Sometimes it pays to trust a hacker—at least one who has dedicated his career to uncovering potential vulnerabilities living below the surface in credit union information systems.
David Anderson of CliftonLarsonAllen is just such an “ethical hacker,” and he gave CUNA Tech/OpSS Council Conference attendees a peek behind the curtain of today’s latest cybercrime techniques.
Anderson uses leading-edge hacking and testing methods, including network penetration, social engineering, and email phishing, to expose potential areas of weakness in his clients’ networks.
Anderson says the No. 1 oversight “that makes a hacker’s life easy” is providing users with local administrative privileges. This action may enable hackers to locate the one system or application that has a vulnerable entry point, and it increases the range of possibilities of what the hacker can accomplish within the system.
Other practices that may expose sensitive data to hacker activity include not giving domain administrators separate user accounts, poor patching, weak encryption practices, and the widespread use of vendor systems and equipment.
Weak passwords are another key area of vulnerability. Anderson revealed that his team can crack an eight-character password in less than a day, while a 10- or 11-character password will take years to decode.
A general lack of security awareness among employees is another huge problem for credit unions and other organizations. Anderson said it’s critical to get employees on board through regular training and education.
He also shared some of the latest hacking trends that information security professionals are watching, including:
“I’m grateful there are some ‘white hat hackers’ out there to help us improve our breach protection,” said Bobby Matthis, vice president of information technology at $1.3 billion asset Westerra Credit Union in Denver. “It’s no longer a question of will you get hacked, but when.”