Haste of Digitization During COVID Opens Door for Security Vulnerabilities
CUs’ attack surface has expanded as a result of the unplanned pivot to a remote workforce. Here’s how to harden security.
The unplanned pivot to an expanded remote workforce compelled the financial sector (and many other verticals) to rapidly deploy infrastructure, hardware, software and support changes that may not have undergone the rigorous configuration controls that would otherwise have applied under normal circumstances. Most financial institutions, especially credit unions and smaller banks, don’t embark on this level of change all at once, if at all. As a result, their attack surface expanded, leaving IT professionals struggling for visibility into remote devices and home networks that have introduced potentially vulnerable blind spots.
Malicious attackers quickly exploited this transition and continue to capitalize on the uncertainty and precarious “new normal” through phishing and malware campaigns, targeting widely used products and platforms that connect remote workers. The hasty deployments last spring meant that many VPNs and cloud-based collaboration tools were deployed without the latest patches, leaving those vulnerabilities open for exploitation.
Common Security Attacks
The majority of attack campaigns exploit vulnerabilities in commonly used operating systems or applications, even when they rely on techniques like phishing for the initial compromise. For example, many ransomware attacks have vulnerability exploitation built into their overall campaigns.
Mobile banking has increased, driven by the closing of physical branches. Research by JD Power found that the four largest U.S. banks saw a jump from 63% of clients using mobile banking last year to 72% just in April.
Hardening Security Efforts
Below is a list of initial steps that credit unions can take to “catch up” in order to harden security:
- Security awareness training – always and often. CUNA (Section 748, NCUA Rules and Regulations, NCUA Letter 02-CU-1), the GLBA Rule, 16 CFR 314.4, FDIC and PCI DSS r. 12.6 all require security awareness training because we know that insiders are both the first line of defense and the weakest link against social engineering tactics like phishing and whaling. However, ongoing communication to supplement annual compliance-required training helps establish a culture of security that is unlikely to form if employees are only exposed to security awareness for a short time once a year. During Cybersecurity Awareness Month in October, many vendors promoted free tips and tools to help educate employees and customers outside of scheduled annual training. Like all cybersecurity, awareness is not just an annual box to tick, but an ongoing initiative.
- Increase vulnerability scanning frequency. Most vulnerability scanning is not done frequently enough, which limits security and IT teams’ understanding of their security posture and fails to help them prioritize remediation. We recommend going beyond the compliance-required quarterly cadence and scanning at least monthly, and on demand if your vulnerability management (VM) platform has that capability. Effective vulnerability management is about proactively identifying threats and prioritizing the vulnerabilities that have the greatest risk of exploitation.
- Do your due diligence on third-party cloud vendors connecting to your infrastructure, including having full visibility into entrance and exit points; investigate their APIs; ask for their SOC 2 report or, in the case of PCI DSS, their Report on Compliance or Attestation of Compliance; and require third parties who are going to access your infrastructure to take security awareness training, to communicate that third-party employees are held to the same set of expectations as internal employees.
- Rely on network-based (agentless) scanning and supplement it with agent-based scanning to ensure all network-connected assets are scanned and secured. Agentless scanning provides a much lighter footprint, less negative performance impact and drastically reduces false positives. However, security and IT teams have less oversight and control over remote endpoints, which places those endpoints at greater risk as they connect to corporate networks. Installing agents on laptops, mobile devices or even applications hosted in the cloud can fill in those gaps to provide a comprehensive real-time view of at-risk systems and ensure they have the right patches, security controls, software, etc., to protect them from being compromised and spreading infection to corporate networks.
- Use the advanced features in your VM platform, including any threat intelligence and machine learning functionality available to you, so you can focus first on weaponized vulnerabilities that exist inside your networks.
- Consider a “zero trust” approach and provide only application-level access to cloud and premises-based solutions and applications, and lock them down to only the access the user needs.
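The scanning recommendations above (monthly cadence, agentless plus agent-based coverage, and weaponized-first prioritization) can be checked mechanically against a scan export. The following is an added example, not code from the article or from Digital Defense; the asset names, the `Finding` fields and the `CVE-PLACEHOLDER-*` identifiers are constructed sample data, not any vendor's schema or real vulnerability ids.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Finding:
    asset: str
    cve: str           # constructed placeholder, not a real CVE id
    cvss: float
    weaponized: bool   # threat intel reports an exploit in active use
    found_on: date

# Constructed inventory for a hypothetical credit union (assumption).
INVENTORY = {"core-banking-01", "vpn-gw-01", "laptop-teller-07", "laptop-loan-12"}
NETWORK_SCANNED = {"core-banking-01", "vpn-gw-01"}         # seen by agentless scan
AGENT_REPORTING = {"core-banking-01", "laptop-teller-07"}  # endpoints with an agent
LAST_SCAN = date(2020, 9, 1)

FINDINGS = [
    Finding("vpn-gw-01", "CVE-PLACEHOLDER-1", 9.8, True, date(2020, 9, 1)),
    Finding("core-banking-01", "CVE-PLACEHOLDER-2", 7.5, False, date(2020, 9, 1)),
    Finding("laptop-teller-07", "CVE-PLACEHOLDER-3", 8.1, True, date(2020, 8, 15)),
    Finding("core-banking-01", "CVE-PLACEHOLDER-4", 5.3, False, date(2020, 9, 1)),
]

def coverage_gaps(inventory, network_scanned, agent_reporting):
    """Assets seen by neither the agentless scan nor an installed agent:
    these are the remote-endpoint blind spots the article warns about."""
    return sorted(inventory - (network_scanned | agent_reporting))

def scan_overdue(last_scan, today, max_days=30):
    """True when the most recent scan is older than a monthly cadence."""
    return today - last_scan > timedelta(days=max_days)

def prioritize(findings):
    """Weaponized vulnerabilities first, then highest CVSS, then oldest."""
    return sorted(findings, key=lambda f: (not f.weaponized, -f.cvss, f.found_on))

if __name__ == "__main__":
    print("unscanned assets:", coverage_gaps(INVENTORY, NETWORK_SCANNED, AGENT_REPORTING))
    print("scan overdue:", scan_overdue(LAST_SCAN, date.today()))
    for f in prioritize(FINDINGS):
        print(f"{'WEAPONIZED' if f.weaponized else 'unexploited':11} {f.cvss:4} {f.asset} {f.cve}")
```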
Most regional banks, credit unions, accounting firms and asset managers tend to be smaller and may not have the expansive IT or security staff to implement all of these recommendations the way their large counterparts can. However, security doesn’t have to be hard. Since vulnerability management is foundational for effective cybersecurity, smaller financial institutions like credit unions should look for vendors that understand their challenges and have built their platform to be easy to install, own and use, or leverage the experience of a managed service provider or managed security service provider to bolster their ecosystem and take on more in-depth security monitoring and management.
Mieng Lim is Vice President of Product Management and security expert for Digital Defense, Inc., a provider of vulnerability management and threat assessment solutions based in San Antonio, Texas.