Using intelligence-driven security and filling internal gaps is necessary to defend against today's cybercriminals. That is what security experts affirmed at the CU InfoSecurity 2015 conference in Las Vegas, Nev.

“If we intend to have a shot at staying equal [with cybercriminals], we've got to do things differently,” Gene Fredriksen, chief information security officer for the St. Petersburg, Fla.-based PSCU, said. “What we've been doing for the last 20-plus years as security technology isn't working.”

Highly organized, well-funded criminal organizations are actively engaged in cybercrime activities. Many of these organizations are funded by foreign governments, and focused on finding and exploiting weaknesses in the U.S. financial infrastructure.

As a result of their organized efforts and high levels of funding, these organizations are able to create and deploy sophisticated malware at an alarming pace, Fredriksen pointed out.

Cybercriminals want to unleash the kill chain, a systematic process designed to target and engage an adversary to create the desired effects. The kill chain concept has been adopted to describe the attack and exploitation process used by computer criminals.

This is an integrated, end-to-end process, Fredriksen said, and any one deficiency can interrupt the entire process. Rather than focusing all cyber-protection efforts on one point (i.e., the perimeter), PSCU's network and information defenses are designed to interrupt the kill chain at multiple layers in the system.

Intelligence-driven security, Fredriksen explained, yields a much more robust security infrastructure than traditional methods do.

“The whole idea of building tech walls and hoping the bad guys stay out has not worked since the city of Troy,” he said.

Erik Gustafson, president and chief technology officer at the Chicago-based Xamin, said in a CU InfoSecurity presentation, “Where I find a gap in the market is internal hardening, especially from a network standpoint, as well as PCs and servers.”

Gustafson recommended credit unions look at their network strategy and focus on the non-obvious factors that could trigger a breach.

“Most focus on only the obvious, the external pieces,” the Xamin executive said, adding, “Internal hardening almost always goes ignored, except for at audit time.”

Xamin scans reveal between 3,000 and 8,000 instances of vulnerabilities during onboarding. Updates to third-party software, such as Java, Acrobat and Flash, bear responsibility for 75% of the issues.

He said many organizations say they have proper patch management, but some of the tools they use have holes in the patching. Other vulnerabilities come from third-party hardware and a network with holes.

Credit unions also need to perform third-party audits that include a hardware and software configuration review, experts said.

“Once-a-year scans/audits are no longer good enough,” Gustafson advised. “Don't get laser-focused on just buzzwords or hot-topic items. Establish a security team [internally or outsourced].”


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).