CUNA News


Combat zero-day attacks: 6 steps

Be knowledgeable and proactive, and have a plan to face zero-day vulnerabilities.

April 20, 2022
John Cuneo

We’ve seen a shortage of workers, a shortage of supplies, and even a shortage of inventory for many businesses in recent months. But two things are in abundant supply: cybercriminals and their schemes.

These criminals and their attacks are becoming more sophisticated and more calculated. That became very apparent just before the end of 2021 with the discovery of the Log4j vulnerability, a zero-day vulnerability hackers used to exploit code in various Java-based logging software.

Without going into all the technical details of the situation, suffice it to say that cyberattackers found a flaw in the code of the logging software and manipulated the code to embed malicious information called Log4Shell.

Once deployed, that malicious code can install trojans, ransomware, and a host of other malware that can affect all businesses, credit unions included.

What Log4j taught us

The proof is in the pudding, as they say, and Log4j was a heaping spoonful of pudding. That’s because it’s estimated to appear in more than 100 million uses of software the world over. 

It has a huge reach, especially because Java is a widely used form of code. Despite everything we know about cybersecurity and the many schemes that are out there, it’s clear there will always be new avenues for cyberattackers to find. 

Because financial institutions are a major target for scams to gain member information and funds, we always need to be on guard.

More about zero-day vulnerabilities

Log4j isn’t the only vulnerability that falls into the zero-day category. In fact, a zero-day vulnerability is any flaw hackers find and attempt to exploit even before the software’s developers become aware of the problem. 

In other words, there are zero days to act or prevent exploitation by cybercriminals before they introduce the malware.

Generally, patches and updates are created when vulnerabilities are found in a system or software. This isn’t possible with zero-day vulnerabilities, as the issue isn’t discovered until after malicious activity has already occurred and is made public as information theft.

And there’s more to it. Zero-day vulnerabilities turn into zero-day attacks when cybercriminals act on those vulnerabilities and deploy their malware. The key point there is that the attacks are successful, meaning they gained access to sensitive data or systems. 

Some notable examples of zero-day attacks, in addition to the Log4j attack, include Heartbleed (2014), Shellshock (2014), BlueKeep (2019), and Kaseya (2021).

There are also zero-day exploits, which refer to the technique of, you guessed it, exploiting the vulnerabilities hackers find. Many times, as zero-day vulnerabilities are unknown to the developers who created them, hackers sit on those flaws and lie in wait to establish their attack.

The more time they have to fine-tune their attacks, the more successful they tend to be. 

Types of zero-day exploits include:

  • Phishing emails, including spear phishing.
  • Social engineering.
  • Malicious advertisements and websites.
  • Brute force to compromise networks or servers.

How to combat zero-day attacks

In the event that a zero-day vulnerability, such as Log4j, is exploited and an attack is imminent, what can your credit union do to stay secure?

The answer is twofold: be proactive and have a plan. Work now to guard against attacks as best you can before they occur, but also have a series of actions in place in case an attack does occur.

It’s not always possible to protect against vulnerabilities, especially if you use outside vendors for services. However, there are several steps your credit union can take to protect your information, systems, networks, and servers from zero-day attacks:

1. Provide social engineering and security awareness training to every staff member, executive team member, and board member. 

Awareness is a fundamental piece of the puzzle in protecting your institution. Knowing what attacks might look like—whether they come in the form of phishing emails or malicious links and so on—means your staff is more likely to spot red flags and not fall for the scams.

2. Implement a consistent patch management program. Create a schedule that includes patches and updates for all of your systems and networks, and perform these processes often.

Also, stay apprised of any new patches or updates that are available to stay as up to date as possible. A good patch management program will not guarantee protection against a zero-day attack, but a process will already be in place when the vulnerability becomes known and a patch becomes available.

3. Implement a strong vendor due diligence program. This will allow you to build good working relationships with your vendors, which leads to better communication in the event a zero-day attack occurs. 

In that communication, your credit union and your vendor can determine vulnerabilities on both ends and implement mitigation tools together. In addition, a vendor due diligence program means you’ll have policies and processes in place to review contracts for the outside party’s security controls and service level agreements.

4. Use the rule of least privilege so only people who absolutely need to have access to a particular system or application receive those permissions. 

Tellers may not need the same access as loan officers and vice versa, and the fewer people who can access sensitive information, the fewer opportunities cyberattackers will have to enact their malicious schemes. 

5. Take a layered approach to security. The more security measures you have in place, the stronger the buffer you create between your data and hackers. Install firewalls, use anti-virus software, deploy threat detection, monitor user activity, and more.

6. Put in place a disaster recovery/incident response plan in the event a zero-day vulnerability is successfully exploited despite your protective security controls. This will help you determine how to act quickly and recover your data and/or control of your systems.

There’s no sugarcoating it: Zero-day vulnerabilities are going to happen, and attacks are inevitable. Log4j is just one in a string of many. 

The best advice anyone in the security world can give you is to be knowledgeable, be proactive, and have a plan to face zero-day vulnerabilities and attacks.

JOHN CUNEO is information security director at Vizo Financial.

KEYWORDS cybersecurity
