Ransomware-Proof Your Credit Union: A Checklist of NCUA Guidance

In today’s digital landscape, credit unions face numerous cybersecurity threats, including the rising risk of ransomware attacks and vulnerabilities in their information and communications technology supply chain. To help credit unions protect themselves against these risks, the National Credit Union Administration (NCUA) has compiled an FAQ. This checklist covers the essential steps to safeguard against ransomware attacks, additional resources for cybersecurity, understanding supply chain risk management, developing effective practices, mitigating risks associated with using a Managed Service Provider (MSP), and other insights based on their FAQ. By following this checklist, credit unions can enhance their overall security posture and minimize the potential impact of cyber threats.

1. Protect against ransomware attacks:
– Update software and operating systems regularly with the latest patches.
– Avoid clicking on links or opening attachments in unsolicited emails.
– Follow safe browsing practices.
– Replace equipment running older unsupported operating systems.
– Verify the security practices of vendors and third-party service providers.
– Maintain complete and tested backups of critical systems and data.

2. Additional resources for cybersecurity:
– Use the Ransomware Self-Assessment Tool (R-SAT) from the Conference of State Bank Supervisors.
– Read the Center for Internet Security white paper on ransomware.
– Visit the cybersecurity pages of the National Security Agency Central Security Service and the Cybersecurity & Infrastructure Security Agency. (CISA)
– Refer to the Treasury Department’s advisory on potential sanctions risks for facilitating ransomware payments.

3. Understand Technology Supply Chain Risk Management (SCRM):
– Recognize that technology supply chain vulnerabilities can pose risks to the entire institution.
– Consider the risks associated with third-party vendors and the entire technology supply chain.
– Identify vulnerabilities in all phases of the product life cycle.

4. Develop an effective Technology Supply Chain Risk Management Practice:
– Build a team with representatives from various roles and functions.
– Document policies and procedures based on industry standards and best practices.
– Create a list of technology components and understand their criticality and remote access capability.
– Identify suppliers and verify their security practices.
– Assess and evaluate the SCRM program regularly.

5. Risks associated with using a Managed Service Provider (MSP):
– APT actors actively attempt to infiltrate IT service provider networks.
– Conduct proper due diligence and ongoing monitoring of MSPs.
– Understand the risks of centralizing information with an MSP.
– Recognize that compromises in an MSP’s network can have cascading effects.

6. Mitigate the risk of using an MSP:
– Manage supply chain risk by working with the MSP to address security concerns.
– Implement architecture measures to restrict access and protect networks.
– Use dedicated VPNs for MSP connections and restrict VPN traffic.
– Ensure proper authentication, authorization, and accounting practices.
– Implement operational controls, such as continuous monitoring and software updates.

7. Additional references for Information and Communications Technology Supply Chain Risk Management:
– Refer to guidance from the NCUA, NIST, and CISA.
– Evaluate third-party relationships and outsourcing technology services.
– Learn about supply chain threats and cyber supply chain risk management.

Note: This checklist is a summary of the information provided. For more detailed guidance, refer to the full content on the NCUA website.

 

* We used some AI tools to gather the information for this article.

Some Thoughts on Security Policy Violation and Terminations

There was recently a discussion on one of my forums that I visited about whether or not employees should be terminated if they violate information security policies. 

The discussion was heated by some parties, and the threads grew long and multi-layered. 

I asked Frase.io to summarize that discussion and pull together a relevant set of ideas stemming from it. Here is what the AI tool created:

Following information security policies is crucial for the protection of sensitive data and the overall cybersecurity of a company. Therefore, it is important to discuss whether employees should face consequences for not adhering to these policies.
When employees fail to follow information security policies, it can put the entire organization at risk. The consequences of a data breach can be severe, including financial loss, damage to reputation, and legal implications. Therefore, some argue that firing employees who do not comply with these policies is necessary to maintain a secure work environment.
On the other hand, it is essential to consider the context and severity of the violation before deciding on termination. Employees may unintentionally make mistakes or be unaware of the policies, in which case education and training may be more appropriate than immediate termination.
Implementing a fair and consistent approach to enforcing information security policies is crucial. This includes clear communication of expectations, regular training programs, and providing employees with the necessary tools and resources to comply with policies.
Ultimately, the decision to fire an employee for not following information security policies should be based on a thorough assessment of the situation. It is important to balance the need for security with fairness and understanding, considering the employee’s intentions, previous behavior, and potential for improvement.

After all of the rhetoric and the flames, this seems to be a rational approach to me. I think that stripped of the emotions of the participating infosec practitioners; there is logic here that is useful. 

What do you think about termination for security policy violations? What have you seen that works, and what doesn’t in your experience? Drop me a line on Twitter (@lbhuston) or Mastodon (@lbhuston@mastodon.social) and let me know your opinion.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

ChatGPT and other AI Tools Corporate Security Policy Template

As artificial intelligence continues to advance, organizations are increasingly integrating AI tools, such as ChatGPT for content and code generation, into their daily operations. With these technologies’ tremendous potential come significant risks, particularly regarding information security and data privacy. In the midst of this technological revolution, we are introducing a high-level Information Security and Privacy Policy for AI Tools. This comprehensive template is designed to provide a clear, practical framework for the secure and responsible use of these powerful tools within your organization.

About the policy template

The purpose of this policy template is to protect your organization’s most critical assets—proprietary corporate intellectual property, trade secrets, and regulatory data—from possible threats. It emphasizes the principles of data privacy, confidentiality, and security, ensuring that data used and produced by AI tools are appropriately safeguarded. Furthermore, it sets forth policy statements to guide employees and stakeholders in their interactions with AI tools, ensuring they understand and adhere to the best practices in data protection and regulatory compliance.

Why is this important?

The importance of such a policy cannot be overstated. Without proper guidelines, the use of AI tools could inadvertently lead to data breaches or the unauthorized dissemination of sensitive information. An effective Information Security and Privacy Policy provides a foundation for the safe use of AI tools, protecting the organization from potential liabilities, reputational damage, and regulatory sanctions. In an era where data is more valuable than oil, ensuring its security and privacy is paramount—and our policy template provides the roadmap for achieving just that.

More information

If you have questions or feedback, or if you wish to discuss AI tools, information security, and other items of concern, just give us a call at 614.351.1237.  You can also use the chat interface at the bottom of the page to send us an email or schedule a discussion. We look forward to speaking with you.

Template download link

You can get the template from here as a PDF with copy and paste enabled.

*This article was written with the help of AI tools and Grammarly.

How Do I Know If My Company Needs a Risk Management Policy?

Risk management policies protect companies against financial losses due to various risks. These risks include legal issues, employee misconduct, environmental hazards, etc.

A company may implement a risk management policy to minimize these risks. However, several questions should be asked before implementing such a policy.

What Are the Risks That Could Lead to Financial Losses?

Many types of risks can lead to financial losses. Some examples include:

• Legal issues

• Employee misconduct

• Environmental hazards

• Product liability

• Cybersecurity threats

• Data breaches

• Other

It is important to understand what type of risk your company faces. For example, if your company sells products online, you will face cyber security risks.

Are There Any Existing Policies?

Before deciding whether or not to adopt a risk management policy, it is important to determine whether any existing policies cover the risks your company faces.

For example, if your company has an insurance policy, then you may not need to implement a separate risk management policy.

However, if your company does not have an insurance policy, then it is necessary to consider implementing a risk management policy.

Is Implementing a New Policy Worth It?

Once you know what type of risks your company faces, it is time to decide whether or not to implement a risk management plan.

Some companies feel that they do not need a risk management plan because their current policies already address their risks. However, this decision should be made carefully.

If your company does not have a formal risk management policy, then it is possible that some of the risks your company faces could go unaddressed. This means that the risks could become more significant problems down the line.

In addition, if your company decides to implement a risk management program, it is crucial to ensure that the program covers all the risks your company faces, including those currently unaddressed.

Do Your Employees Understand What Is Being Done?

When implementing a risk management plan, it is vital to ensure employees understand what is being done.

This includes explaining why the risk management plan was implemented, how the plan works, and what steps must be taken to comply.

The goal here is to ensure that employees understand your company’s risks and how the risk management plan helps mitigate them.

Will the Plan Be Cost-Effective?

Finally, it is essential to evaluate whether or not the risk management plan will be cost-effective.

Cost-effectiveness refers to the amount of money saved compared to the costs incurred.

For example, suppose your company spends $1 million per year to insure its assets. In addition, suppose that the risk management plan saves $500,000 per year. Then, the risk management plan would be considered cost-effective if it saves $500,000 annually.

In this case, the risk management plan is cost-effective because it saves $500,00 annually.

However, if the risk management plan only saves $100,000 per year, then the plan is not cost-effective.

In Conclusion

As discussed above, there are many reasons to implement a risk management strategy.

These strategies can help your company avoid potential financial losses caused by certain risks.

In addition, implementing a risk management plan can make your company more efficient and productive.

 

Should MAD Make its Way Into the National Cyber-Security Strategy?

Arguably, Mutually Assured Destruction (MAD) has kept us safe from nuclear holocaust for more than half a century. Although we have been on the brink of nuclear war more than once and the Doomsday clock currently has us at three minutes ‘til midnight, nobody ever seems ready to actually push the button – and there have been some shaky fingers indeed on those buttons! 

Today, the Sword of Damocles hanging over our heads isn’t just the threat of nuclear annihilation; now we have to include the very real threat of cyber Armageddon. Imagine hundreds of coordinated cyber-attackers using dozens of zero-day exploits and other attack mechanisms all at once. The consequences could be staggering! GPS systems failing, power outages popping up, banking software failing, ICS systems going haywire, distributed denial of service attacks on hundreds of web sites, contradictory commands everywhere, bogus information popping up and web-based communications failures could be just a handful of the likely consequences. The populous would be hysterical! 

So, keeping these factors in mind, shouldn’t we be working diligently on developing a cyber-MAD capability to protect ourselves from this very real threat vector? It has a proven track record and we already have decades of experience in running, controlling and protecting such a system. That would ease the public’s very justifiable fear of creating a Frankenstein that may be misused to destroy ourselves.

Plus think of the security implications of developing cyber-MAD. So far in America there are no national cyber-security laws, and the current security mechanisms used in the country are varied and less than effective at best. Creating cyber-war capabilities would teach us lessons we can learn no other way. To the extent we become the masters of subverting and destroying cyber-systems, we would reciprocally become the masters of protecting them. When it comes right down to it, I guess I truly believe in the old adage “the best defense is a good offense”.

Thanks to John Davis for this post.

State Of Security Podcast Episode 4

We are proud to announce the release of State Of Security, the podcast, Episode 4. This time around I am hosting John Davis, who riffs on policy development for modern users, crowdsourcing policy and process management, rational risk assessment and a bit of history.

Give it a listen and let us know what you think!

Thanks for supporting the podcast!

The Need for an Incident Recovery Policy (IRP)

Organizations have been preparing for information security issues for a number of years now and many, if not most, have embraced the need for an incident response policy and process. However, given the recent spate of breaches and compromises that we have analyzed and been involved in over the last year, we have seen an emerging need for organizations to now embrace a new kind of policy – a security incident RECOVERY policy.
 
This policy should extend from the incident response policy and create a decision framework, methodology and taxonomy for managing the aftermath of a security incident. Once the proverbial “fire has been put out”, how do we clean up the mess, recreate the records we lost, return to business as usual and analyze the impacts all of this had on our operations and long term bottom line? As a part of this process, we need to identify what was stolen, who the likely benefactors are, what conversion events have taken place or may occur in the future, how the losses impact our R&D, operational state, market position, etc. We also need to establish a good working model for communicating the fallout, identified issues, mitigations, insurance claims, discoveries and lessons learned to stakeholders, management, customers, business partners and shareholders – in addition to the insurance companies, regulators and law enforcement.
 
As you can imagine, this can be a very resource intensive process and since post-incident pressues are likely to remain high, stress levels can be approaching critical mass and politics can be rampant, having a decision framework and pre-developed methodology to work from can be a life saver. We suggest following the same policy development process, update timeframes and review/practice schedules as you do for your incident response policy.
 
If your organization would like assistance developing such a policy, or would like to work through a training exercise/practice session with an experienced team, please feel free to work with your account executive to schedule such an engagement. We also have policy templates, work sheets and other materials available to help with best practice-based approaches and policy creation/reviews.

Tips for Writing Security Policy

Almost all organizations dread writing security policies. When I ask people why this process is so intimidating, the answer I get most often is that the task just seems overwhelming and they dont know where to start. But this chore does not have to be as onerous or difficult as most people think. The key is pre-planning and taking one step at a time.

First you should outline all the policies you are going to need for your particular organization. Now this step itself is what I think intimidates people most. How are they supposed to ensure that they have all the policies they should have without going overboard and burdening the organization with too many and too restrictive policies? There are a few steps you can take to answer these questions:

  • Examine existing information security policies used by other, similar organizations and open source information security policy templates such as those available at SANS. You can find these easily online. However, you should resist simply copying such policies and adopting them as your own. Just use them for ideas. Every organization is unique and security policies should always reflect the culture of the organization and be pertinent, usable and enforceable across the board.
  • In reality, you should have information security policies for all of the business processes, facilities and equipment used by the organization. A good way to find out what these are is to look at the organizations business impact analysis (BIA). This most valuable of risk management studies will include all essential business processes and equipment needed to maintain business continuity. If the organization does not have a current BIA, you may have to interview personnel from all of the different business departments to get this information.
  • If the organization is subject to information security or privacy regulation, such as financial institutions or health care concerns, you can easily download all of the information security policies mandated by these regulations and ensure that you include them in the organizations security policy.
  • You should also familiarize yourself with the available information security guidance such as ISO 27002, NIST 800-35, the Critical Security Controls for Effective Cyber Defense, etc. This guidance will give you a pool of available security controls that you can apply to fit your particular security needs and organizational culture.
 

Once you have the outline of your security needs in front of you it is time to start writing. You should begin with broad brush stroke, high level policies first and then add detail as you go along. Remember information security policyreally includes policies, standards, guidelines and procedures. Ive found it a very good idea to write policyin just that order.

Remember to constantly refer back to your outline and to consult with the business departments and users as you go along. It will take some adjustments and rewrites to make your policy complete and useable. Once you reach that stage, however, it is just a matter of keeping your policy current. Review and amend your security policy regularly to ensure it remains useable and enforceable. That way you wont have to go through the whole process again! 

This post by John Davis.

Tips for Writing Good Security Policies

Almost all organizations dread writing security policies. When I ask people why this process is so intimidating, the answer I get most often is that the task just seems overwhelming and they don’t know where to start. But this chore does not have to be as onerous or difficult as most people think. The key is pre-planning and taking one step at a time.

First you should outline all the policies you are going to need for your particular organization. Now this step itself is what I think intimidates people most. How are they supposed to ensure that they have all the policies they should have without going overboard and burdening the organization with too many and too restrictive policies? There are a few steps you can take to answer these questions:

  • Examine existing information security policies used by other, similar organizations and open source information security policy templates such as those available at SANS. You can find these easily online. However, you should resist simply copying such policies and adopting them as your own. Just use them for ideas. Every organization is unique and security policies should always reflect the culture of the organization and be pertinent, usable and enforceable across the board.
  • In reality, you should have information security policies for all of the business processes, facilities and equipment used by the organization. A good way to find out what these are is to look at the organizations business impact analysis (BIA). This most valuable of risk management studies will include all essential business processes and equipment needed to maintain business continuity. If the organization does not have a current BIA, you may have to interview personnel from all of the different business departments to get this information. 
  • If the organization is subject to information security or privacy regulation, such as financial institutions or health care concerns, you can easily download all of the information security policies mandated by these regulations and ensure that you include them in the organization’s security policy. 
  • You should also familiarize yourself with the available information security guidance such as ISO 27002, NIST 800-35, the Critical Security Controls for Effective Cyber Defense, etc. This guidance will give you a pool of available security controls that you can apply to fit your particular security needs and organizational culture.

Once you have the outline of your security needs in front of you it is time to start writing. You should begin with broad brush stroke, high level policies first and then add detail as you go along. Remember information security “policy” really includes policies, standards, guidelines and procedures. I’ve found it a very good idea to write “policy” in just that order.

Remember to constantly refer back to your outline and to consult with the business departments and users as you go along. It will take some adjustments and rewrites to make your policy complete and useable. Once you reach that stage, however, it is just a matter of keeping your policy current. Review and amend your security policy regularly to ensure it remains useable and enforceable. That way you won’t have to go through the whole process again!

Thanks to John Davis for this post.

Touchdown Task for August – Change Management Audit

This month, we urge all infosec teams to engage in a quick 30 minute audit of your change management processes.

Here are some quick win questions to ask of the change management team:

  • How often does the change management team meet & what is the time frame for turning around a change order?
  • What percentage of actual changes to the environment went through the change process in the last 12 months?
  • Where can we locate the documents that specifically describe the change management process and when were they last revised?
  • Please describe how exceptions to the change management process are handled.
  • How are changes to the environment audited against what was provided to the change management team?
  • What happens if a change is identified that did NOT go through the change management process?

There are plenty of online guidance sources for additional questions and audit processes, but these quick wins will get you started. As always, thanks for reading and keep working on your monthly touchdown tasks. Be sure to touch base with us on Twitter (@microsolved) should you have any questions about the work plans.