Exploitable weaknesses within credit union system architecture and devices, many of which are vendor created, were an important focal point at the CU InfoSecurity 2015 conference in Las Vegas, Nev.
"The way most IT security evolved was from the 70s and 80s when there was no threat from the outside world," Kirk Drake, president/CEO of the Washington, D.C.-based business continuity CUSO Ongoing Operations, LLC, and one of the conference's sponsors, said. "Security was all built out of a world where nothing was protected and we're constantly trying to add on security after the fact."
Drake pointed out credit unions need an overall security assessment.
"Credit unions end up with security disparate architectures," Drake said. "We're focused on helping credit unions pick and integrate security solutions well thought out in advance."
So where do credit unions need to be right now?
"One of the areas credit unions need to move away from is this silly username/password world, which is not a particularly good authentication mechanism, doesn't actually prove that you are who you say you are, and is hard to remember," Drake said. "It puts the onus of security on the weakest link in that equation without any real thought behind it."
The first step is moving away from username/password login and into biometrics or a multifactor authentication method.
Organizations need to take a step back and re-architect with modern security controls. Drake emphasized that the biggest impediment he sees to moving away from usernames and passwords is not the users, but the online banking and core system providers that still rely on username/password authentication.
"They have never re-architected or redelivered their solution to play in the modern world," he said. "We keep pushing our vendors in the industry and picking the tools on the front-end to move us in that direction."
Drake said his involvement with the conference stems from helping credit unions get better technical and IT security education.
"We're big proponents of strong corporate cultures and building organizations to be resilient and adaptive," he said.
David Trepp, president at the Eugene, Ore.-based information security assessment firm Info@Risk, focused on configuration management (CM) issues in his presentation.
"We are not configuration management experts, we are experts in exploiting weaknesses in configuration management," Trepp explained. "We bring the hacker's eye view of configuration management rather than the system administrator's view of configuration management."
Trepp revealed, "Configuration management, depending on the size of the credit union, may be the single biggest area of vulnerability."
This is especially true for smaller credit unions.
"If a credit union has more than six branches, is $200 to $250 million in assets, then we find that social engineering tends to take over the number one spot as the biggest risk to the institution's information assets," he said.
Trepp added that configuration management directly conflicts with vendor default configurations.
"Third party vendors build and deploy systems to optimize profits," he said. "That often works in direct opposition to secure configurations. Default configurations are rarely secure configurations."
He maintained that default configurations are easier to design, develop, deploy, remotely manage later, patch and update for vendors.
"All of those things are easier and more profitable for a vendor if they are done in a simple, straightforward default setting," he said.
Unfortunately, attackers gather this information about default configurations and exploit the weaknesses in them. Trepp described a dozen exploits of weak configuration management controls involving devices such as printers, storage arrays, and core and surveillance systems. He also suggested credit unions adopt NIST's Framework for Improving Critical Infrastructure Cybersecurity, released in February 2014. This framework provides a blueprint that firms of all sizes can use to evaluate, maintain and improve the resiliency of their computer systems.