What is cybersecurity and what role does incident response play in an information security program?
Patrick Sickels: Cybersecurity is how your credit union manages both internal and external technological threats and provides evidence that you are doing so. Everything from risk assessments to antivirus software is a part of your cybersecurity strategy. The purpose of your program is to protect your members’ money and their identities.
Cybersecurity risk management involves reviewing all the technical threats to an organization’s information and evaluating the patrols necessary to mitigate these risks.
Jim Lawrence: An aspect of a cybersecurity incident response and security program is business continuity. Business continuity anticipates threats that could result in business disruptions and take steps to mitigate the impact of those threats. By creating a business continuity plan, credit unions provide instant response procedures to restore critical systems and processes and return to normal business operations.
David Wordhouse: Following up on what Jim said, all cybersecurity response plans should consider their network and a high availability strategy.
A network is a group of computers that can talk to each other. Network security is really nothing more than ensuring these computers and the information they contain are only used as intended by the organization that owns them.
For services and applications where even the slightest amount of downtime can result in significant impact operations, a high availability strategy helps keep systems online. High availability is achieved by replicating data between redundant systems in multiple locations.
What is encryption?
Matt Sawtell: Encryption is an effective way to improve data security. It provides security by scrambling the original message in such a way that only an authorized person can read or access it. Encryption is necessary for any data that may traverse a public area such as the internet. Encryption should be enabled when sending sensitive information via email or accessing it on a website.
How do I know when there is an intruder?
Sawtell: Intrusion detection is not one single thing or system. Rather, it’s a method of detecting unauthorized access to corporate computing resources and alerting management of unauthorized activities. Intrusion detection is a passive response, if you want your security system to stop the intrusion when detected, you will want an intrusion prevention service instead.
How do I keep the bad guys out?
Wordhouse: Make firewalls a priority. A firewall is a network device that helps separate networks that are untrusted from networks that are trusted. A firewall is typically used to keep malicious internet traffic outside the four walls of the credit union while still allowing some traffic to pass through so that business-important websites can be accessed.
Sawtell: Also, be on alert for networks you don’t trust. Just like in Korea, a demilitarized zone (DMZ) is a network that you don’t trust very much. DMZs are used for systems that need connection to the internet like email or web servers. Firewalls used to protect the internal network from the DMZ and a DMZ from the internet.
Sickels: Maintain a constant state of vigilance by having controls. Controls are the safeguards an organization has a place to detect or better yet prevent security attacks.
Wordhouse: Finally, be sure that there is layered security. Layered security is the concept that there is no silver bullet for network security. Effective security must be applied using multiple controls stacked together. For instance, using a firewall with antivirus software and data encryption.
What is malware and what are measures I can take to protect my credit union and members?
Sawtell: Malware is one of the most significant threats facing your organization today. Malware is any software running on a system that performs malicious actions. Malware can do many things such as encrypt or delete your data, exfiltrate information to the attacker, spy on activities record keystrokes, provide a backdoor for the attacker to remotely access your network. So much malware is being written today the traditional antivirus alone cannot keep up.
Effective protection against malware requires a lot of layers. First, you need up-to-date antivirus software that is properly configured. Second, make sure your staff is trained not to click on links or open attachments and unexpected emails. Third, you’ll need anti-malware software that works based on the behavior of the software. Fourth, up-to-date patching of applications and operating systems that are connected to your network is essential. Finally, you must have identification and prevention of network traffic to malicious locations on the internet.
What do examiners expect from credit unions?
Lawrence: As a result of requests from examiners, the business impact analysis (or BIA) is used to identify and prioritize business functions and the technology that supports them. For each function a maximum allowable downtime value is determined based on the loss to the organization in the event of a disruption.
What else can I do to protect my members?
Wordhouse: Require your members to authenticate. Authentication is providing proof that you are who you say you are. Typically this is done by providing a username and a password.
Sawtell: Consider multi-factor authentication. Usernames and passwords can be easily guessed or stolen multi-factor authentication means you have to provide some other proof of your identity besides just a password. Other valid forms include biometrics such as a fingerprint or something unique you have like a token. Combining a password with another form of authentication provides for strong security.
Sickels: Examine access. Access controls turning who should and who shouldn’t have access to a particular computer system or physical area.
What are the other types of cyber-attacks I should be aware of and how do I mitigate the risk?
Wordhouse: Denial of Service is a big one. If I siphon the gas out of your car, you’re stuck—I’ve just denied you the ability to drive your car. That’s a denial-of-service attack: an attacker performs actions that prevent you or your members from using an application such as home banking. Networks can be built using technologies that try to shun these attacks. However, to protect against an overwhelming flood of traffic, partnering with your ISP or a trusted third-party specializing in das protection is necessary.
Lawrence: Attacks can occur as a result of a Single Point of Failure (or SPF). SPF is any part of a system that if it should fail, can bring down the entire system. Examples of SPFs include servers with a single hard drive, offices with a single source of power, and networks with a single internet connection.
Sawtell: Be aware of your policy for Bring Your Own Device (BYOD). Allowing employees to connect their personal devices to the corporate network is becoming more and more common these days. BYOD is first and foremost a policy decision that the business should consider. There may be productivity improvements, but there are also risks. Things to consider include whether or not the flow of information will be controlled, how will it be protected, what information is permitted on an employee’s device, and what is not. BYOD should start first with a business analysis then a risk assessment followed by a written policy. The technical systems can be introduced to allow secure BYOD, but notice the technical systems come last in this process.
Wordhouse: Not a day goes by when social engineering attacks are not in the news. Social engineering is when attackers are playing the con. If I can trick you into giving me something that I shouldn’t have then I’m just a social engineer. Your defense against social engineering starts with employee training. Educate them on permissible actions and what to do if they think they made a mistake.
Credit unions should protect themselves with recovery points. What can you tell us about this?
Lawrence: When we talk about recovery points, we are referring to Recovery Time Objectives (RTOs) and Recovery Pont Objectives (RPOs). A Recovery Time Objective represents the maximum amount of time between a business disruption and the time the process is partially or fully restored. Accurate recovery time objectives help to ensure that recovery plans properly align with business requirements.
A Recovery Point Objective represents the maximum amount of data that can be lost without severely impacting a recovery of operations. Accurate recovery point objectives help to ensure that data is archived at the appropriate intervals and that vital records are not at risk.
Cybersecurity affects everyone
Nobody wants to be standing in front of smoking gun. Having the information to understand cybersecurity, the risks, and how to mitigate those risk in order to protect your brand, your members’ money, and their identities is integral. The best defense strategies against cyber-crimes are strategic investments in education for your board, employees, and members. Investing in professional cybersecurity staff is ideal. Be sure to reach out to me for additional information on how to make cybersecurity a part of your credit union’s strategic plan.