ARLINGTON, Va. (11/17/14)--Many credit unions employ data security testing, but one expert says the testing might not be cutting it. Tom Schauer, CEO of TrustCC, a security company serving financial institutions, addressed several concerns at the inaugural Credit Union Cybersecurity Symposium Friday in Arlington, Va., an event hosted by the National Association of State Credit Union Examiners and the Credit Union National Association.
Traditional data security testing consists of an analyst sending phishing e-mails with bogus links to staff and officers, and then accessing the financial institution's network to search for vulnerabilities.
This limited approach to analyzing security gives management a false sense that there are only a few vulnerabilities that could be exploited.
Photo: Information technology security expert Tom Schauer speaks at the Credit Union Cybersecurity Symposium Friday. (CUNA Photo)
Schauer told his credit union audience that management's response to bad test results is typically: Human resources has a lot of work to do to train employees to look for social engineering attacks.
However, credit unions, he said, would be better served with more dynamic testing that more accurately simulated a hacker's approach.
"Here's the thing," Schauer said--the test is not a realistic simulation of how a hacker would attempt to gain access--a real hacker would be stealthy and invisible, covering his tracks as he infiltrates a network.
Companies like Schauer's perform a test that is much closer to reality, one where they are not supplied with any employee information or access beforehand.
This approach first uses a fictitious LinkedIn account of "an attractive female" human resources (HR) recruiter. The profile will connect with individuals at the credit union being tested, and most will accept the invitation, thinking it a networking opportunity.
"Our fake account has 400 first-degree connections and several thousand second-degree connections, all in the financial industry. A paid LinkedIn account lets you access the e-mail addresses of all first- and second-degree connections," he said, adding, "So now it's super easy for us to harvest e-mail addresses of our client credit union, without them giving us any information."
Then Schauer and his group will send an e-mail to four employees at a time, minimizing the chance of the fraud being discovered. The e-mail will supposedly be from someone in HR and will ask them to click a link.
If they don't get a response, they'll often start reaching out to employees via phone, saying they are from information technology (IT) and need employees to run a "diagnostic tool" to check for malware, giving them access to that employee's workstation.
Once they have access to the workstation, they will escalate attacks, measuring how well the credit union is protected from incidents.
For one credit union in Virginia, Schauer sent an e-mail purporting to contain a five-question survey about the effects of the Affordable Care Act on individual benefits. To top it off, participants in the survey were promised a Starbucks gift card for their trouble.
The credit union's chief financial officer directly infected two workstations with malware, after the gift card site said, "If this site is not working, try it on another computer." In addition, several employees called the IT department and were told the e-mail was completely legitimate.
Schauer and his company got full administrative access in 75 minutes.
According to Schauer, in 2013 this type of testing allowed them to breach a network 63% of the time, access sensitive data 79% of the time, and gain full administrative access 58% of the time.
Their 2013 testing saw 25% of employees falling for the fake e-mail, and an average of 60 to 75 minutes to obtain full administrator access.