LAS VEGAS - Randy Romes says there is a lesson for credit unions in an experience he recently had in taking his son to a Cub Scout camp.
Romes, principal, information security services, for LarsonAllen LLP, shared with NAFCU's Technology & Security Conference here the story of taking his son to Camp Tomahawk in Wisconsin. Despite the fact that all campers had to study a 14-page manual on taking steps to avoid attracting black bears, a bear came wandering into camp one morning after a goat was left in an unsecured area.
"Audits find the things people forget to do," Romes said. "The counselors forgot to put the goat away. This had disastrous security consequences, especially for the goat."
According to Romes, the bear/goat analogy applies to credit unions and their security systems. He said the Boy Scout motto "Be prepared" is a good one to follow.
The list of legal and industry requirements in the security field is not getting any shorter, he continued.
"The regulatory requirements are not getting any easier," he said. "And now there is contractual compliance. More and more contracts include a requirement for PCI compliance."
The Enemy Is Us
A recent intrusion analysis report from TrustWave found several holes in security systems across all types of companies. Romes said that while many people are focused on hackers coming from "outside in," firewalls have advanced to the point that it is much easier for the bad guys to trick people into opening the virtual door.
An alternative entry method is simply guessing someone's password. In the case of remote access passwords, Romes noted that many users fail to change the default vendor-supplied password or have one that is too weak. He offered four examples: 1) the password is the word "password"; 2) the password is blank; 3) the password is the same as the user name; 4) the password is the company name.
"These four will get a hacker in far more than they should," he said. "The most secure systems are the ones a credit union controls. The vulnerable ones are those controlled by vendors."
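As an added example, not from the article or from Romes's talk, here is a small Python audit check that flags the four weak remote-access password patterns listed above, plus a constructed list of vendor default passwords; the account data and the company name are made up.

```python
# Added example: a defender-side audit check that flags the four weak
# remote-access password patterns (the word "password", blank, equal to the
# user name, the company name) plus vendor defaults. Not code from the article.

# Constructed sample of vendor defaults; a real audit would load the actual
# defaults documented for each product in use.
ASSUMED_VENDOR_DEFAULTS = {"admin", "default", "changeme", "12345"}


def _norm(value: str) -> str:
    """Lower-case and drop spaces/punctuation so 'Acme CU' matches 'acmecu'."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def weak_password_findings(password: str, username: str, company: str) -> list:
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    p, u, c = _norm(password), _norm(username), _norm(company)
    if p == "":
        findings.append("blank password")
    if p == "password":
        findings.append("password is the word 'password'")
    if p and p == u:
        findings.append("password equals user name")
    # Exact match, or the company name embedded in a longer password (e.g. 'AcmeCU2012!').
    if c and (p == c or (len(c) >= 4 and c in p)):
        findings.append("password contains the company name")
    if p in ASSUMED_VENDOR_DEFAULTS:
        findings.append("vendor default password")
    return findings


def audit_accounts(accounts, company):
    """accounts: iterable of (username, password). Returns {username: findings} for weak ones."""
    report = {}
    for username, password in accounts:
        found = weak_password_findings(password, username, company)
        if found:
            report[username] = found
    return report


if __name__ == "__main__":
    # Constructed sample accounts for a vendor-managed remote-access appliance.
    sample = [
        ("vpnadmin", "Password"),
        ("support", ""),
        ("jsmith", "jsmith"),
        ("backup", "AcmeCU2012!"),
        ("netops", "Tr0ub4dor&3-strong"),
    ]
    for user, why in audit_accounts(sample, "Acme CU").items():
        print(f"{user}: {', '.join(why)}")
```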
And if hackers compromise a system, they sit quietly aggregating information until they have enough to steal from a large number of accounts at once, Romes told Credit Union Journal. On average, hackers steal stored data for 557 days before being detected.
"The bad thing is 85% of attacks are not considered difficult, and 96% of attacks could be prevented through simple controls," he said. "Everyone on a credit union's staff must be trained as to the importance of security, including how to recognize suspicious messages so they don't give away their passwords to outsiders."
A Rule of 'Thumb'
Popular social engineering efforts by hackers include leaving infected thumb drives at conferences or even at the front desks of companies, and a CD simply labeled "pictures" placed in a bank's night deposit box. In all of these cases, if an unwitting person pops the drive or the CD into his or her workstation, the malicious code "phones home" and starts stealing data or logging keystrokes to swipe a password.
As more and more credit unions are outsourcing various functions, Romes warned they must maintain the security of their data. "Write it into the contract that the vendors must live up to the credit union's security standards, not the other way around," he advised.