Small community banks and credit unions have unique challenges when it comes to cybersecurity. They manage systems and data that are some of the most desirable for attackers, such as customer or member financial account data, ATM controls, and electronic funds transfer services. While their needs for IT security controls can mirror the needs of regional or national financial institutions, it’s a strain for small banks and credit unions to maintain the same level of security staffing and systems as big institutions.
What are the risks?
Attackers target financial institutions for a number of reasons, but the reasons all have to do with converting unauthorized access into income for the attacker. Traditional bank and credit union attack paths have included ATM attacks, where account settings, transaction limits and other security controls were changed to permit substantial and coordinated ATM withdrawals, and electronic payment fraud, where ACH or wire transactions were misdirected to fraudulent outside accounts.
With the emergence of anonymous payments through cryptocurrencies, attackers have embraced cyberextortion as an attack method. After gaining access to a single employee workstation or account through phishing attacks or guessing remote access passwords, the attackers hide on the financial institution’s networks for weeks, stealing administrative passwords and collecting other sensitive data. Once they have enough of this information, the attackers destroy online backups, encrypt critical systems and data, post a sample of stolen sensitive data to “shaming sites” on the Internet, and then demand a cryptocurrency ransom.
What security controls are most important for these small financial institutions?
A financial institution’s cybersecurity program should be based on industry-accepted frameworks (such as the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and/or the Center for Internet Security (CIS) Top 20 Critical Security Controls (CSC)). The cybersecurity program should be updated annually, and that process should start with a risk assessment being performed to identify relevant threats to the institution’s assets and gaps in security controls. However, due to the similarities between financial institutions and the threats against them, there are a number of security controls that are almost always key to the financial institution’s resilience against cyber attackers.
MFA for email and remote access
Attackers make use of remote desktop services (RDS), virtual private network (VPN) services, and even online email access to gain access to private financial institution systems and data. This is often done by guessing passwords and/or using passwords found on other systems or stolen through phishing attacks. Financial institutions should make certain that all employee and third-party vendor remote access to company resources (including RDS, VPN, and email) is protected with multi-factor authentication (MFA).
Missing security patches can often allow an attacker who has gained access to one employee workstation or account to compromise other systems and administrative accounts on the network. Missing patches can also allow workstation virus infections just by visiting infected websites. Financial institutions should have a centralized tool that monitors and automatically applies operating system and key third-party software (including web browsers, Java, and Adobe software). Systems and processes should make certain that no servers are exempted from the timely application of security patches.
While anti-virus doesn’t stop all attacks, it can help prevent and detect many types of attacks. Financial institutions should have a centrally managed system and processes to make certain servers and workstations have up-to-date anti-virus software installed and running. Advanced anti-virus features, such as endpoint firewalls, host-based intrusion detection, heuristic detection, and threat prevention features should be enabled and tuned to help block activities that don’t match traditional known anti-virus signatures.
Once attackers gain a foothold on a bank or credit union network, they make use of many default and legacy settings of Windows systems to help steal privileged passwords or elevate privileges. Financial institutions should deploy a Windows hardening standard that accounts for these attacks. Sikich has worked to provide helpful resources regarding key hardening recommendations in several Sikich Insights posts, including two posts on Active Directory security as well as a post regarding PowerShell attacks.
Outbound traffic controls
Attackers maintain persistence (ie, the ability to break back in if their connection is lost) by establishing command-and-control channels out through the financial institution’s firewall, often impersonating website traffic or other common Internet protocols. Financial institutions should use a web content filtering solution at their firewall to block websites that fall into dangerous categories such as VPN services and malware sites. In particular, the web content filter should be configured to block any uncategorized sites, as phishing and command-and-control websites are often too new to have been categorized by the web filter. In addition, financial institutions should configure the firewall to deny all non-web outbound traffic by default, only permitting communication to known trusted destinations. This will block malware command-and-control channels that impersonate other protocols like file transfers, streaming music or chat traffic.
Attackers continue to aggressively target financial institution employees, because they are often successful in tricking employees into installing viruses, disclosing passwords, or initiating fraudulent transactions. One of the best protections against phishing attacks is using a service that conducts periodic phishing exercises against employees.
Protected or offline backups
During ransomware attacks, it is common for attackers to use stolen domain administrator, hypervisor, and storage appliance passwords to delete any backups connected to the network. Financial institutions should protect backups from this type of attack, placing a focus on critical systems like core processing systems, teller and banker applications and check and document image storage repositories. Some common methods for protecting backups include (a) writing backups to tape or other offline media that is not accessible from networked systems, (b) placing backup servers, hypervisor management consoles and storage system administration interfaces in a hardened network enclave that requires MFA, and (c) writing backups to a third-party or cloud service that restricts the ability to delete backups.
Logging and monitoring systems
When responding to an attack, many banks and credit unions find that log history covering the start of the attack is not available because systems were configured with default logging settings. For example, default logging on Windows systems may only store a few days of security events like network logins. In addition, if logs are available, they often show suspicious activities that would have raised awareness of the attack at the very beginning if someone were monitoring the logs for anomalous events. Financial institutions should implement a logging strategy that centralizes critical log data, makes certain sufficient historical data is retained and includes automated monitoring of log data for suspicious events. Many small banks and credit unions successfully outsource this log consolidation to a managed security service provider (MSSP) who has the staffing and skillset to tune log monitoring rules and monitor activity 24×7.
Even with all these controls in place, there are often gaps that attackers can take advantage of to compromise a network. Banks and credit unions should work to make sure that they can find and fix these cybersecurity gaps before attackers find them. Key testing activities include:
- External vulnerability scanning, which is generally done quarterly or monthly depending upon the risk and complexity of the organization, and can help identify weaknesses in services a financial institution has exposed to the Internet
- Internal vulnerability scanning, which is generally done annually, quarterly or monthly depending upon the risk and complexity of the organization and can help identify weaknesses, such as default passwords, missing patches, and weak configurations, on internal systems
- Penetration testing, in which a human tester simulates a malicious attacker and works to identify vulnerabilities and attack paths and demonstrate the resilience of the organization’s security controls
How to learn more
For more information about the cybersecurity services that Sikich provides to banks and credit unions, including Gramm–Leach–Bliley Act (GLBA) risk assessments, FFIEC IT security audits, policy and roadmap development, vulnerability scanning, and penetration testing, please reach out to the Sikich Cybersecurity practice.