Elliott Frantz, founder and CEO of Virtue Security, is devoted to application security—the use of software, hardware, and procedural methods to protect applications from external threats. These threats not only cost credit unions millions of dollars if hackers make their way into the systems, because websites crash and members are unable to access their accounts; in the end, credit unions also lose the trust of their members.
In 2014, the National Credit Union Administration Board approved a rule to provide greater security for the credit union system by requiring capital planning and stress testing for credit unions with assets greater than $10 billion.
"NCUA has spent five years building a stronger regulatory framework, based on the hard lessons learned during the financial crisis," NCUA Board Chairman Debbie Matz said in a statement. "This final rule on capital planning and stress testing is designed to protect the system against a future crisis. Federally insured credit unions with assets of at least $10 billion, by virtue of their sheer size, pose the largest potential risk to the Share Insurance Fund. This rule requires that in advance of a worst-case scenario, the largest credit unions will be prepared to increase their capital buffers in order to protect the Share Insurance Fund."
Stress testing is a forward-looking tool designed to evaluate whether a financial institution is holding sufficient capital to survive adverse economic events and make adjustments before a crisis occurs. The Dodd-Frank Wall Street Reform and Consumer Protection Act requires certain financial institutions with more than $10 billion in assets to conduct annual stress tests. The NCUA Board determined it is equally important for federally insured credit unions of comparable size to undergo stress testing.
According to the FFIEC IT Examination Handbook, "High-risk systems should be subject to an independent diagnostic test at least once a year. Additionally, firewall policies and other policies addressing access control between the financial institution's network and other networks should be audited and verified at least quarterly."
Frantz, a sort of Sherlock Holmes of hackers, answers questions about threats to credit unions using the very same techniques a hacker would use.
CUT: What type of work does your company do for financial institutions?
Frantz: We do penetration testing of applications and network infrastructure. We assume the role of an attacker in many different situations, whether it is a remote attacker or an insider threat. While this testing is done in a controlled manner, our goal is always to gain some kind of access or obtain some kind of information that we shouldn't be able to. I myself have been a professional ethical hacker for the last 13 years, and have worked primarily in the financial services space.
CUT: Have you worked with any credit unions?
Frantz: We work for a number of credit unions on the east coast, but also work with an assortment of much larger institutions.
CUT: What type of security threats are on the horizon that could affect credit unions?
Frantz: It's worth noting that credit unions have a slightly different risk profile than most financial organizations. Smaller credit unions often have to rely heavily on vendors to provide online services to customers. While this makes it easy to provide customers with online banking applications, it can be difficult to obtain security assurance when dealing with third parties. At the end of the day, there's a lot of trust that vendors are doing their due diligence to protect customer data.
Some of the biggest threats to credit unions are only themselves. Many operate with very limited budgets for security, and view security testing as an unwanted expense. Security testing is a necessary value add and a crucial process for running a sustainable business.
CUT: What type of security should credit unions be installing?
Frantz: It's difficult to recommend specific products, but having systems that can monitor, detect, and respond are critical capabilities to have. It's also important to be realistic about the tools and systems that are installed; being over-reliant on any one particular solution can be dangerous. I recommend that security is implemented in layers, where there's always multiple mechanisms in place to mitigate risks.
In addition to detection, many progressive financial institutions now focus on "deceptive" security controls. These systems create a large number of fake targets to widen a line of sight into attacks that may be occurring within a network.
CUT: What are some of the worst hacks that you have seen in the last few years involving financial institutions that could have been prevented?
Frantz: The worst hacks have been the ones that are never truly resolved. Sometimes breaches can be traced back for years, all the way until the last of logs are recorded. In those situations there is often no way to accurately assess the damage, and it can only be assumed that there has been a complete and total compromise of data for years on end.
CUT: Do you have any final thoughts?
Frantz: There's no shortage of fear and uncertainty in the security world, and I can't stress enough how important it is to stick to industry standard security practices. It's important to add layers of security and really understand risks as they apply to each organization.