FORT LAUDERDALE, Fla. (11/17/15)--Self-assessment is key to any financial institution’s cybersecurity preparedness because that is how an institution can cover its bases without suffering a data breach.
Tom Schauer, a principal at CliftonLarsonAllen, spoke at the CUNA/National Association of State Credit Union Supervisors Bank Secrecy Act Conference Monday on how credit unions can self-assess.
Schauer’s company performs information technology and security assessments on financial institutions, and part of that work is using the tactics a hacker would use to gain access to an institution’s network.
According to Schauer, he has been able to access 63% of the internal networks for his banking clients, and once in the network he is able to obtain administrator-level access in 58% of them.
“It takes about 60 to 90 minutes, and is rarely detected,” Schauer said.
His recommendations to financial institutions include:
As an example, Schauer pointed to the Carbanak attacks, in which attackers in Russia, Ukraine and China took $1 billion over two years from banks in Russia, Europe and the United States.
The hackers sent malware as an email attachment and eventually gained access to computer systems, logging every keystroke and taking a screenshot of computer displays every 20 seconds.
The hackers were able to learn how the banks did business and were able to hack ATMs, transfer money to fraudulent accounts, transfer money using e-payments, and inflate legitimate account balances and pocket the extra funds by mimicking staff.
(Editor’s note: For more coverage of CUNA’s BSA Compliance Conference, see the following stories in today’s issue: BSA Conference: FinCEN enforcement designed to educate, not just punish; BSA Conference: Exploring benefits, pitfalls of remote deposit capture; BSA Conference: Finding red flags for trade-based money laundering; and BSA Conference: Well-defined AML program essential for small FIs.)