The late August news of a data breach at JPMorgan Chase rocked the world of fintech info security: The huge money center bank was apparently hit by hackers said to be affiliated with a nation state.
Details remain scarce, but that does not matter to credit unions. What matters the question of whether credit unions could withstand a nation state level advanced persistent threat attack. Further, do credit unions really know if they have been penetrated already?
Fintech experts are abuzz with those questions.
Tighten your seatbelts because the ride gets bumpily pessimistic.
Advanced persistent threats, like those that hit JPMorgan Chase, differ from run of the mill hacks in a fundamental way.
Most hackers are opportunistic, not much different from a smash-and-grab crook who shatters a car window to scoop up an iPad left on a seat.
APT starts with a target. The hackers stick with the target until they penetrate it or are called off by their masters.
And they keep on coming.
Experts have described APT assaults that went on for many months before, suddenly, the attackers got in.
APTs use all manner of attack tactics, including phishing, social engineering, automated probing, zero day vulnerabilities and more.
“The attack sophistication has gone off the charts,” said Gene Fredriksen, global information security officer at St. Petersburg, Fla.-based CUSO PSCU. “Everybody now is seeing this kind of attack.”
The vast majority of credit unions, experts said, rely on a combination of a firewall and anti-virus tools for defense against hackers.
Believing they are too small to be on the radar is another defense.
But that just is not so, Kirk Drake, CEO of Hagerstown, Md.-based technology CUSO Ongoing Operations said.
“My general feeling is that credit unions greatly underestimate the potential for them to get caught up in a geo-political issue, and do not have any of the tools in place to detect or deal with something of this nature,” he said.
Just why might a nation state want access to the financial records of credit union members?
Keep in mind that in many cases, APT is not aimed at theft of money. It more typically focuses on theft of intellectual property and espionage.
Think about a credit union with a field of membership that works inside Washington’s Beltway. Perhaps members who work at large technology companies could become a target. Or, maybe members at a company negotiating a contract with a nation suspected of sponsoring APT attacks, such as Russia or China.
In days of yore, nation states devoted human resources – spies – to gather insights into the spending practices and bad habits of potential information sources. Who is cheating on his/her spouse? Who overspends? Who is facing imminent default on big bills? Who has substance abuse issues?
Much of that information can now be gleaned by using data analytics to sort through account activity.
Then what?
Nobody knows, because nobody is prepared to assert that there are known cases of APT at credit unions. But, insisted one very well-placed information security expert, “It is very possible that this has already happened at credit unions. Most would not know if it had.”
He requested anonymity because of the sensitivity of his position in the industry.
As far as the technical defenses credit unions have in place, experts quickly dismissed their value where APT is concerned:
“Credit unions are over relying on perimeter defenses. They are wide open to APT attacks,” said Tom Kellermann, a vice president at security company Trend Micro, with headquarters in Japan.
APT professionals have shown they can breach perimeter defenses. Therefore, tools are needed that monitor activity inside the firewall.
Few credit unions have such defenses in place, experts said.
These tools hunt for anomalies; specifically, behavior that does not fit the norm of user behavior. An anomaly is not proof of an attach, but it is cause for inquiry, experts said.
Chris Morales, an analyst with Austin, Texas-based information security company NSS Labs, offered an example of what else is needed to protect against APT.
“You need to start paying more attention to what’s leaving the network than on protecting the perimeter,” he said.
APT hackers, to gain their goals, have to export the information they have harvested. Therefore, he said, continuous monitoring of outbound traffic is needed.
“Credit unions are an easy target because they are cheap. They are known as an easy target,” he said.
Dana Wolf, an executive with OpenDNS in San Francisco, said while institutions can stop data from being siphoned out, they can’t defend the perimeter anymore.
“It would be foolish for credit unions to think they have not been penetrated,” she said.
Carl Herberger, a vice president with Israel-based security company Radware, insisted the fight against APT is a dynamic struggle and the enemy is continuously honing its skills.
For example, Herberger said, while much APT defense of a few years ago revolved around tracking particular IP addresses, that strategy no longer works.
Why not?
Hackers realized they were being hunted on the basis of their IPs, so many now continuously change them, Herberger said.
As a result, credit unions need to invest in continuous security upgrades to ward off APT because attackers are always sharpening their attacks.
Another step in fighting back is to enlist employees’ help, said Roel Schouwenberg, principal security researcher at Kaspersky Lab. Significant APT strategy involves phishing employees and tricking them into giving up login credentials.
“It is extremely important to educate employees and get them to be vigilant,” he said. “Encourage employees to reach out to security.”
Employees should be trained to tell IT right away if they have been tricked by a phish, he added. That quick warning could help a credit union short circuit an APT before it does a lot of harm.
By following advice from experts, can credit unions win the APT battle?
Experts who spoke with CUTimes said that’s not impossible. However, none said they believed more than a handful of credit unions had actively engaged in fighting against nation state level APT.
“I can’t believe there hasn’t been APT in credit unions already,” said a well-placed source. “Most operate in ostrich mode and that is no defense against APT.”