Ransomware attacks raise the stakes for CU security.
The hostile-attack headache keeps getting worse.
The successful ransomware attack on Kaseya, which reportedly has credit union clients, over the July 4 holiday raises new concerns, says Heath Stanley, director of virtual advisory services at Vala Secure, Plano, Texas.
“It was an attack on a vendor linked to payment systems,” he says, “and that’s a scarier vulnerability” than an attack on a credit union, which is just an attack on an end point. “The tech community is still trying to figure out how to deal with supply-chain breaches” that occur when business suppliers are hit.
The bad guys are getting more sophisticated, picking more lucrative targets and investing in deeper reconnaissance, reports security consultant Jim Benlein, owner of KGS Consulting, Silverdale, Washington. The Kaseya attack is evidence of that strategy, he notes.
Kaseya sells computer management software to big players and provides computer management services by selling the software to managed service providers that may have CU customers. If Kaseya and the MSP failed to stop the attack from spreading, it could have encrypted data in some CU computers, Benlein speculates, but he has not heard that to be the case.
Cybercriminals also have escalated their objective, notes Paul Love, chief of information security and privacy officer for CUES Supplier member CO-OP Financial Services, Rancho Cucamonga, California. Instead of trying to break in and encrypt data, they’re trying to break in and exfiltrate or steal the data and threaten to use it in ways the victim would hate so much that they will pay an even higher ransom than they would pay for decryption, he explains.
“They threaten to expose things like sensitive customer information or executive emails and addresses, sometimes even going to the victim’s customers with the threat of exposure to pressure companies into paying the ransom. We’re seeing reports that 70% to 90% of ransomware attacks no longer just encrypt data.”
Backup files are still useful, still necessary, he says, but they don’t provide sufficient protection when they are the only countermeasure.
Hackers who hit and hide are more dangerous than those that hit, encrypt and leave, Stanley suggests. They could map out a CU’s networks and know them better than the CU does, he points out. They could encrypt massive amounts of data or, even worse, download the data and then demand much bigger ransoms. They could plant their virus in the backup and not encrypt it so the CU assumes it is safe. If they get to a CU’s financial records, they can see exactly how much ransom it could afford to pay, he warns.
Supply Chain Weak Links
New players are bringing payment innovations to the edges of the system, and that raises concerns about whether supply chain vendors will be able to sufficiently protect themselves from attacks, Benlein observes. Vendor security has always been a priority—like requiring vendors to complete SSAE 18 audits and verifying that they have done so, he explains.
“Work only with trusted vendors,” Benlein advises. But when your vendors use vendors and those vendors use still other vendors, it gets complicated, he concedes. “You try to figure out how far up the chain you need to go within reason.”
Staying under a core processor’s umbrella can provide protection, notes payments consultant Richard Crone, founder/CEO of Crone Consulting LLC, San Francisco, California. “The apps that have been approved and certified by the core processor and incorporated in its package are hardened,” he explains, “but apps that a CU builds on its own or buys from an unaffiliated vendor are more vulnerable. The weak spot is usually a stand-alone computing device that is not connected to the core.”
Targeted attacks may be growing, but random attacks are still constant. Crone reports spending time with a greater-than-$1-billion CU that was detecting hundreds of attacks per hour with its monitoring tool. “That’s pretty common today,” he notes. “Financial institutions are prime targets. CUs, regardless of size, can assume they are being attacked continuously by the bad guys’ bots.”
Those bots work randomly and frequently, probing for a weakness, Stanley says. That makes the least protected financial institutions the most likely victims.
“It’s like a car thief walking through a parking lot pulling on door handles until he happens on one that opens,” he explains. So keep as small a footprint as possible, he recommends. Don’t use more sites than you absolutely need. Avoid access points on the Internet whenever you can.
The damage of a ransomware attack depends on how deeply a virus penetrates, according to Crone. If it’s a general ledger or transaction-processing system that gets hit, the damage could be extensive. If it’s a stand-alone specialized one-use program that’s backed up, there may be no need to consider paying a ransom.
Backups need an “air gap” to keep viruses from reaching them, he adds. “They need to be stored in a system that is not connected to the internet.”
Importance of Segmentation
Network segmentation is critical for containing damage, Benlein notes. If a virus gets into a CU, due to a slip by an employee or a vendor, it may get into a single computer instead of 20 because it hits a segmentation wall, he explains. Or if it spreads from PCs to a server that is segmented, the CU may be able to close and scrub the server and repopulate it from a current backup file, reconnect it to scrubbed PCs and be back in business in minutes. If the virus can get around a network segmentation wall, the trouble could spread exponentially or be somewhat contained by other segmentation walls, he notes.
Building an information infrastructure that is both segmented and integrated, Stanley points out, has become the Holy Grail.
The one constant in the attacks is that criminals will go where they think they can get the most money for the least effort, Love points out. “So, defense is shifting back from recovery to prevention, keeping attackers from ever getting in. You still have to be prepared to recover,” he says, “but you have to be even more vigilant to close off the smallest cracks and anticipate where the attacks could come from.” The attackers keep changing their tactics, so organizations need to keep changing their defenses, he observes.
Keeping protection up-to-date with the constantly changing threats can seem daunting, but Love says that starting with basic security hygiene creates a good basis on which to build more advanced protections. He recommends using established third-party frameworks to identify basic controls if credit unions need a place to start. Frameworks like FFIEC requirements, PCI-DSS, ISO 27001 and others, he says, are good baselines to help credit union security teams set a foundation.
Benlein points out that the National Institute of Standards and Technology recently released a document that describes the steps and activities organizations like CUs could use to manage ransomware risks.
After consulting with the frameworks, CU security teams should identify when and where to go above and beyond, Love says, based on their risk tolerance.
The best tools for doing that, according to Stanley, are zero-trust models and application blacklisting. These tools block CU staffs from adding services or tools that haven’t been specifically reviewed and authorized. But even the best tools will never be good enough, he warns. If a CU becomes the focus of a sustained, targeted ransomware attack, the crooks will get in eventually.
“There’s no stopping them,” he says. “It’s just a matter of limiting the damage and recovering as soon as possible.”
Do CUs sometimes pay ransom? Nobody knows or will say. Even busy cybersecurity pros like Benlein have not heard of cases where CUs have paid ransomware attackers, but he notes, “I suspect concerns about reputation risk are why CUs may not say if they have been hit.”
The payments system is pretty safe from hostile attacks for now, Benlein agrees. Cybersecurity is a thriving market with plenty of tools available to help corporations stay secure, and the payments system has always received special attention, he observes. “The big players have the resources and the motivation to stay well-protected,” he says, “but nothing can ever be 100% secure, and it will only get harder to keep up.”
Richard H. Gamble writes from Grand Junction, Colorado.