CUNA is now America's Credit Unions.
A stronger voice to advance the credit union industry.
We’ve seen a shortage of workers, a shortage of supplies, and even a shortage of inventory for many businesses in recent months. But two things are in abundant supply: cybercriminals and their schemes.
These criminals and their attacks are becoming more sophisticated and more calculated. That became very apparent just before the end of 2021 with the discovery of the Log4j vulnerability, a zero-day vulnerability hackers used to exploit code in various Java-based logging software.
Without going in to all the technical details of the situation, suffice it to say that cyberattackers found a flaw in the code of the logging software and manipulated the code to embed malicious information called Log4Shell.
Once deployed, that malicious code can install trojans, ransomware, and a host of other malware that can affect all businesses, credit unions included.
The proof is in the pudding, as they say, and Log4j was a heaping spoonful of pudding. That’s because it’s estimated to appear in more than 100 million uses of software the world over.
It has a huge reach, especially because Java is a widely used form of code. Despite everything we know about cybersecurity and the many schemes that are out there, it’s clear there will always be new avenues for cyberattackers to find.
Because financial institutions are a major target for scams to gain member information and funds, we always need to be on guard.
Log4j isn’t the only vulnerability that falls into the zero-day category. In fact, a zero-day vulnerability is any flaw hackers find and attempt to exploit even before the software’s developers become aware of the problem.
In other words, there are zero days to act or prevent exploitation by cybercriminals before they introduce the malware.
Generally, patches and updates are created when vulnerabilities are found in a system or software. This isn’t possible with zero-day vulnerabilities, as the issue isn’t discovered until after malicious activity has already occurred and is made public as information theft.
And there’s more to it. Zero-day vulnerabilities turn into zero-day attacks when cybercriminals act on those vulnerabilities and deploy their malware. The key point there is that the attacks are successful, meaning they gained access to sensitive data or systems.
Some notable examples of zero-day attacks, in addition to the Log4j attack, include Heartbleed (2014), Shellshock (2014), BlueKeep (2019), and Kaseya (2021).
There are also zero-day exploits, which refer to the technique of—you guessed it—exploiting the vulnerabilities they find. Many times, as zero-day vulnerabilities are unknown to the developers who created them, hackers sit on those flaws and lie in wait to establish their attack.
The more time they have to fine-tune their attacks, the more successful they tend to be.
Types of zero-day exploits include:
In the instance that a zero-day vulnerability, such as Log4j, is exploited and an attack is imminent, what can your credit union do to stay secure?
The answer is twofold: be proactive and have a plan. Work now to guard against attacks as best you can before they occur, but also have a series of actions in place in case an attack does occur.
It’s not always possible to protect against vulnerabilities, especially if you use outside vendors for services. However, there are several steps your credit union can take to protect your information, systems, networks, and servers from zero-day attacks:
1. Provide social engineering and security awareness training to every staff member, executive team member, and board member.
Awareness is a fundamental piece of the puzzle in protecting your institution. Knowing what attacks might look like—whether they come in the form of phishing emails or malicious links and so on—means your staff is more likely to spot red flags and not fall for the scams.
2. Implement a consistent patch management program. Create a schedule that includes patches and updates for all of your systems and networks, and perform these processes often.
Also, stay apprised of any new patches or updates that are available to stay as up to date as possible. A good patch management program will not guarantee protection against a zero-day attack, but a process will already be in place when the vulnerability becomes known and a patch becomes available.
3. Implement a strong vendor due diligence program. This will allow you to build good working relationships with your vendors, which leads to better communication in the event a zero-day attack occurs.
In that communication, your credit union and your vendor can determine vulnerabilities on both ends and implement mitigation tools together. In addition, a vendor due diligence program means you’ll have policies and processes in place to review contracts for the outside party’s security controls and service level agreements.
4. Use the rule of least privilege so only people who absolutely need to have access to a particular system or application receive those permissions.
Tellers may not need the same access as loan officers and vice versa, and the fewer people who can access sensitive information, the fewer opportunities cyberattackers will have to enact their malicious schemes.
5. Take a layered approach to security. The more security measures you have in place, the stronger buffer you create between your data and hackers. Install firewalls, use anti-virus software, deploy threat detection, monitor user activity, and more.
6. Put in place a disaster recovery/incident response plan in the event a zero-day vulnerability is successfully exploited despite your protective security controls. This will help you determine how to act quickly and recover your data and/or control of your systems.
There’s no sugarcoating it: Zero-day vulnerabilities are going to happen, and attacks are inevitable. Log4j is just one in a string of many.
The best advice anyone in the security world can give you is to be knowledgeable, be proactive, and have a plan to face zero-day vulnerabilities and attacks.
JOHN CUNEO is information security director at Vizo Financial.