Cybersecurity expert Tom Schauer speaks about the importance of self-assessments at the CUNA/NASCUS Bank Secrecy Act Conference. (CUNA Photo)

BSA Conference: Self-assessment crucial for strong cybersecurity

November 17, 2015

FORT LAUDERDALE, Fla. (11/17/15)--Self-assessment is key to any financial institution’s cybersecurity preparedness because it is how an institution finds and closes its gaps before a data breach exposes them.

Tom Schauer, a principal at CliftonLarsonAllen, spoke at the CUNA/National Association of State Credit Union Supervisors Bank Secrecy Act Conference Monday on how credit unions can self-assess.

Schauer’s company performs information technology and security assessments for financial institutions, and part of that work is using the same tactics a hacker would use in order to gain access to an institution’s network.

According to Schauer, he has been able to access 63% of the internal networks for his banking clients, and once in the network he is able to obtain administrator-level access in 58% of them.

“It takes about 60 to 90 minutes, and is rarely detected,” Schauer said.

His recommendations to financial institutions include:

  • Use the Federal Financial Institutions Examination Council’s Cybersecurity Assessment tool, which can help institutions identify risks and gauge their preparedness. It can also measure progress and preparedness over time;
  • Use an internal report card that takes into account data standards, breach history and research;
  • Don’t rely on regulators, and never expect an examination to give any assurance of cybersecurity preparedness. Reactive compliance is a possible yet weak strategy, and reactive security is “absolutely foolish,” Schauer said;
  • Perform regular credentialed vulnerability scans and use the data as a prioritized action list; and
  • Recruit information technology specialists to serve on boards of directors and supervisory committees because regulations put responsibility for information security oversight on the board of directors.

A diagram of how the Carbanak attack resulted in hackers stealing $1 billion over two years.

As an example, Schauer pointed to the Carbanak attacks, in which attackers in Russia, Ukraine and China took $1 billion over two years from banks in Russia, Europe and the United States.

The hackers sent malware as an email attachment and eventually gained access to computer systems, logging every keystroke and taking a screenshot of computer displays every 20 seconds.

The hackers were able to learn how the banks did business and, by mimicking staff, were able to hack ATMs, transfer money to fraudulent accounts, transfer money using e-payments, and inflate legitimate account balances and pocket the extra funds.

(Editor’s note: For more coverage of CUNA’s BSA Compliance Conference, see the following stories in today’s issue: BSA Conference: FinCEN enforcement designed to educate, not just punish; BSA Conference: Exploring benefits, pitfalls of remote deposit capture; BSA Conference: Finding red flags for trade-based money laundering; and BSA Conference: Well-defined AML program essential for small FIs.)