analysis and the identification of real and applicable vulnerabilities is the place to start and, done properly, will produce a prioritized list of exposures for your credit union.
4. It’s easier than you may think.  Security is complex and the tasks required to get your environment “up to snuff” may seem daunting but, trust me, huge steps forward can be taken without huge costs or time commitments. It’s knowing what items can achieve the greatest impact and executing on those items first.
5. CUdefender has guidance and solutions that meet many security needs and we are here to help you.

NCUA has prioritized cyber security as a top item for the 2015 year. But don’t do security right for the NCUA, do it because it’s the right thing to do for your credit union and its members.

CUdefender can be contacted at 1-888-632-4339 or by visiting http://www.cudefender.com

The post CU CEOs: Security Checklists Won’t Save You appeared first on CUdefender.

Cyber attacks, like last November’s hack of Sony Pictures, have motivated many to increase focus on external threats and begin having more discussions around real world cyber threats and overall preparedness.

Credit unions, like many other companies, have business units that submit regular requests to buy new cloud apps, the most popular being file-sharing services like Box, Dropbox, and Evernote. With most credit union infrastructure being built as fragmented layers of add-ons, over a period of many years, the security methods used to protect the legacy network and applications, as well as these new cloud applications, is severely lacking.

2015 is the year that credit unions must reinvent their security model to be more holistic and ready to face the sophistication of emerging threats. This doesn’t have to be a complete rip-out and replace initiative, and it can be accomplished much easier that most believe. Our team at CUdefender speaks regularly with credit union executives and boards who don’t realize some of the quick and cost effective steps they can take to have an immediate positive impact on their security posture.

The long-standing issue of security having a proper seat at the executive table should no longer be a problem. Now it needs another lift upwards to the board. Hopefully credit unions will have foresight to make cyber topics a substantial part of their 2015 board and strategic planning meetings.

Credit unions looking for security planning assistance or cyber threat protection can contact CUdefender at 1-888-632-4339 or visit http://www.cudefender.com for additional information.

The post Cyber Security Needs Board Level Visibility appeared first on CUdefender.

Firstly, if you’re reading this as a CUdefender customer using our security services, you are already protected. But, there is still some information you may still like to know.

What is POODLE?

“POODLE,” an acronym for a serious security flaw in a specific version (version 3.0) of Secure Sockets Layer (SSL), the technology that most web sites use to protect the privacy and security of communications with customers.

What systems could be affected?

Any web browser accessible system supporting SSL 3.0 and certain versions of TLS.

What are the security consequences?

POODLE can potentially lead to exposure of personal data such as email addresses, passwords, and credit card numbers—the very things SSL was designed to protect. Basically, any data sent of a vulnerable encrypted connection could be at risk.

How can our credit union protect against POODLE?

According to an advisory from the U.S. Computer Emergency Readiness Team (US-CERT), a partnership run in conjunction with the U.S. Department of Homeland Security, although there is currently no fix for the vulnerability SSL 3.0 itself, disabling SSL 3.0 support in Web applications is the most viable solution currently available. US-CERT notes that some of the same researchers who discovered the Poodle vulnerability also developed a fix for the TLS-related issues.

Non-CUdefender users:

1. Scan your web endpoints using a good SSL/TLS scanning tool to determine vulnerable systems (many free scanning tools exist).
2. Disable SSL 3.0 on any web exposed system including websites, webmail, remote access gateways, online account opening tools, etc.

CUdefender users:

1. CUdefender has immediately removed support for POODLE-vulnerable CBC ciphers. CUdefender customers are not susceptible to the POODLE vulnerability for protected endpoints.

For more information on how CUdefender can protect your credit union, please visit http://www.cudefender.com or contact us now at 888-632-4339.

The post POODLE Returns – Credit Unions Exposed appeared first on CUdefender.

According to a recent article issued by the FBI, we have reached the point that given enough time, motivation, and funding, a determined adversary will likely be able to penetrate any system connected to the Internet. While that may be true, with the right tools, processes, monitoring, and most importantly, awareness and training, I believe we can minimize the risk and make for a very hard target.

It never ceases to amaze me how credit unions will spend vast amounts of money on technology solutions in order to create a better security posture, but many times forget that it’s the old go-to, tried and true, social engineering threats against employees and members that are easiest for hackers to exploit.

Old Threats Made New Again

Phishing, smishing, and vishing are not new threats, as they’ve been around for many years, but it is the way that cyber attackers are adapting these old threats to conduct their attacks that have changed.

1. Phishing. Phishing is a form of attack where a hacker attempts to lure unsuspecting consumers or employees to click a malicious link in order to infect the system with a trojan or malware. Many times the malware is in the form of a key logger, which is capable of stealing anything the user types including corporate credentials, account information, or other sensitive passwords.

According to security firm RSA in their September 2014 report, these phishing attacks against credit unions have more than doubled and are highly clever in their ability to fool not only the user clicking the link but the corporate systems and controls designed to stop them.

Many phishing attacks are slowly moving away from email, as corporate email systems have gotten much better at blocking spam, and on to new social platforms such as Facebook, Twitter, and LinkedIn. Users of social networks have an uncanny amount of trust in posted links to articles and videos and will click without much hesitation. Credit unions without a robust Social Risk Management solution, to monitor and alert when executive or employee accounts are targeted, are at high risk of fraud via social phishing.

2. Smishing. Smishing, or SMS phishing, sends a text message to a mobile phone in an attempt to get its user to divulge personal information. Smishing is becoming more attractive and having higher success rates for attackers because consumers and employees are not as conditioned to receiving spam on their mobile phones and are more likely to believe the communication is legitimate.

Smishing, like phishing, continues to be a growing problem for credit unions.
The two most common types of smishing attacks are:

1. A person receives a text message that directs them to call a phone number to confirm personal or account information.
2. A person receives a text message that directs them to visit a website to confirm information, but is actually being infected with a malicious trojan or malware designed to steal information such as passwords.

3. Vishing. Vishing, or phone phishing, is the practice of using the telephone system to illegally obtain personal and financial information. Vishing exploits an individuals trust in telephone services, as the victim is often unaware that fraudsters can use methods like caller ID spoofing and other automated systems to commit this type of scam.

What can we do about it?

The most important step for credit unions in mitigating phishing, smishing, and vishing risks is building more awareness. Awareness and education needs to be consistently presented and available for members, employees, executive teams, and credit union board directors. There are many reasons that attackers continue to evolve their tactics, and one of the key factors is increased awareness among their intended victims.

Remember to remind members and employees of the following tips:

• Never open an attachment or click a link in an email or social network feed from someone you do not know. It most likely contains a trojan or other form of malware designed to steal your information.
• Never provide personal or financial information via email or over the phone. Credit unions and banks will never request you confirm this information through email, text message, or over the phone.
• Always know who you are dealing with online, especially when it comes to your personal information. Just because an email looks valid or a pre-recorded phone message says it is the bank doesn’t mean it is legitimate.
• Guard your privacy and limit the amount of personal information you share online. Professional attackers will find and use all available information, including social network profiles which often contain highly personal life details, against their victims.
• Check your bank and credit card statements regularly looking for suspicious transactions.

While the tactics and methods that fraudsters use continue to evolve and adapt, many of the core methods continue to revolve around basic phishing, smishing, and vishing tactics. In addition to implementing professional credit union cyber security tools, credit unions need to continue to build awareness and disseminate frequent educational security tips to keep evolving attack methods top-of-mind.

Got comments or questions? Did I miss something? Email me at rharbin@cudefender.com

The post Credit Union Security – Ain’t that some ish? appeared first on CUdefender.

51% of CEOs surveyed said their company experiences cyber attacks hourly or daily

60% of employees circumvent security features on their mobile devices

It doesn’t take qualified research or a fancy publication in a trade journal for us all to agree that: Every employee in your credit union is a potential penetration point for your network, systems, and your data. Getting rid of all the employees doesn’t seem like a popular risk mitigation option, so we’re left with education and behavior modification.

Assess, Train, Monitor, Repeat

The foundation of any good information security or data protection program is the component of security awareness and training. At CUdefender, we are strong advocates for making credit union employees aware that threats exist but also teaching them how to recognize threats and know exactly how to respond to keep data and systems secure.

This four-step approach seems to help employees retain information they are taught and change behaviors over the long term.

1. Assess – It is imperative that credit unions understand the level of risk within their own institution. Simulated attacks and knowledge assessments are great tools for helping accomplish this, but it shouldn’t just be about penetration testing; it should also be about education and motivation for employees. Take this opportunity to provide employees guidance about how they can make better choices in the future. This education is critical to long-term retention. As Art Gilliland, General Manager of Enterprise Security Products at HP, told Kathryn Dill of Forbes Magazine, taking advantage of a teachable moment directly following an action is more effective than a general conversation later. “Educate at that moment,” said Gilliland. “It can be private, but it’s very powerful at the time of failure.”
2. Train – Providing in-depth training as an add-on to specific teachable moments provides employees a better understanding of the potential risks. It’s during this phase that staff gets a sense of how important their actions are to the safety and security of your credit union. It’s critical to think beyond phishing attacks and email and extend training to include the many other channels where attacks may be present such as social networks.
3. Monitor – After employees receive in-depth training, effectiveness must be monitored and measured as this helps to identify your weaknesses and which employees may require additional training. Many credit unions stop after training and don’t take the extra steps to formalize key performance indicators (KPIs) to establish a clear path forward. Where should you be 6 months or a year from now? Having clearly defined goals and publishing the general trend will further serve to keep security top-of-mind and keep staff motivated.
4. Repeat – Cybersecurity threats are ever changing and come in many different forms: phishing, smishing (malicious SMS/Texts), and vishing (classic fake phone calls); social engineering, social network threats, and lost or stolen devices are just some of the issues credit unions are facing. Hackers are fast learning and relentless. Their approaches are becoming more varied and complex. For these reasons, it is critical that we continue to reinforce best practices and teach good behavior. A security awareness and training program that gives you the ability to deliver training with high frequency (bi-monthly) is key to realizing the best possible results.

As with anything, security awareness and training is just a small piece of the puzzle. Following the four-steps outlined above can vastly improve your training program and make for a strong foundation, but be sure to think holistically. At CUdefender, we help protect credit unions from cyber threats by providing guidance as well as a full range of easy to implement tools delivered 100% from the cloud. Feel free to visit our website http://www.cudefender.com or reach out to our team for more information.

The post Four Steps to Improve Security Awareness appeared first on CUdefender.

Credit Unions should use this Cyber Security Awareness Month to help remind and ensure that members are updated with the latest information about online scams, email and social phishing, password complexity, and have an opportunity to refresh skills with their overall online security. Also, Credit Unions that are taking proactive measures to improve security and further protect themselves (CUdefender customers :-), should help better educate members to keep them aware of the importance placed upon security and to provide more peace of mind.

The post Credit Union Cyber Security Awareness appeared first on CUdefender.

The vulnerability, known as Shellshock, will be a serious problem for many Linux, Unix, and Mac OS X users.

In order to protect our Credit Union customers from being affected by Shellshock, CUdefender has proactively updated its Web Application Firewall (WAF) rules to block the vulnerability.

Our implemented security rules work in multiple stages to ensure that Shellshock cannot be exploited on systems protected by CUdefenders’s WAF.

As a best practice, administrators of any systems running Bash should patch their systems as soon as patches for their distributions are available, even if those systems are already protected by CUdefender. Mjor Linux distributions such as Redhat, have already released patches.

Some vendors and third parties have already gone as far as creating simple diagnostic tools which can be run after patching to make sure that the vulnerability is closed and unexploitable on your system.

Technical details for Shellshock and affected versions for this vulnerability can be found in the National Vulnerability Database using the ID #’s CVE-2014-6271 and CVE-2014-7169.

The post CUdefender Protects Credit Unions Against “Shellshock” Vulnerability appeared first on CUdefender.