What do hackers know about your credit union's security that you don't?
That's the question that keeps CEOs and CIOs up late at night, according to one person who has seen what those hackers know and said credit union execs have reason for sleepless nights.
Mark Eich, principal with LarsonAllen eSource, Minneapolis, and a consultant on online security issues and audits, shared with the Midwest Technology Symposium here several lessons he and his firm have learned when it comes to online security. The symposium was sponsored by the Indiana, Iowa, Michigan, Ohio and Wisconsin leagues.
"I'm convinced that if President Bush tomorrow said we're abolishing the NCUA tomorrow, we're abolishing all other regulations, all the things we're talking about today would still make sense," he said. "Security is a business issue, it's NOT a technical issue. Security must be part of the culture. You can't eliminate the risk, can only imagine it."
Penetration testing, or what Eich called "white hat hacking," is a service offered by his firm. In the three years LarsonAllen has been offering to break into credit union websites, he said, the firm has observed several security trends. A penetration test has three primary benefits:
* Identifies security flaws.
* Verifies all security patches and updates.
* Verifies network monitoring procedures.
Five Lessons
Along the way, he said, it has learned five lessons:
Lesson No. 1: Social Engineering Works
Social engineering means using non-technical means to get technical information, including so-called dumpster diving. Eich said that more than 50% of the time that his firm calls a credit union and identifies itself as being with some vendor and in need of the password or other information, the credit union gives it to them. "Social engineering involves poorly guarded passwords, easily guessed passwords, and poorly controlled physical access."
Case in point: a penetration test at a local bank in Minnesota. The only information given LarsonAllen was the location of the bank's conference room. A LarsonAllen employee put on a suit, walked right past the receptionist and headed straight to the conference room, where he plugged into the dataport and began "sniffing" the network for employee IDs and passwords. That employee then left the conference room, walked into the bank's computer room, and logged onto an NT server as an administrator using an easily guessed password. "Security isn't what we think. It is multi-faceted and involves a lot of different issues," said Eich.
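What the conference-room "sniffing" in the case above actually harvests is worth seeing concretely. The following is an added example, not code from the article or from LarsonAllen: it parses a handful of constructed, cleartext protocol payloads (FTP and POP3 USER/PASS exchanges and an HTTP Basic Authorization header) the way a passive sniffer on an internal segment would, and pulls out the user IDs and passwords. The hosts, ports, accounts and passwords are all made up for illustration, and the final TLS record is included to show that an encrypted session yields nothing to this kind of harvesting.

```python
"""Harvest credentials from constructed cleartext captures, as a passive
network sniffer would.  Added example with constructed data only; no real
traffic, hosts or accounts are involved."""

import base64
import re

# Constructed "captured" TCP payloads: (source host, destination port, bytes).
CAPTURES = [
    ("10.0.5.23", 21, b"USER jdoe\r\nPASS Summer2005\r\n"),            # FTP login
    ("10.0.5.41", 110, b"USER teller7\r\nPASS drawer#3\r\n"),           # POP3 login
    ("10.0.5.17", 80,
     b"GET /intranet/ HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic " + base64.b64encode(b"admin:admin") + b"\r\n\r\n"),
    ("10.0.5.60", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),       # TLS ClientHello: opaque
]


def harvest_ftp_pop(payload):
    """FTP (port 21) and POP3 (port 110) send USER and PASS as plain commands."""
    user = re.search(rb"^USER (\S+)", payload, re.M)
    pw = re.search(rb"^PASS (\S+)", payload, re.M)
    if user and pw:
        return user.group(1).decode(), pw.group(1).decode()
    return None


def harvest_http_basic(payload):
    """HTTP Basic auth is base64-encoded, not encrypted: decode the header."""
    m = re.search(rb"^Authorization: Basic (\S+)", payload, re.M)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None   # malformed header: nothing usable
    user, _, pw = decoded.partition(":")
    return user, pw


def harvest(captures):
    """Run the protocol-specific parsers over every capture; return what was found."""
    found = []
    for src, dport, payload in captures:
        cred = None
        if dport in (21, 110):
            cred = harvest_ftp_pop(payload)
        elif dport == 80:
            cred = harvest_http_basic(payload)
        # Port 443 and anything else is left alone: the sniffer only sees ciphertext.
        if cred:
            found.append({"src": src, "port": dport, "user": cred[0], "password": cred[1]})
    return found


if __name__ == "__main__":
    for entry in harvest(CAPTURES):
        print(entry)
```

Three of the four constructed sessions give up a user ID and password, including a vendor-default admin:admin pair over HTTP; the TLS session gives up nothing. That is the practical lesson behind the case: an open data port in a conference room is only as dangerous as the cleartext protocols still running on the segment behind it.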
Lesson No. 2: Protect Dial-up Connections
"There has been a lot of protection dedicated to high-speed connections," he said, but noted he has seen examples of banks that are easily penetrated using dial-up connections. "Seventy-five percent of all U.S. companies have an unauthorized software security breach," Eich reported. Many software applications, such as PC Anywhere, come with security features, but the features must be activated at installation, he noted, and often aren't. The key issue here is weak authentication, he said, including default passwords, no intruder lockout and no monitoring.
Lesson No. 3: Poorly Designed Infrastructure
"The fact of life in credit unions is that very few can afford to have the kind of people who understand these security issues," said Eich. "In our penetration tests we often find weak firewalls and poorly configured networks."
He reported it took his firm just 20 minutes to hack into one $500-million Midwest credit union.
"Beware of outsourcing," said Eich. "Unnecessary services are often left open. One third of all companies that use a firewall are still compromised."
Eich said one term that drives him "over the edge" is "computer solution," the suggestion that one product can provide all the security needs of a credit union. No one can, he argued.
Lesson No. 4: No Network Monitoring
Eich said that in eight of 10 cases in which his firm has "hit" a client that uses managed security services, the managed security service (MSS) does NOT see or react to the penetration test.
"That leaves us vulnerable to brute force attacks," said Eich, pointing to an FBI opinion that for every hack that is detected, 10 go unreported by firms and 10 more go unnoticed.
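The weak-authentication failings named under Lesson No. 2 (default passwords, no intruder lockout, no monitoring) and the brute-force exposure named here are two views of the same problem, so one added example covers both. The code below is not from the article or from LarsonAllen; it models a remote-access login handler in its weak form beside a hardened form that locks the account after a fixed number of failures and records alerts a monitoring team can act on, then runs the same small guessing attack against each. The account names, passwords, wordlist and lockout threshold are all constructed assumptions.

```python
"""Weak versus hardened login handling under a simple brute-force attack.
Added example; the accounts, passwords, wordlist and lockout threshold are
constructed for illustration."""

from dataclasses import dataclass, field
import hmac

# Constructed account stores.  The weak one still carries the vendor default
# password that was never changed at installation; the hardened one was changed.
WEAK_STORE = {"remote": "admin"}
HARDENED_STORE = {"remote": "il2eoc@n"}

# Constructed attacker wordlist: vendor defaults and common choices, in order.
WORDLIST = ["password", "123456", "admin", "remote", "letmein", "welcome"]

MAX_FAILURES = 5   # assumed lockout threshold


@dataclass
class WeakAuthenticator:
    """No lockout, no logging: every guess gets a plain yes/no, forever."""
    store: dict

    def login(self, user, password):
        expected = self.store.get(user)
        return expected is not None and hmac.compare_digest(expected, password)


@dataclass
class HardenedAuthenticator:
    """Intruder lockout after MAX_FAILURES bad attempts, plus an alert log."""
    store: dict
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def login(self, user, password):
        if user in self.locked:
            # Keep recording: continued attempts on a locked account are a signal.
            self.alerts.append(f"attempt on locked account {user!r}")
            return False
        expected = self.store.get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            self.failures[user] = 0
            return True
        n = self.failures[user] = self.failures.get(user, 0) + 1
        if n >= MAX_FAILURES:
            self.locked.add(user)
            self.alerts.append(f"LOCKOUT {user!r} after {n} failures")
        return False


def brute_force(auth, user, wordlist):
    """Try each candidate in order; return (password found or None, attempts made)."""
    for i, candidate in enumerate(wordlist, 1):
        if auth.login(user, candidate):
            return candidate, i
    return None, len(wordlist)


if __name__ == "__main__":
    print("weak:", brute_force(WeakAuthenticator(WEAK_STORE), "remote", WORDLIST))
    hard = HardenedAuthenticator(HARDENED_STORE)
    print("hardened:", brute_force(hard, "remote", WORDLIST), hard.alerts)
    # Lockout alone does not help if the default password is still in place.
    still_default = HardenedAuthenticator(WEAK_STORE)
    print("lockout but default password:", brute_force(still_default, "remote", WORDLIST))
```

Against the weak handler the default password falls on the third guess and nobody is told. Against the hardened handler the attack is cut off at the fifth failure with two alerts on record. The third run is the caveat: lockout and monitoring do not rescue an account whose default password is still the third entry in every wordlist, so the installation-time step of changing it matters as much as the controls around it.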
Lesson No. 5: Insider Security
"Insider security issues are still more numerous and more costly," said Eich. One case he cited was a $900,000 fraud enabled by poor application access privileges and tellers not logging off unattended workstations. The same threat is presented by members of management who exit for lunch, for instance, without logging off.
The average external attack costs a firm $57,000, he said. The average internal attack costs $2.7 million.
One credit union IT officer in attendance agreed, saying a problem he frequently sees is passwords written on a Post-It note and attached to a monitor or keyboard.
"A password should be difficult to guess, but easy to remember," said Eich, who advocates burying a password in a phrase, such as "I like to eat Oreo cookies at night," with the password being il2eoc@n.
At the highest level, the security strategy must have four prongs, according to Eich: protect, detect (must monitor the network), react (you will be hacked eventually), and remediate.
The three domains are policies, physical access and logical access. The strategy must be applied to each domain through people, rules and tools.
"All these strategies start with a risk assessment, and then we proceed," said Eich.