Credit Union Resources, Inc
Hacking has come into the limelight again. The CIA, FBI, and the NSA have recently released findings that Russia may have been involved in the hacking of the DNC e-mails, as well as the e-mails of Hillary Clinton’s campaign manager John Podesta. The influence this had on the election is far beyond the scope of this blog post, but it does once again show how anyone can be vulnerable to hacking.
For obvious reasons, financial institutions will always be a high-priority target for hackers. The financial motive is a given, but some grey hat hackers might choose to attack financial institutions not for monetary gain, but to sow chaos. The hacking mentioned above shows that no institution is safe from hackers. So whether you are a $10 million credit union or a $1 billion plus credit union, it’s vital that you take the necessary steps to protect your members’ assets. In this blog we will discuss three main ways to protect yourself and your credit union from hackers: 1) strong passwords, 2) a robust firewall, and 3) ongoing social engineering training.
Strong password security is an ongoing battle between users and administrators. If network admins had their way, all passwords would be at least 20 random characters and would have to be changed on a weekly basis. Most users would prefer never to change their password, which is most likely the name of their favorite child or pet. The ideal balance is obviously somewhere in between. Good passwords start with scoring four out of four on complexity, meaning an uppercase character, a lowercase character, a number, and a special character. One measure we teach is to use passphrases instead of passwords. Take this phrase: “My network admin does not like me and the feeling is mutual.” If you use the first letter of each word, capitalize every other one, and change some letters to numbers and symbols, you can get this: “MnAdNlM@Tf1m”. This is a password no one could possibly guess, except perhaps your network admin, who doesn’t like you.
Another security measure you should take is having a robust firewall with a built-in intrusion detection/prevention system (IDS/IPS). Before any penetration is attempted on your network, the hacker is most likely to probe your system. A firewall is the first device that sees incoming data from the Internet. Like a security guard posted at your credit union entrance, a firewall receives, inspects, and makes decisions about all incoming and outgoing data. But a firewall is not a “set and forget” device. Not only does it require constant monitoring (including automated alerts), but proper patching is vital. Hackers are always looking for new loopholes to exploit, so if your firmware is out of date, you could be vulnerable to attacks.
Finally, we get to social engineering. This is defined as a non-technical way to breach your security. Social engineering is just another form of ID theft, in which the hacker will try to gain access to a user’s full name, date of birth, SSN, account number, etc. Account numbers are especially attractive to hackers, since many online banking platforms require members to use this as their login ID. Some of the more common types of social engineering, and perhaps the best known, are phishing techniques, usually done through e-mail. As a rule, never click on a link in an e-mail that you aren’t 100% sure about, especially one asking you to log into something. A good rule of thumb if you aren’t sure is to hover your cursor over the link. At the bottom of your browser it will show you the actual location you’ll be directed to. In addition, always report suspicious e-mails to your IT personnel. Another method of social engineering would be someone attempting to infiltrate your branch disguised as someone else. This could be someone dressed as a technician or someone in authority (policeman, fireman, etc.). No matter who it is, always check for an ID and then check with your management to ensure this person has authorized entry.
These three are by no means all you need to do to protect yourself and your members’ data, but they’re a good start. Your IT personnel and/or your Security Officer should keep themselves up to speed on current and trending threats. However, it’s not their job alone. Every credit union employee must use common sense and situational awareness to keep your assets safe.