In a less headline-making but nevertheless worrisome report, Verisign released its Q3 2014 DDoS Trends Report that detailed observations about distributed-denial-of-service attack mitigations conducted in cooperation with Verisign DDoS Protection Services customers.

Notable observations included a rise in the average number of attacks per customer, exploitation of recently-publicized Simple Service Discovery Protocol vulnerability and malicious code trends that likely contributed to increased DDoS assault activity.

What does this all mean and what can credit unions do to protect its assets from these attacks?

Shahryar Shaghaghi, a partner for management consulting firm Kurt Salmon in its CIO Advisory Practice in New York, believed the Carpanac gang pointed to an uncomfortable reality.

“You will never stop the hackers from continually trying to get in. Hackers and bad guys look at the entire value chain and try to get to the weakest link. Every single exploit that happened in this breach has been through spear phishing,” said Jim Stickley, a cybersecurity expert and CEO of Stickley on Security, a security education firm in San Diego.

The gang started by sending emails to individuals in the organization. Emails used in spear phishing typically have attachments that look legitimate. It could be a Word document or PDF that appears to be safe to open because they are non-executable. Someone unwittingly opening the attachment compromised the computer by activating the malware.

Carpanac slowly and methodically sent emails from one compromised computer to another infecting more than 200 computers. This malware included surveillance capabilities and keystroke loggers. Then they recorded everything that was going on in the systems, Stickley explained. So, if a rep performed certain functions in a particular way, such as transferring funds, the gang later just mimicked those operations.

“You cannot stop that with technology in most cases,” Stickley said. “It is going to require new technology that is not available or else it is going to require true segmentation.”

While spear phishing seems like an easy intrusion to protect against, just as disturbing is the ease the gang negotiated into areas containing critical information. Stickley cautioned what took place was an incredible breach that should get the attention of all financial institutions and regulatory bodies.

“To organizations that have not been compromised yet this should be a gigantic wake-up call; they need to fully review who has access to what and how their network infrastructure is designed,” Stickley advised.

If tellers, for example, use the same PC for internet and email access and to pull up critical member data from the core system, that is a huge security threat. All it takes is for someone to receive an email with a malicious attachment to compromise that computer.

Anything that reps can access, the criminal now can access. Security officers will need to review which staff members must absolutely receive mail or go to any website.

That will be the start to eliminate that threat to reduce the spear-fishing risk and then you will see a much more segmented network,” Stickley said.

This involves separating non-critical access from vital information such as infrastructure, data, personal information, and access to ATM and can greatly reduce damage from compromised networks.

The truth is that organizations of every size are under siege. Hacking probes attack major financial institutions thousands of times per day but countless small and mid-sized organizations and financial institutions take hits across the U.S., sometimes as a result of a breakdown along the value chains.

“Small, local breaches may not garner the same headlines, but they can be just as damaging for smaller financial institutions like credit unions,” a NAFCU report released in fall 2014 read. “A wide majority of respondents (84.4%) were impacted by a local data breach during the last two years.”

Many perpetrators of DDoS attacks typically target banks, credit unions, and credit card payment gateways. Verisign's DDoS Trends Report also noted the increase in frequency of DDoS attacks exceeding 10 gigabits in size, accounting for more than 20% of all mitigations, with the largest observed attack experienced by an E-commerce customer.

In its basic form, a DDoS attack causes internet-based service outages by overloading network bandwidth or system resources. Perpetrators characteristically aim to disable a machine or network resources to users. To date, DDoS attack motives have appeared more politically provoked than financially motivated, since the cyberassaults have not directly pilfered funds or sensitive personal information.

However, as in the Carpanac spear-phishing attacks, that might not always be the case. Some DDoS attempts might divert attention or disable alerting systems in order to cover fraudulent activity from such account-takeover attacks. DDoS attacks against bitcoin exchanges appeared connected to thefts of the virtual coins. In the 2014 bitcoin attack, hackers inserted bad code to disrupt the virtual currency programs.

Given the current tempo of technological evolution, it's even more important that credit unions become proactive rather than reactive when it comes to cyberprotection, Shaghaghi said. It is incumbent upon every credit union today to step back and take an overview of where it is in terms of cybersecurity.

Shaghaghi suggested some foundational and fundamental procedures. To fully understand the vulnerabilities, map out the business process clearly in terms of the transactions that support products and services. This includes the roles of people internally and externally such as third-parties and embedded processes. Look at holistic and cybersecurity strategy supported by a proper plan in order to stay on top of this.

“[It] comes down to protecting the most valuable assets, protecting the core business,” Shaghaghi said.