Ransomware has been a sad fact of business life for some time now. It has proven to be an effective money maker for cyber-attackers, and so is constantly being developed and improved by the bad guys. We think of the typical ransomware attack as someone compromising your network, encrypting your data and demanding ransom payment for the key to decrypt it again. But credit unions are one of those businesses that are regulated; they must protect private Member information according to FFIEC and NCUA 748 recommendations and requirements. That makes them especially sensitive to another, enhanced type of ransomware attack in which the attackers also threaten to release private information to the public unless paid off. This type of coercion bypasses incident response and business continuity measures. It doesn’t matter if you can restore your systems from backup if you already have a public data breach.
Even if a compromised credit union has kept an average information security program in place and therefore is not heavily trod upon by the regulators, the business will still be damned by the court of public opinion if data breach occurs. This loss of reputation could seriously affect the credit union and could also lead to large expenditures in credit monitoring and spin doctoring efforts. So, for credit unions, the best answer is to protect your network and private information from being compromised in the first place.
First, strong encryption and key management are a must with this type of regulated information. Private member information should be well encrypted not only when being transmitted, but also when at rest on all systems. Over years of security testing, we have noticed many businesses that do a pretty good job of encryption, but then miss something crucial like databases or backups. This is like building a safe with a screen door in it! Another encryption problem we have noticed is poor key management practices. We have seen keys stored on production systems and not properly protected in other ways. An encryption system is only as good as its key management system. If you do the encryption and key management part correctly, the attackers won’t be able to read Member data even if they manage to get their hands on it.
Next is network security mechanisms and monitoring practices. It’s not good enough to simply build a series of walls to keep the bad guys out; you need to post guards to keep an eye on things as well. It’s the same with network security; you not only need to have effective security mechanisms in place, you need to have humans in the loop to add that detection ability that no machine can truly equal. That is why we recommend that credit unions don’t spend all of their infosec dollars on extravagant machines or software, and ensures adequate resources are set aside to properly staff the information security department. A decent, well configured firewall, full logging and log aggregation, an adequate AV package and egress filtering and monitoring can go a long way when properly employed and monitored by competent staff.
Configuration and privileged access control are also key. In most ransomware attacks, cyber-criminals employ phishing techniques or exploit network vulnerabilities to gain a foothold on businesses’ internal networks. But to mount a successful ransomware attack, they must also be able to maneuver around the network and to elevate their network privileges. On most networks, unfortunately, this is not a daunting task. Attackers can crack password hashes on user machines looking for admin passwords that they can then use to access other hosts and repeat the exercise. They can do this because most networks use common admin passwords on multiple machines. They also have generally “flat” networks that are not properly segmented according to the principles of least privilege and need to know. These practices can allow attackers to gain domain admin-level access to the system, and that is game over. In addition, many businesses are lax when it comes to privileged access control. Many sys-admins use the same password for simple network access as well as for admin access to the system. Plus, when a new admin user is added to the system, or privileges have been highly elevated for a normal user, no alerts are made and nobody is monitoring the access control list. All of these practices should be curtailed if you want to get serious about network protection.
The final control I’ll mention in this blog is user education and buy-in to the information security program at your credit union. Employees and partners can be your worst security enemy or your greatest security asset. To be truly effective, personnel not only should receive infosec training and awareness reminders regularly, they should also be actively enlisted by the credit union as troops in the fight against network compromise. Their worth to the company in this effort should be extolled, and good performance should get praise and recognition. Even little perks like a good parking spot or small bonus can really motivate personnel.
Implementing these kinds of effective controls can seriously increase your resistance to all type of network attacks including ransomware. However, I don’t mean to say that these controls can replace the need for decent incident response and business continuity programs; you need those too. This is because, as we all should know by now, no information security program is or can be perfect!