Security Breaches. Are You Prepared?


Credit Union Digest, 06/01/2006

by Jenny M. Boyle (California and Nevada Credit Union Leagues)

Phishing. Pharming. Spoofing. Intrusions.

You hear any of these threatening words and several more come to mind: security breach, identity theft, loss of reputation, helplessness.

Today, credit unions’ concerns about data security are growing rapidly—and with good reason. Many are grossly under-prepared to prevent or deal with the aftermath of a security breach.

According to the Anti-Phishing Working Group (APWG), a global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming, and email spoofing, financial services continue to be the most targeted industry sector, growing to 90 percent of all attacks in March 2006.

Kevin Prince, chief security officer for Perimeter Internetworking, says the phishing trend is moving from larger financial institutions to smaller ones—particularly credit unions—because they are an easier target.

“Security technology has traditionally been very expensive for many credit unions,” says Prince. “Intrusion detection and prevention, firewalls, anti-virus servers, spam filters, and URL filters were all sold as separate devices and typically required a minimum 50-user license to purchase—something outside a smaller credit union’s budget.”

The cost and types of security technology are improving, and Prince urges credit unions to take action quickly to protect their information. “We have a credit union customer that signed up for our service and in one month was phished 35 times,” he says. “Credit unions don’t believe the impending danger and scope of the threat that exists, but it’s so successful that last year, I read the price of an identity on the black market had actually gone down because it’s so easy to steal information.”

The total number of unique phishing reports submitted to APWG in March 2006 was 18,480—the most reports ever recorded. Though Prince says some recent news suggests phishing attacks have gone down, these numbers obviously tell a different story. The technology to stop them is getting better and cheaper, and credit unions need to act now to put the correct security measures in place.

Phishing, Pharming, and Intrusions

Phishing and pharming tactics direct people to fraudulent websites where they are likely to disclose important information such as names, social security numbers, PINs, and passwords. Phishing uses a lure, most often an email, to get victims to go to the website and give information, while pharming corrupts the domain name lookup itself and in effect redirects anyone who tries to access the legitimate website to a fraudulent one. Prince says pharming is far more difficult to do, but if a hacker succeeds, it is a more effective way to gain mass amounts of information. But whether it’s a phishing or pharming incident, Prince says every credit union has to have a response program in place to get the website shut down as soon as possible.

“The national average for shutting down a fraudulent website is 5.8 days,” he says. “Our program can do it in three hours. If you can get the site down that quickly, your members are going to have a much lower chance of giving out their sensitive information.”

Prince says taking down one of these websites has its challenges. “In 53 percent of cases, the site isn’t hosted in the U.S.,” he explains. “There are time zone barriers, 24/7 problems, and language barriers.”

But even if the site is hosted in the U.S., a take-down may not be any easier or faster.

“Free service providers like MSN and Yahoo can be used as phishing sites,” says Prince. “And because they’re such huge organizations and there’s so much red tape to get through, it can often take longer than shutting down a site based in another country.”

Credit unions face a technical barrier as well when an attack occurs. Unless the credit union gathers enough forensic data about the attack, it will have a difficult time filing an insurance claim or a report with law enforcement. “Most credit unions don’t have the ability to gather this information on their own,” says Prince. His company offers a CD to help correctly gather data in the event of an attack, but Prince says once the information is in the wrong hands, there’s not much anyone can do to get it back.

And if phishing and pharming aren’t bad enough, another tactic being employed by hackers is the use of a Trojan horse, which can be installed on a single computer to gain access to information. Prince gives this example: Someone inside the credit union offices is lured to a false Katrina relief website where she thinks she’s learning how to help the survivors. She doesn’t realize a Trojan horse program is being installed in the background that transfers information out to the hacker and allows him to ride the connection back in, making everything her computer screen sees available to him.

No matter the scheme, prevention is the best answer to security threats.

Threat Management

Prince says one of the best things happening in the security industry right now is the unified threat management (UTM) device—a great choice for credit unions with a close eye on the bottom line.

“It’s not new,” explains Prince, “but it has several different security measures all built into one device, which makes it much more cost-effective.”

Think intrusion prevention and detection, anti-virus software, spam-filtering, and URL filtering all in one source that is constantly monitored and updated to adhere to new compliance rules.

Prince says a big problem with many security companies is that they try to push all the separate services they offer, which can add up and still leave the credit union with less than the best security measures. A personalized risk assessment like the one found at www.riskprofile.org (see sidebar), can help your credit union decide exactly what services are needed to get the most bang for your buck.

“The problem with technology in general,” says Prince, “is that people don’t make use of it fast enough. They don’t have what they need when they need it.”

Perimeter Internetworking has tried to solve this problem with its “in the cloud” approach to IT security and compliance coverage. The subscription-based, pre-integrated security utility allows businesses to connect to the Internet through the company’s security infrastructure and receive the same benefits as a UTM without the integration headache.

The best bet for a credit union looking to manage threats is an all-in-one system—but beware, your network isn’t the only way information thieves get what they want from you and your members.

Social Engineering

Picture this: It’s an all-too-typical day at your credit union. Members travel in and out of the branch making deposits, stopping at the ATM, or filling out a loan application for that new car they’re planning to purchase. You’re busy reviewing the latest quarterly report—deposits are up, it’s great news. You receive a visit from the city fire inspector who says he’s come by to make sure everything is up-to-code and in working condition. He announces he’ll be inspecting the building, and of course, you oblige for the man whom just about everyone regards as a local hero. As he makes his way around, he casually asks the teller who has been escorting him if he can have a cup of coffee to keep him going through the rest of the afternoon. The teller graciously obliges and in a moment returns with a steaming cup. The inspector quickly finishes and goes on his way with virtually no interruption to the normal flow of the work day … or so you think.

What you haven’t realized is the “hero” who just went through every office in your branch has almost effortlessly managed to hack into your credit union server and steal thousands of members’ information. And the worst part is you let him do it.

When you hear the term “security breach,” is the scenario above something that comes to mind? According to Jim Stickly, chief technology officer for Trace Security, it should be. As if the threat of phishing, pharming, and skimming weren’t enough to worry about, some of today’s hackers are reverting to methods of old, says Stickly, whose company, along with offering several security services, specializes in social engineering.

“Hacking today is more difficult,” says Stickly. “The security software that’s out there works really well, so some hackers are finding other ways to get the information.”

Stickly says years ago, before the dawn of the Internet age, social engineering was how just about everyone stole information. A trend is moving back in that direction with the development of increasingly sophisticated security software. And when asked what the biggest security threat to credit unions is right now, Stickly doesn’t hesitate to answer.

“Employees,” he says. “Probably 65 to 70 percent of our business is credit unions and we find that employees are their biggest weakness. Their awareness training is generally not where it should be.”

Trace Security is often hired by credit unions to administer risk assessments. A company employee will dress up as the fire inspector or a pest controller and play out the scene described previously to gather information.

In other tests, a Trace employee will send an email to a credit union employee as though it is coming from another co-worker inside the credit union. The email will generally say something about the creation of a new website and will ask the receiver to log in and “make sure it’s working correctly.” And you know what happens when people visit a fraudulent website and start arbitrarily giving out information.

Then, of course, there’s the dumpster in back of the credit union. Stickly talks about what his company finds in trash bins like it’s a winning lottery ticket—and it is … for hackers. Failing to shred even the smallest Post-it note carrying member information can result in the identity theft of one of your members. The risks these tests expose are shocking.

“We have a success rate of around 95 percent,” says Stickly. “It only takes one employee who does not properly follow policies and we can gain access to everything.”

Now, imagine if the Trace employee you hired to steal your information was a real hacker. If you’re worried, you have a right to be.

“It’s the simple, stupid stuff that’s extremely successful for us,” says Stickly. “Employees hear about the obvious things like phishing, pharming, and skimming, but they don’t hear as much about fake emails or people dressing in uniform to gain access.”

Stickly attributes this to a lack of proper, regular education concerning security threats, along with a fear of being customer-unfriendly. If employees were trained to look for unusual behavior, they would be more likely to question an unusual email, and if they worried a little less about offending a supposed person of authority like our “hero” and more about following company procedures, the real hackers wouldn’t get away with such crimes.

“All the employee has to do is pick up the phone and double-check with the person who sent the email to make sure it’s legit,” he says. Likewise, if a non-employee requests access to the office, that person should be escorted the entire time—regardless of who they appear to be. As for the information in the dumpster, Stickly makes it pretty clear, “Tearing documents into pieces is not good enough.” He says trash receptacles next to the kiosks inside the branch are a goldmine for information because employees often fail to shred those materials before they toss them out with the rest of the trash—and that’s just one example of the treasures hackers find in the garbage.

Now, most credit unions have some type of employee training and policy review, and credit union executives may even understand the importance of enforcing such measures, but Stickly says it’s not happening as often as it needs to be.

“We hear all the time from our customers that they do a massive once-a-year training for employees,” he says. “And then we ask them, ‘What about an employee who starts two days after that training?’ and they say, ‘Well, they get the 20 minute version.’

“Training should happen once a month,” he says. “After we run these tests, we’ll come in and sit down with the entire credit union staff. We’ll show them everything we stole and it makes them understand. It’s a really good way to open someone’s eyes.”

Stickly says employers can continue to educate staff between training sessions by sending out alerts when news of a new scam becomes available. The goal is to ensure that security policies are strictly adhered to, and hopefully, prevent breaches from occurring.

“I don’t envy any of [these employers],” says Stickly. “We have a hard enough time training our own employees, and we’re a security company!”

As for the future of data security, Stickly is cautiously optimistic.

“I think it’s going to get better,” he says. “But there’s always going to be a scam, I don’t think that will ever go away. As long as there have been banks, there have been bank robberies. You just have to know how to protect the information.”

Regulations And Guidelines

NCUA Rules and Regulations § 748 requires each federally-insured credit union to develop a written security program that strives to protect the credit union, its members, and the confidentiality of records. The appendix to that section offers guidelines to make it all happen, but they aren’t much help, say both Prince and Stickly. Currently, there are no clear-cut rules, and when they talk to regulators, they don’t get a common answer.

“We’ve been told by numerous NCUA regulators about what they’re looking for,” says Stickly. “But they’re not on the same page because there’s no official word. They’re saying as long as credit unions have documentation that shows they’re moving in the direction of having strict security procedures, [the examiners] are okay with that.”

Prince has had an interesting perspective with regard to what examiners will look for.

“I’ve trained the NCUA examiners for the last four years,” he says. “They have a committee that tells me exactly what they’d like their examiners to be trained on. I can often tell what these examiners will be looking for when they visit credit unions because it tends to follow whatever I’ve educated them about for that year.”

Prince says this year he spoke a good deal about continuing firewalls, UTM devices, and other intrusion detection and prevention services.

“I know this is going to be a very big push because the cost of intrusion detection and prevention services has come way down,” he says. “I’m already seeing many credit unions sign up for this service.”

Stickly says his company offers assistance to its clients by putting regulations in layman’s terms. “We help them understand what a regulation is, what a guideline is and what they need to meet,” he says. “Credit unions have to have something in place by 2007 and the NCUA and FDIC are bound to come up with something that has real teeth, but right now, it’s really gray.”

SIDEBAR

Some Terms To Know

Domain Name Server (DNS)—a system that stores information associated with domain names in a distributed database on networks, such as the Internet. The DNS associates many types of information with domain names, but most importantly, it provides the IP address associated with the domain name. The DNS makes it possible to attach easy-to-remember domain names (such as “ccul.org”) to hard-to-remember IP addresses (such as 13.29.135.137).

Secure Sockets Layer (SSL)—a protocol for transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data—a public key known to everyone and a private or secret key known only to the recipient of the message.

Social engineering—the practice of obtaining confidential information by manipulation of legitimate users. Social engineers exploit a person’s natural tendency to trust what he or she is told, rather than exploiting computer security holes.

Unified Threat Management (UTM)—term used to describe network firewalls that have many features in one box, including junk e-mail filtering, anti-virus capability, an intrusion detection and prevention system, and web content filtering, along with the traditional activities of a firewall.

SIDEBAR

Data Security Legislation

Current legislation does not protect a credit union’s reputation if a breach occurs. And the penalties for the criminals don’t equal the suffering of the victims exposed in a security breach. The "Identity Theft Penalty Enhancement Act," which was signed into law in July 2004, establishes aggravated identity theft as a criminal offense and sets mandatory penalties for it; aggravated identity theft is defined by law as the use of a stolen identity to commit certain criminal acts. Under the law, those convicted of using or providing false identification to help terrorists receive a mandatory five-year prison term. Providing false identification for non-terrorism-related crimes carries a two-year prison term. It takes a victim of this crime longer than that to repair the damage to his or her credit and reputation.

League Director of the Washington Office Ryan Donovan says three committees in the House and three committees in the Senate are currently working on data security legislation. The Credit Union National Association (CUNA) has identified which ones pertain to credit unions and is supporting the implementation of a national standard for rules of disclosure. Topics of concern include:

Consumer notice: Credit unions take a large reputation risk under current disclosure legislation. Credit unions believe that if a breach is not the fault of the credit union, the credit union should be able to tell its members where the breach originated.

Reimbursement: The cost of reporting the breach should be incurred by the breacher, not the financial institution reporting it (if the breach occurred outside the financial institution).

Safe Harbor: If a credit union has used information in the normal course of business, remaining in compliance, the credit union should not be held liable.

Donovan reports that later this month, the House is planning to consider security legislation. “They’re going to bring together all the bills that have passed and roll them into one bill,” he says. “We just don’t know what it’s going to look like yet.”

Credit union leaders are urged to keep voicing this issue in meetings with their legislators to ensure that they are protected.

SIDEBAR

Services That Help

Trace Security offers the Trace Assure toolbar, a free product that cross-references every web page domain with the corresponding IP address. This information is validated against the secure TraceAssure "White List." Participating sites that have been validated will display an "Authenticated" notification as well as posting the name of the organization the user is visiting. If a malicious site attempts to impersonate a legitimate website it will fail authentication and a "Malicious" message will be displayed. In addition, if a malicious site were to perform a man-in-the-middle type of attack, TraceAssure would catch the IP address difference and warn the user with a "Malicious" notice. For more information, visit www.tracesecurity.com.
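The check the toolbar performs, and the DNS-poisoning (pharming) scenario described earlier in the article, come down to the same comparison: does the IP address the user's resolver returned for a domain match the address the organization is known to use? The following is an added example, written for this page and not TraceSecurity's product or code, of that comparison done offline. The allowlist, the organization names, the `.test` domains and the resolver observations are all constructed; only `ccul.org` and `13.29.135.137` come from the DNS sidebar. The parent-domain walk (checking `www.ccul.org` against an entry for `ccul.org`) is an assumption about how such a list would be applied, not a documented behavior of the toolbar.

```python
"""Allowlist check of domain -> IP, in the spirit of the toolbar described
in the sidebar.  Example code; not the vendor's implementation."""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed "white list": registrable domain -> addresses the organization
# is known to serve from.  A real list would be signed and distributed by
# the vendor; these values are placeholders apart from the ccul.org address
# quoted in the DNS sidebar.
WHITE_LIST = {
    "ccul.org": frozenset({"13.29.135.137"}),
    "example-cu.test": frozenset({"192.0.2.10", "192.0.2.11"}),
}

# Constructed organization names shown to the user on an "Authenticated" hit.
ORGANIZATION = {
    "ccul.org": "CCUL (placeholder organization name)",
    "example-cu.test": "Example Credit Union (placeholder)",
}


def host_from_url(url: str) -> str:
    """Return the lower-cased host of a URL, dropping port and trailing dot."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return host


def allowlisted_parent(host: str) -> Optional[str]:
    """Find the allowlist entry covering host: the host itself or its nearest
    listed parent domain (assumption: www.ccul.org is judged by the ccul.org
    entry).  A bare top-level domain is never treated as a match."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WHITE_LIST:
            return candidate
    return None


def classify(url: str, resolved_ip: str) -> Tuple[str, Optional[str]]:
    """Classify one observation (URL the user is visiting, IP the resolver
    returned) as the sidebar describes:
      Authenticated - listed domain and the IP is one it is known to use
      Malicious     - listed domain but a different IP (poisoned lookup or
                      man-in-the-middle), as the sidebar's "IP address difference"
      Unknown       - domain not on the list (look-alike names land here)
    The organization name is returned for listed domains."""
    host = host_from_url(url)
    ip = ipaddress.ip_address(resolved_ip)  # ValueError on malformed input
    entry = allowlisted_parent(host)
    if entry is None:
        return ("Unknown", None)
    org = ORGANIZATION[entry]
    if str(ip) in WHITE_LIST[entry]:
        return ("Authenticated", org)
    return ("Malicious", org)


# Constructed resolver observations standing in for what a browser would see.
OBSERVATIONS = [
    ("https://www.ccul.org/login", "13.29.135.137"),      # genuine address
    ("https://ccul.org/", "198.51.100.7"),                 # lookup redirected elsewhere
    ("http://ccul-org-secure.test/login", "198.51.100.7"), # look-alike domain, unlisted
    ("https://example-cu.test:8443/", "192.0.2.11"),       # genuine, non-default port
]


def run_checks(observations=OBSERVATIONS):
    """Classify every observation; returns a list of (host, verdict, org)."""
    return [(host_from_url(u), *classify(u, ip)) for u, ip in observations]


if __name__ == "__main__":
    for host, verdict, org in run_checks():
        print(f"{host:28s} {verdict:14s} {org or '-'}")
```

The second observation is the pharming case from the article: the domain is the real one, but the address the resolver handed back is not, so the user would be warned before entering credentials. The third shows the limit of an allowlist: a look-alike domain is merely "Unknown", which is why the sidebar stresses that only validated participating sites ever show "Authenticated".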