Confessions of A White Hat Hacker
What do hackers know about your credit union's security that you don't?
That's the question that keeps CEOs and CIOs up late at night, according to one person who has seen what those
Mark Eich, principal with LarsonAllen eSource, Minneapolis, and a consultant on online security issues and audits,
"I'm convinced that if President Bush tomorrow said we're abolishing the NCUA tomorrow, we're abolishing all
Penetration testing, or what Eich called "white hat hacking," is a service offered by his firm. In the three years
* Identifies security flaws.
* Verifies all security patches and updates.
* Verifies network monitoring procedures.
Along the way, he said, it has learned five lessons:
Lesson No. 1: Social Engineering Works
Social engineering means using non-technical means to get technical information, including so-called dumpster
Case in point: a penetration test at a local bank in Minnesota. The only information given LarsonAllen was the
Lesson No. 2: Protect Dial-up Connections
"There has been a lot of protection dedicated to high-speed connections," he said, but noted he has seen examples of
Lesson No. 3: Poorly Designed Infrastructure
"The fact of life in credit unions is that very few can afford to have the kind of people who understand these security
He reported it took his firm just 20 minutes to hack into one $500-million Midwest credit union.
"Beware of outsourcing," said Eich. "Unnecessary services are often left open. One third of all companies that use a
Eich said one term that drives him "over the edge" is "computer solution," the suggestion that one product can
Lesson No. 4: No Network Monitoring
Eich said that on average, in eight of 10 occasions his firm has "hit" a client that uses managed security services, the
"That leaves us vulnerable to brute force attacks," said Eich, pointing to an FBI opinion that for every hack that is
Lesson No. 5: Insider Security
"Insider security issues are still more numerous and more costly," said Eich. One case he cited was a $900,000 fraud
The average external attack costs a firm $57,000, he said. The average internal attack costs $2.7 million.
One credit union IT officer in attendance agreed, saying a problem he frequently sees is passwords written on a Post-
"A password should be difficult to guess, but easy to remember," said Eich, who advocates burying a password in a
At the highest level, the security strategy must have four prongs, according to Eich: protect, detect (must monitor the
The three domains are policies, physical access and logistical access. The strategy must be applied to each domain:
"All these strategies start with a risk assessment, and then we proceed," said Eich.