You can beat ’em if you join ’em.
Now that one of the biggest threats credit unions face is thieves reaching into their coffers via cyber doors inadvertently left open, security depends on thinking like the hackers to block their next move.
That’s the essence of “ethical hacking,” the practice of authorized professionals testing data vulnerability using the latest methods employed by nefarious actors.
Some credit unions hire third-party ethical hacking firms to occasionally check their network fortifications.
Michigan State University Federal Credit Union (MSUFCU) in East Lansing does that and more: Sean Verity, ethical hacking manager, and his assistant protect against outside threats from in-house, full-time.
Verity, who joined the $5.7 billion asset credit union in 2011 as an internal information technology (IT) auditor, was curious about ethical hacking and sought out the skills and certifications in his free time. It wasn’t long before he made this his sole focus.
Now a decade in the role, Verity shares the credit union’s unique approach to getting inside the criminal mind.
MSUFCU uses automated scanners that search for cyber leaks as well as an outside ethical hacking firm and its in-house expertise for a three-pronged hacking defense.
“It’s all about protecting the organization’s ‘crown jewels,’” says Verity.
While scanners “look very thoroughly at systems on an individual basis,” he explains, it’s only human hackers who can analyze inter-related threats to truly assess an organization’s exposure to cyber theft.
“Imagine a network with two systems,” he explains. “One is very secure and contains data that are the ‘crown jewels.’”
While the other system is less secure, it doesn’t hold precious cargo. “The scanner will tell you the insecure system should be the focus and rightfully so,” Verity says. “But the human will know [criminals] will want to access the insecure system only to pivot to the secure one to steal the ‘crown jewels,’ and focus on that.”
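The two-system scenario above can be modelled as a small attack-path ranking. The following is an added illustration, not MSUFCU’s tooling; the network topology, host names and scanner scores are constructed, and it shows why a per-host scanner ranking and a pivot-aware ranking put different hosts at the top of the remediation list.

```python
from collections import deque

# Constructed sample network (hypothetical): each host carries a scanner-style
# severity score (0-10, higher = weaker) and the hosts it can reach over the network.
NETWORK = {
    "web-dmz":      {"scanner_score": 9.1, "reaches": ["app-internal"], "crown_jewels": False},
    "app-internal": {"scanner_score": 4.0, "reaches": ["core-db"],      "crown_jewels": False},
    "core-db":      {"scanner_score": 2.0, "reaches": [],               "crown_jewels": True},
    "kiosk":        {"scanner_score": 9.8, "reaches": [],               "crown_jewels": False},
}


def scanner_ranking(network):
    """Rank hosts purely by their own scanner score, as an automated scanner would."""
    return sorted(network, key=lambda h: network[h]["scanner_score"], reverse=True)


def reachable_from(network, start):
    """Breadth-first walk over the 'reaches' edges; returns every host reachable from start."""
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for nxt in network[host]["reaches"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def pivot_ranking(network):
    """Rank hosts the way a human tester reasons: a weak host that leads to the
    crown jewels outranks an even weaker host that is a dead end."""
    jewels = {h for h, v in network.items() if v["crown_jewels"]}

    def key(host):
        leads_to_jewels = bool((reachable_from(network, host) - {host}) & jewels)
        return (leads_to_jewels, network[host]["scanner_score"])

    return sorted(network, key=key, reverse=True)


if __name__ == "__main__":
    print("scanner view:", scanner_ranking(NETWORK))   # kiosk first: highest score
    print("pivot view:  ", pivot_ranking(NETWORK))     # web-dmz first: path to core-db
```

The isolated kiosk tops the scanner view, but the DMZ web host tops the pivot view because it is the first hop on a path to the crown-jewel database.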
Verity and his assistant continually penetration test based on a three-year plan.
“We have a catalog listing various types of technical risks to either internal or external networks,” he says. “We rate the risk, and that matches how often we test.”
Social engineering hacks, often conducted through phishing emails to members or staff, as well as ransomware to grab data and hold it hostage until an institution buys it back, are the prevalent threats to all businesses, not just credit unions, Verity says.
He keeps up with current attacks through articles published by organizations like the SANS Institute and the Information Security Media Group.
Recently, he found an actual example of a phishing email that preyed on recipients’ curiosity about the incidence of COVID-19 in their area to test MSUFCU staff’s gullibility.
“We like to think of a layered defense,” Verity says. If an employee does fall for a phishing scam, “we look at what other layers we can put in place.”
Following each project “we prepare a report on what was tested, when, and what we found,” Verity says.
He hands off the reports to the IT security team. If a vulnerability was discovered, its severity, nature, and location are documented to determine the best way to remediate.