Identify security gaps with testing

‘Purple team testing’ brings defenders and attackers together.

September 11, 2019

Peter Misurek, Royal Credit Union, explains how testing can identify security gaps during the CUNA Technology Security Summit Tuesday in Chicago.

Certain testing exercises can enable credit unions to gauge their internal controls, and find and fill their security gaps, according to two security experts.

Peter Misurek, information security engineer at Royal Credit Union in Eau Claire, Wis., and Dave Rebman, cybersecurity engineer at Alliant Credit Union in Chicago, addressed the CUNA Technology Council’s 6th Annual Security Summit Tuesday in Chicago.

They cited three types of testing exercises credit unions can employ to identify security gaps:

1. Blue team testing, where internal security personnel must react to simulated security attacks to provide insights into the credit union’s defensive capabilities.

2. Red team testing, where internal or third-party security professionals conduct targeted attacks on the credit union to test its security technologies and staff readiness.

These attacks can be something as simple as calling the credit union’s call center to obtain sensitive information or attempting to access a branch after hours, Rebman says.

Alliant, for example, conducts fake email campaigns each month to see how staff responds to phishing messages.

“Testing your defenses is very important,” Rebman says.

3. Purple team testing, where defenders and attackers work together to identify vulnerabilities.

“This is more collaborative,” Misurek says, “and it’s more of a learning process. It brings people together instead of against each other.”

Other highlights from the Security Summit included a panel discussion on identity and access management and roundtable discussions about information security issues facing credit unions.

The summit concludes Wednesday, followed by the start of the co-located CUNA Technology Council and CUNA Operations & Member Experience Council Conferences.
