Ransomware-Proof Your Credit Union: A Checklist of NCUA Guidance

In today’s digital landscape, credit unions face numerous cybersecurity threats, including the rising risk of ransomware attacks and vulnerabilities in their information and communications technology supply chain. To help credit unions protect themselves against these risks, the National Credit Union Administration (NCUA) has compiled an FAQ. This checklist covers the essential steps to safeguard against ransomware attacks, additional resources for cybersecurity, understanding supply chain risk management, developing effective practices, mitigating risks associated with using a Managed Service Provider (MSP), and other insights based on their FAQ. By following this checklist, credit unions can enhance their overall security posture and minimize the potential impact of cyber threats.

1. Protect against ransomware attacks:
– Update software and operating systems regularly with the latest patches.
– Avoid clicking on links or opening attachments in unsolicited emails.
– Follow safe browsing practices.
– Replace equipment running older unsupported operating systems.
– Verify the security practices of vendors and third-party service providers.
– Maintain complete and tested backups of critical systems and data.

2. Additional resources for cybersecurity:
– Use the Ransomware Self-Assessment Tool (R-SAT) from the Conference of State Bank Supervisors.
– Read the Center for Internet Security white paper on ransomware.
– Visit the cybersecurity pages of the National Security Agency Central Security Service and the Cybersecurity & Infrastructure Security Agency. (CISA)
– Refer to the Treasury Department’s advisory on potential sanctions risks for facilitating ransomware payments.

3. Understand Technology Supply Chain Risk Management (SCRM):
– Recognize that technology supply chain vulnerabilities can pose risks to the entire institution.
– Consider the risks associated with third-party vendors and the entire technology supply chain.
– Identify vulnerabilities in all phases of the product life cycle.

4. Develop an effective Technology Supply Chain Risk Management Practice:
– Build a team with representatives from various roles and functions.
– Document policies and procedures based on industry standards and best practices.
– Create a list of technology components and understand their criticality and remote access capability.
– Identify suppliers and verify their security practices.
– Assess and evaluate the SCRM program regularly.

5. Risks associated with using a Managed Service Provider (MSP):
– APT actors actively attempt to infiltrate IT service provider networks.
– Conduct proper due diligence and ongoing monitoring of MSPs.
– Understand the risks of centralizing information with an MSP.
– Recognize that compromises in an MSP’s network can have cascading effects.

6. Mitigate the risk of using an MSP:
– Manage supply chain risk by working with the MSP to address security concerns.
– Implement architecture measures to restrict access and protect networks.
– Use dedicated VPNs for MSP connections and restrict VPN traffic.
– Ensure proper authentication, authorization, and accounting practices.
– Implement operational controls, such as continuous monitoring and software updates.

7. Additional references for Information and Communications Technology Supply Chain Risk Management:
– Refer to guidance from the NCUA, NIST, and CISA.
– Evaluate third-party relationships and outsourcing technology services.
– Learn about supply chain threats and cyber supply chain risk management.

Note: This checklist is a summary of the information provided. For more detailed guidance, refer to the full content on the NCUA website.

 

* We used some AI tools to gather the information for this article.

Inventorying Organization Authentication Points

Are you looking for threat-proactive ways to secure your enterprise? One of the best ways to do this is by inventorying all of the points of authentication within your organization. In this blog post, we’ll discuss the steps you need to take to properly inventory and secure your Internet-facing authentication points. While you should have a complete and accurate inventory of these exposures, starting the process with a focus on critical systems is a common approach.

Inventory Process

1. Identify the different types of authentication used by the organization for remote access (e.g. passwords, two-factor authentication). If possible, use vendor data to include cloud-based critical services as well.

2. List all of the systems and applications that require remote access within the organization. External vulnerability scanning data and Shodan are both useful sources for this information.

3. For each system/application, document the type of authentication used and any additional security measures or policies related to remote access (e.g., password complexity requirements). Vendor management risk data can be useful here, if available.

4. Check with user groups to ensure that they use secure authentication methods and follow security policies when accessing systems/applications remotely.

5. Monitor access logs for signs of unauthorized access attempts or suspicious activity related to remote access authentication.

6. Regularly review and update existing remote access authentication processes as necessary to ensure the continued security of organizational resources over the Internet.

Why This Is Important – Credential Stuffing & Phishing

Inventorying all of the points of authentication within an enterprise is essential as protection against credential stuffing and phishing attacks. Credential stuffing is a type of attack where malicious actors use stolen credentials to gain access to different accounts, while phishing attacks are attempts to acquire confidential information through deceptive emails or websites. In both cases, it is important that organizations have proper authentication measures in place to prevent unauthorized access. Inventorying all of the points of authentication within an organization can ensure that the right security protocols are in place and that any suspicious activity related to authentication can be quickly identified and addressed.

In addition, having a detailed inventory of all points of authentication can help organizations identify any weak spots in their security measures. This allows them to take steps to strengthen those areas and further protect themselves from potential credential stuffing or phishing attacks. By regularly reviewing and updating their authentication processes, organizations can ensure that their resources remain secure and protected from any malicious actors.

Lastly, ensure that you feed this inventory and the knowledge gained into your enterprise risk assessment processes, incident response team, and other security control inventories. Make a note of any security gaps identified during the inventory process and ensure complete coverage of the logs and other intrusion detection systems at each potential point of authentication. By following these steps, you can ensure that your enterprise remains secure and protected from any potential threats associated with credential stuffing and credential theft associated with common phishing attacks.

 

3 Threats We Are Modeling for Clients These Days

Just a quick post today to discuss three threat scenarios we are modeling frequently with clients these days. #ThreatModeling

1) Ransomeware or other malware infection sourced from managed service providers – this scenario is become a very common issue, so common that DHS and several other organizations have released advisories. Attacker campaigns against managed services providers have been identified and many have yielded some high value breaches. The most common threat is spear phishing into a MSP, with the attackers eventually gaining access to the capability to push software to the clients. They then push a command and control malware or a ransomware infection down the pipe. Often, it is quite some time before the source of the event is traced back to the MSP. The defenses here are somewhat limited, but the scenario definitely should be practiced at the tabletop level. Often, these MSPs have successfully passed a SOC audit, but have very little security maturity beyond the baselines.

2) Successful credential stuffing attacks against Office 365 implementations leading to wire/ACH/AP fraud – This is another very common scenario, not just for banks and credit unions, but a lot of small and mid-size organizations have fallen victim to it as well via account payable attacks. In the scenario, either a user is phished into giving up credentials, or a leaked set of credentials is leveraged to gain access to the Office 365 mail and chat system. The attackers then leverage this capability to perform their fraud, appearing to come from internal email accounts and chats. They often make use of stored forms and phish their way to other internal users in the approval chain to get the money to actually move. Once they have their cash, they often use these email accounts to spread malware and ransomware to other victims inside the organization or in business partners – continuing the chain over and over again. The defenses here are to MFA, limited access to the O365 environment to require VPN or other IP-specifc filtering, hardening the O365 environment and enabling many of the detection and prevention controls that are off by default. 

3) Voicemail hacking and dial-system fraud – I know, I know, it’s 2020… But, this remains an incredibly impactful attack, especially against key management employees or employees who traffic in highly confidential data. Often this is accessed and then either used for profit via trading (think M&A info) or as ransom/blackmail types of social engineering. Just like above, the attackers often hack one account and then use social engineering to get other users to follow instructions around fraud or change their voicemail password to a given number, etc. Larger corporations where social familiarity of employees and management is low are a common attack target. Dial system fraud for outbound long distance remains pretty common, especially over long weekends and holidays. Basically, the attackers hack an account and use call forwarding to send calls to a foreign number – then sell access to the hacked voicemail line, changing the destination number for each caller. Outbound dial tone is also highly regarded here and quite valuable on the underground markets. Often the fraud goes undetected for 60-90 days until the audit process kicks in, leaving the victim several thousand dollars in debt from the illicit activity. The defenses here are voicemail and phone system auditing, configuration reviews, hardening and lowering lockout thresholds on password attempts. 

We can help with all of these issues and defenses, but we love to help organizations with threat scenario generation, threat modeling and attack surface mapping. If you need some insights into outside the box attacks and fraud potential, give us a call. Our engagements in this space are informative, useful and affordable.

Thanks for reading, and until next time, stay safe out there! 

The First Five Quick Wins

The Top 20 Critical Controls for Effective Cyber Defense have been around for half a decade now, and are constantly gaining more praise and acceptance among information security groups and government organizations across the globe. One of the main reasons for this is that all of these controls have been shown to stop or mitigate known, real-world attacks. Another reason for their success is that they are constantly being updated and adjusted to fit the changing threat picture as it emerges. 

One of these recent updates is the delineation of the “First Five” from the other “Quick Wins” category of sub-controls included in the guidance (Quick Wins security controls are those that provide solid risk reduction without major procedural, architectural or technical changes to an environment, or that provide substantial and immediate risk reduction against very common attacks – in other words, these are the controls that give you the most bang for the buck). The First Five Quick Wins controls are those that have been shown to be the most effective means yet to stop the targeted intrusions that are doing the greatest damage to many organizations. They include:

  1. Application white listing: Application white listing technology only allows systems to run software applications that are included in the white list. This control prevents both external and internal attackers from implementing malicious and unwanted applications on the system. One caveat that should be kept in mind is that the organization must strictly control access to and modifications of the white list itself. New software applications should be approved by a change control committee and access/changes to the white list should be strictly monitored.
  2. Secure standard images: Organizations should employ secure standard images for configuring their systems. These standard images should utilize hardened versions of underlying operating systems and applications. It is important to keep in mind that these standard images need to be updated and validated on a regular basis in order to meet the changing threat picture.
  3. Automated patching tools and processes: Automated patching tools, along with appropriate policies and procedures, allow organizations to close vulnerabilities in their systems in a timely manner. The standard for this control is patching of both application and operating system software within 48 hours of release.
  4. Removal or replacement of outdated software applications: Many computer networks we test have outdated or legacy software applications present on the system. Dated software applications may have both known and previously undiscovered vulnerabilities associated with them, and are consequently very useful to cyber attackers. Organizations should have mechanisms in place to identify then remove or replace such vulnerable applications in a timely manner just as is done with the patching process above.
  5. Control of administrative privileges and accounts: One of the most useful mechanisms employed by cyber attackers is elevation of privileges. Attackers can turn simple compromise of one client machine to full domain compromise by this means, simply because administrative access is not well controlled. To thwart this, administrative access should be given to as few users as possible, and administrative privileged functions should be monitored for anomalous behavior. MSI also recommends that administrators use separate credentials for simple network access and administrative access to the system. In addition, multi-part authentication for administrative access should be considered. Attackers can’t do that much damage if they are limited to isolated client machines!

Certainly, the controls detailed above are not the only security controls that organizations should implement to protect their information assets. However, these are the controls that are currently being implemented first by the most security-aware and skilled organizations out there. Perhaps your organization can also benefit from the lessons they have learned.

Thanks to John Davis for writing this post.

What YOU Can Do About International Threats

Binary eye

With the addition of RedDragon Rising (@RedDragon1949) to the blog, we are now pushing forth a new stream of threat data and insights about the growing problem of international threats. Since we added that content to the site, many of you have written in or asked me on Twitter, what is it that YOU can do about these threats? I wanted to take a few minutes and expand on my responses.

First of all, you can remain aware and vigilant. Much of the information we post here isn’t directly actionable. It isn’t designed to be a roadmap of actions for you to take. It’s designed to be a continual source of data that slowly helps you see a clearer picture of the threat, the actors and their capability. It’s designed to keep you AWAKE. It’s custom made to help you understand your adversary. Knowledge is power and insight is key. We make this content to give you both!

Second, you can communicate the threat and knowledge to your management. This helps them remain aware. It also presents to them that you are monitoring the threats and keeping your eye on the rising tides, even as you help them steer the ship through safe waters. You can use this information to build rapport with them, to give them new insights into your decisions when you explain to them various risks and to help them understand the changing nature of the interconnected world.

You can use the information here as an impetus to get the basics of information security right. While there aren’t any panaceas to fight off the threat and there isn’t a single thing you can buy to make it better ~ we do know that focusing on the basics of infosec and getting them done efficiently, effectively and well is the best defense against a variety of threats. That said, consider doing a quick and dirty review of your security initiatives against our 80/20 Rule for Information Security. This is a set of simple projects that represent the basics of information security and map easily to other standards and baselines. Simply judging your maturity in these areas and following the roadmap to improvement will go a long way to getting the basics done right in your organization. 

Invest in detection and response. If your organization is doing the basics of prevention, that is you have hardening in place and are performing ongoing assessment and mitigation of your attack surfaces, then the next thing to do is invest in detection and response capabilities. Today, one of the largest advantages that attackers enjoy is the lack of visibility and effective response capabilities in our organizations. You should have some visibility into every segment and at every layer of your environment. You should be able to identify compromises in a timely manner and move to isolate, investigate and recover from any breaches LONG BEFORE they have become widespread and heavily leveraged against you. If you can’t do that today, make it your next major infosec goal. Need help?Ask us about it.

Lastly, share information with your peers. The bad guys are good at information sharing. They have excellent metrics. They openly share their experiences, successes, failures and new techniques. Much of crime and espionage (not all, but MUCH) is “open source” in nature. The cells of attackers free float in conglomerations of opportunity.  They barter with experience, tools, data and money. They share. The more we begin to share and emulate their “open source” approaches, the better off we can be at defending. If knowledge is power, more brains with more knowledge and experience equals MORE POWER. Be a part of the solution.

That’s it for now. Just remain calm, get better at the basics, improve your visibility and stay vigilant. As always, thanks  for reading State of Security and for choosing MicroSolved as your information security partner. We are striving to dig deeper, to think differently and to give you truly actionable intelligence and threat data that is personalized, relevant to your organization and meaningful. If you’d like to hear more about our approach and what it can mean for your organization, get in touch via Twitter (@lbhuston), email (info(at)microsolved/dot/com) or phone (614-351-1237 ext 250). 

HoneyPoint Wasp is Almost Ready to Leave the Nest

As many of you may know, the MSI team has been hard at work the last several months finishing the beta of our new compromised workstation detection product, HoneyPoint Wasp. It is a fully integrated component of HoneyPoint Security Server, capable of executing distributed detection and threat monitoring on Windows workstations across enterprises. The initial feedback by the beta group have been absolutely amazing. We are finding bots, malware and compromised hosts in a variety of locations, once thought to be “clean” and “safe”.

Wasp accomplishes this mission by being deployed as a service on workstations and by monitoring for the most common signs of compromise. It can watch for changes in the users, admins, port postures and such. It does white list detection of the running processes and it is even capable of detecting DNS tampering and changes to selected files on the operating system.

Even better, it does this work without the need for workstation event logs, signature updates or tuning. It “learns” about the workstation on which it is deployed and adapts its detection techniques to focus on important changes over the long run.

We designed Wasp to be easy to install, easy to manage and to be transparent to the end – user. As such, it is deployed as a 0-interface piece of software. There are no pop-ups, no GUI and no interaction at all with the user. All alerts are routed to the HoneyPoint console and the security team, eliminating any chance of increased help desk calls, user push back and confusion.

In the next couple of weeks, we will be making some announcements about the general availability of the Wasp product. I hope you will join me in my excitement when we announce this launch. In the meantime, think about what you are doing today to protect against initial stage compromises and congratulate the MSI development team and our beta testers on a job well done. I think you are going to be amazed at how easy, capable and advanced Wasp is, when it is released. I know I continue to be amazed at what it is detecting and how much stuff has evaded current detection techniques.

In the meantime, while we await the full release, check out this PDF for some more information about where we are going with Wasp and our HoneyPoint product line. I think you are going to like the diagrams and the explanations. If you would like to book a special sneak preview of Wasp and the rest of HoneyPoint, give your account executive a call. We will be happy to sit down and discuss it with you. As always, thanks for reading!