Go Beyond Risk Management to Assess Vulnerabilities to Secure Data

As criminals ramp up their attacks on financial institutions, they’re not just targeting the top U.S. banks, but are also setting their sights on smaller community banks and credit unions. Cyber thieves are getting much more aggressive and creative in their attempts to find vulnerabilities that lurk undetected by standard IT security tools. In addition to making sure members can bank with full confidence, credit unions must meet complex federal, state and industry compliance mandates such as GLBA, FFIEC, SOX and PCI, among others.

As daunting as the continuous task of meeting compliance and industry regulations might be, securing the credit union’s IT infrastructure from data breaches and vulnerabilities is equally, if not more, important.

There are a variety of IT security protections that credit unions should employ to protect against cyberattacks, including anti-virus protection, end-point security, firewalls, encryption, and technologies that provide for highly secure mobile and online banking. But there’s one security safeguard that doesn’t get the respect it deserves: vulnerability management.

To clarify, vulnerability and risk are not the same thing. Risk is the probability of a vulnerability being exploited multiplied by the cost of the damage it would cause. That calculation is what risk evaluation requires, and it helps you focus your remediation efforts as well as define compliance boundaries. Vulnerability management is the cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities, especially in software and firmware. It works by analyzing computer systems for known weaknesses such as open ports, insecure software configurations and susceptibility to malware.

Vulnerability management is also a full-time and time-consuming endeavor, particularly for organizations that don’t always have the staff they need to investigate detected vulnerabilities regularly. One of the most common ways for cyber thieves to gain access to systems is through software flaws and misconfigurations. This is just one reason that vulnerabilities must be detected and remediated quickly, before they can be exploited.

Unfortunately, there are several roadblocks that prevent financial organizations (including credit unions) from systematically monitoring for vulnerabilities:

  • Scanning technology requires too much time and effort to deploy and manage
  • IT personnel do not have the bandwidth to regularly scan and analyze the results
  • It can be a major challenge to prioritize and follow up on vulnerability remediation

How Vulnerability Management Fits into a Compliance Program
Vulnerability management actually helps credit unions meet the Payment Card Industry Data Security Standard (PCI DSS) requirement that the organization establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered vulnerabilities. It also supports compliance with another PCI DSS requirement: that an organization run internal and external network vulnerability scans at least quarterly and after any significant change in the network.

The good news is that there is a time-tested process for continuously managing vulnerabilities, which encompasses the following:

  1. Discovery – The first step to finding vulnerabilities is to inventory all of the assets on the network and then build a network map to see what’s connected to what; after all, you cannot secure what you cannot see. Understanding these connections will help you understand how valuable each asset is. You might think a certain server is no big deal until you find it’s connected to something that, if someone gained access to it, would be a big problem.
  2. Prioritization of Assets – Assign a business value to each asset, for example high, medium or low, based on whether it is external- or internal-facing and what data it holds. This will help you understand what the damage would be if it were breached.
  3. Assessment – Vulnerability assessment is then done via vulnerability scanning, dedicated technology that scans the IP addresses both inside the network and outside the firewall, so you can see what your network looks like to an attacker — is it easy to access or not? Scans should be scheduled on a monthly or bi-monthly basis.
  4. Reporting – Once you do the assessment, you will receive a report with a description of each vulnerability, its Common Vulnerabilities and Exposures (CVE) number (CVE is a database that collects publicly known vulnerabilities from around the world), and a Common Vulnerability Scoring System (CVSS) score between one and 10 based on severity, 10 being the most severe. The report also details the threat, its impact, the solution and a reference link.
  5. Remediation – The next step is to remediate, and to know what to fix first you classify the risk of each vulnerability from high to low. If a patch is available, now is the time to obtain it, test it and apply it. If no patch is available, you will need to find ways to mitigate the risk, for example by disabling the system. Either way, a ticketing system should be used to track and document the remediation. This can be a challenge for smaller teams who are constantly pressed to put out fires and to prove to auditors that systems are compliant.
  6. Verification – The last step is to verify the fix by scanning the asset again after remediation to ensure the fix is applied. Be sure to document all steps.

Ideally, the network should be scanned twice a month, with approximately 20 minutes to three hours a day set aside to review reports. Understand how severe your organization’s vulnerabilities are and which systems are affected. Cross-reference the exploit database, document the security and business case for a patch, convince your system administrator to install patches, and verify the fix.

Two Approaches to Vulnerability Management
Vulnerability assessment technology is widely available, as on-premises software or software-as-a-service, and can be used to scan for vulnerabilities, but without investing in the right people and processes, the data does not provide much value. A typical vulnerability report consists of page after page of detail, but that is just the beginning of the vulnerability management process. A trained analyst needs to research and prioritize the vulnerabilities based on factors including:

  • The business value of the IT asset
  • The criticality of the IT asset within the network security design
  • The availability of exploits targeting the vulnerability
  • The exposure time of the system
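The risk formula defined earlier (probability of exploitation multiplied by cost of damage), the six-step process and the four prioritization factors above can be combined into a small triage routine. The following is an added example, not code from the article or from any scanner product; the weights, the 0-100 likelihood scale, the tier thresholds and the sample report (hosts and CVE ids are placeholders) are all constructed for illustration.

```python
from dataclasses import dataclass

# "Cost of damage" factor: the business value assigned to each asset (high/medium/low).
IMPACT = {"high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    host: str             # asset from the discovery inventory
    cve: str              # CVE id from the scanner report (placeholders below)
    cvss: float           # CVSS severity 0-10 from the scanner report
    asset_value: str      # business value from the prioritization step
    external: bool        # internet-facing system?
    exploit_public: bool  # public exploit found when cross-referencing the exploit database
    days_exposed: int     # how long the finding has been open

def likelihood(f: Finding) -> int:
    """Exploitation likelihood on a 0-100 scale: CVSS severity plus exposure factors (assumed weights)."""
    score = round(f.cvss * 10)                 # 9.8 -> 98
    score += 20 if f.exploit_public else 0     # already weaponised
    score += 10 if f.external else 0           # reachable from the internet
    score += 10 if f.days_exposed > 30 else 0  # long exposure time
    return min(score, 100)

def risk_score(f: Finding) -> int:
    """Risk = likelihood of exploitation x cost of damage (0-300)."""
    return likelihood(f) * IMPACT[f.asset_value]

def remediation_tier(f: Finding) -> str:
    """Classify high/medium/low to decide what gets fixed first (assumed thresholds)."""
    return "high" if risk_score(f) >= 200 else "medium" if risk_score(f) >= 100 else "low"

def verify_remediation(before, after):
    """Verification step: a finding counts as fixed only if the re-scan no longer reports it."""
    still_open = {(f.host, f.cve) for f in after}
    return [f for f in before if (f.host, f.cve) not in still_open]

# Constructed sample scanner report (hosts and CVE ids are placeholders, not real).
REPORT = [
    Finding("web-01", "CVE-XXXX-0001", 9.8, "high", True, True, 45),
    Finding("db-02", "CVE-XXXX-0002", 7.5, "medium", False, False, 10),
    Finding("hr-app", "CVE-XXXX-0003", 5.0, "high", False, True, 60),
    Finding("kiosk-07", "CVE-XXXX-0004", 9.0, "low", True, False, 5),
]
RESCAN = [REPORT[1], REPORT[3]]  # constructed re-scan after patching web-01 and hr-app

if __name__ == "__main__":
    for f in sorted(REPORT, key=risk_score, reverse=True):
        print(f"{f.host:9} {f.cve} CVSS {f.cvss} risk {risk_score(f):3} -> {remediation_tier(f)}")
    print("fixed:", [f.host for f in verify_remediation(REPORT, RESCAN)])
```

Note that the medium-severity finding on the high-value hr-app host with a public exploit outranks the 9.0 on the low-value kiosk, which is exactly the reordering a raw CVSS-sorted report would not give you.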

No matter which approach is right for you, it’s high time to evaluate and implement vulnerability management. Not only does it add a critical layer of defense to your IT security infrastructure by uncovering vulnerabilities that could have serious consequences if they aren’t assessed and remediated, it also provides peace of mind that unaddressed vulnerabilities are not putting your data, assets and customers at risk.

Kim Ann King is vice president of marketing for EiQ Networks, a firm specializing in cybersecurity.

MORE FROM AMERICAN BANKER