
Defending against Ever-Evolving Security Threats

Security threats are a topic all too familiar to credit unions. Moreover, the evolution of those threats is unmistakable: organized criminals have replaced the computer whiz kids who were just looking for a thrill. Current threats range from highly technical attacks to low-tech tactics that a novice computer user could carry out, and defending against such a diverse range of threats is daunting.

The most fundamental defense against these threats is to reject complacency and take a proactive approach to security. Complacency has two major causes. The first and most damaging is the belief that compliance equals security; passing an examination shows that required controls exist, not that an attacker cannot get past them. Instead, credit unions should proactively identify vulnerabilities by performing a thorough security risk assessment that draws on industry standards, best practices and current security breach trends.

The second cause of complacency is becoming numb to the sheer number of breaches. Breaches are now commonplace in headlines around the nation, and the steady stream of stories obscures both the severity of each breach and the lessons to be learned from it. Credit unions should heed the warnings of recent breaches and learn how to defend themselves against the same vulnerabilities.

To best defend against breaches, the credit union should build a strong security foundation by proactively performing a comprehensive risk assessment. The goal of the assessment is to identify and eliminate the risks that leave the credit union most exposed; any remaining vulnerabilities should be monitored and managed.

The security risk assessment should contain four major components, each applied to physical, operational and technical security:

  • Determine assets
  • Determine threats
  • Determine vulnerabilities
  • Determine the current risk rating

Although every area should be evaluated in the security risk assessment, current security trends suggest that credit unions place an emphasis on the following:

1) Multi-layered approach. Security should be layered physically, administratively and technically, so that no single control is the only thing standing between an attacker and member data. Technical examples include firewalls configured with intrusion prevention systems, automated alerts, a secondary firewall configured for automatic failover, and strong activity reporting.
2) Rule of least privilege. Access should be granted only to those individuals whose job responsibilities require it, and strong activity reporting and review should complement these controls. Core data processing systems have long established access levels based on each employee's role; the same role-based methodology should be applied to supporting software and network components such as servers, firewalls and routers. It is equally crucial that physical and administrative access controls be in place, including restricting access to areas of the credit union that hold confidential documents: file rooms, unlocked shred bins, server rooms and the like.
3) Employee training. Training all employees on security is vital, as they are the front line of defense against data breaches. In addition to the credit union's Security Policy and Program, security training should cover topics such as:

  • Social engineering: a non-technical form of hacking in which a perpetrator poses as someone else in order to manipulate credit union employees into granting access or divulging confidential information. An example would be an impostor claiming to be an AT&T technician troubleshooting a network outage, who uses that access to plant malware on a credit union computer via a USB thumb drive.
  • Suspicious e-mails: training employees how to handle suspicious e-mails is another vital step in protecting the credit union from a data breach. The first step is to train employees not to open or respond to e-mails when the sender cannot be identified. Even when the sender can be identified, employees should ask whether that person would actually send that particular message, since a familiar display name can be paired with an address the sender does not control. The second step is to report the message immediately. Employees should also never click a link in such an e-mail to reach an external website; the text shown for a link need not match where the link actually leads. If the employee needs the site, he or she should open a web browser and type the URL manually.
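The two e-mail checks described above (does the sender's address belong to the credit union, and does each link's visible text name the same domain as its real target) are the kind a mail gateway or help-desk triage script can automate. The following Python is an added example, not code from the original article or from Financial & Technology Resources. It inspects a constructed phishing-style message in which the link text shows the credit union's own domain while the href points elsewhere. The credit union domain examplecu.org, the sample message and the two-label domain reduction are assumptions made for illustration.

```python
"""Triage an e-mail for two phishing tells: a From address outside the organization's
domain, and links whose visible text names one domain while the href leads to another.
Added example with a constructed message; not part of the original article."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message). The first link's text shows the credit
# union's domain, but its href goes to a look-alike host; the second link is honest;
# the third has plain-English text and must not be flagged.
SAMPLE_EMAIL = """\
From: "Member Services" <alerts@examplecu-security.net>
To: teller@examplecu.org
Subject: Urgent: verify your workstation login
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your session will be locked. Please confirm at
<a href="http://login.examplecu-security.net/verify">https://www.examplecu.org/login</a></p>
<p>Questions? See <a href="https://www.examplecu.org/help">https://www.examplecu.org/help</a>
or read <a href="https://www.examplecu.org/policies">our security policy</a>.</p>
</body></html>
"""

# Visible link text that itself looks like a URL or bare host name.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?")


def registrable_domain(host):
    """Crude registrable-domain reduction: keep the last two labels.
    Assumption: no multi-part public suffixes (e.g. co.uk) appear in the input."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return hrefs whose URL-looking visible text is on a different registrable domain."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if not URL_LIKE.fullmatch(text):
            continue  # "click here"-style text carries no domain claim to compare
        shown = urlparse(text if "://" in text else "http://" + text)
        actual = urlparse(href)
        if shown.hostname and actual.hostname and \
                registrable_domain(shown.hostname) != registrable_domain(actual.hostname):
            flagged.append(href)
    return flagged


def sender_is_external(from_header, trusted_domain):
    """True when the address behind the display name is not in the trusted domain."""
    _name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return registrable_domain(addr_domain) != trusted_domain.lower()


def analyze(raw_message, trusted_domain):
    """Parse a raw RFC 822 message and run both checks on it."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "sender_is_external": sender_is_external(msg["From"], trusted_domain),
        "mismatched_links": mismatched_links(html),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL, "examplecu.org"))
```

Either finding alone is enough to route the message to the reporting step rather than to the recipient's judgement; the link check in particular makes concrete why the training says to type the address by hand instead of trusting what the link displays.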

4) Member education programs. Educating members against fraud and identity theft is another line of defense. An effective program should be evaluated using measurements that include:

  • Tracking the number of members who report suspicious activity on their accounts
  • Recording the number of member visits on the ‘information security link’ if available on the website
  • Recording the number of statement stuffers or other direct mail communications to the members
  • Tracking the dollar amount of losses relating to identity theft before and after the member education program begins

5) Testing. Internal and external vulnerability assessments play a vital role in preventing data security breaches, and their findings feed directly back into the risk assessment described above. Although no credit union can eliminate every vulnerability, it is imperative to take a proactive approach to minimizing and managing them. Recovering from a recession may prove easier than recovering from the loss of member confidence that follows a data breach. Demonstrating management's commitment to data security to both employees and members may be the most significant aspect of the credit union's security posture.

Idrees Rafiq is assistant vice president of IT Consulting for Financial & Technology Resources. Reprinted with permission from the Texas Credit Union League (www.tcul.coop).

