For the last several months, news has been coming from the various security vendors that attacker focus has shifted away from banks and other financial institutions to credit unions. The attackers probably assume that credit unions are an easier target than the banks. In our experience this is simply not true. Though credit unions do have risks, they do not seem to be larger than those of banks and other financial organizations.
Primarily, credit unions face three key areas of risk from attackers today, in terms of information security. These risks are discussed below:
1) Network, application or database compromises – This is the most common form of attack when we think of information security in relation to computer data. The fear here is that an attacker could exploit a weakness in our computer systems, networks or applications and steal important member/customer data that they could use for fraud or identity theft. Common attacks include penetration of the Internet-exposed network, application security issues like SQL injection, or the introduction of malware/spyware into the user’s systems to gain illicit access. To defend against these attacks credit unions should be performing ongoing security testing and using detection and prevention technologies like firewalls, IDS/IPS, honeypots, etc. They should also have strong security policies, strong authentication, good anti-virus/malware tools and reliable patching mechanisms. These are the primary steps for protecting the electronic systems of a credit union against compromise.
2) Physical security compromises – These are the often forgotten security issues, but a breach of physical security is often among the most devastating of attacks. Items like unshredded member data, identity information, loan applications, checks or the like making their way into dumpsters are a common cause. Attackers using combinations of physical attacks and social engineering to install hardware devices on the network, gain access to sensitive areas or carry out other forms of attack are also common. Credit unions are used to protecting themselves from outright robbery and theft, but the subtle methods of cyber-attackers leveraging the physical realm are often beyond their existing vision of security. The keys here are to have good processes for managing physical assets in the computing environment, to have good employee awareness of security procedures, and to perform assessments to know where your weak points lie so that you can address them. Awareness is the primary tool here, as employees of the credit union must have good procedures and remain ever vigilant against breaches of these procedures and protocols. They must understand what data is confidential, and how it is to be handled, stored and discarded. Often, a risk assessment is an excellent tool for identifying issues around physical security and document handling. Credit unions would be wise to pursue a risk assessment as soon as possible, as it has also recently become a regulatory requirement.
3) Social engineering compromises – Social engineering attacks are probably the most common form of attack credit unions face. Social engineers often use trickery, deceit and trust to gain access to information that, at the time, may seem small or insignificant, but may lead to compromise on a wide scale. Social engineers may be overt, asking tellers for identity information or using phone calls to ask for passwords, or they may be subtle – like leaving CDs and USB keys in the parking lot that infect machines with Trojans when used. No matter what form of social engineering the attacker chooses, the best defense is employee policies and awareness. Credit unions must make sure that each and every employee is aware of their security policies and the processes used to protect the environment from compromise. Employees must understand the risks and the current techniques in use by attackers, and have a means of comfortably reporting suspicious behaviors. Only then will credit unions be well protected against social engineering.
Credit unions may be getting more scans against their firewalls and IDS/IPS systems now than banks, but the majority of credit unions are fairly well secured against Internet attacks thanks to the years of media attention and regulatory requirements. Obviously, some improvements could be made – but that is true for almost all organizations. Credit unions taking information security seriously should examine their current security posture, ensure that, at a minimum, they are performing the above tasks and then work toward identifying a means to improve. Attackers will follow money, and as such they will remain focused on credit unions, banks and other financial institutions for some time to come.
Overall, though, credit union members have no reason to feel that they are at increased risk just because they belong to a credit union. In our opinion, the risks to the average consumer show little difference between using a bank or a credit union. The average consumer risks far more by shopping using their credit cards or not using a shredder for their home trash than by choosing to do business with either financial institution, be it bank or credit union.