Security Awareness

1
Security Awareness

• Protecting the credit union in the new millennium

2
Table of Contents

• Security Awareness defined
• NCUA Part 748 and GLBA
• New and Emerging threats
• Information Security Policy
• Password Security
• Physical Security
• Social Engineering
• Member verification
• Business computer usage

3
Why Security Awareness ?

• Many security incidents occur due to internal and
  human weaknesses. Ensuring that a credit unions
  sensitive information and critical customer data
  remain confidential is the responsibility of
  every employee.
• It is estimated that as much as 75 of the threat
  to sensitive data is from inside the credit union!

4
NCUA Part 748 and the GLBA

• From Part 748, Appendix A
• Each federally insured credit union will
• develop a written security program within
• 90 days of the effective date of insurance.
  The
• security program will be designed to
  Protect
• each credit union office from robberies,
• burglaries, larcenies, and embezzlement

5
Information Security

• Ensure the security and confidentiality of member
  records, protect against the anticipated threats
  or hazards to the security or integrity of such
  records, and protect against unauthorized access
  to or use of such records that could result in
  substantial harm or serious inconvenience to a
  member.

6
Incident Response

• Respond to incidents of unauthorized
• access to or use of member information
• that could result in substantial harm or
• serious inconvenience to a member.

7
Forensics

• Assist in the identification of persons who
  commit or attempt such actions and crimes

8
InformationProtection

• Each federally insured credit union must prevent
  destruction of vital records, as defined in 12
  CFR part 749.
• Each Federal credit union, as part of its
  information security program, must properly
  dispose of any consumer information the Federal
  credit union maintains or otherwise possesses, as
  required under 717.83 of this chapter

9
Gramm-Leach-BlileyAct

• Gramm-Leach-Bliley ActEach agency shall
  establish appropriate
• standards to
• Ensure the security and confidentiality of
  customer records and information.
• Protect against any anticipated threats or
  hazards to the security or integrity of such
  records.
• Protect against unauthorized access to or use of
  such records or information which could result in
  substantial harm or inconvenience to any
  customer.

10
What is sensitive information?

• From 38CFR748 Appendix B
• For purposes of this Guidance, sensitive member
  information means a member's name, address, or
  telephone number, in conjunction with the
  member's social security number, driver's license
  number, account number, credit or debit card
  number, or a personal identification number or
  password that would permit access to the member's
  account. Sensitive member information also
  includes any combination of components of member
  information that would allow someone to log onto
  or access the member's account, such as user name
  and password or password and account number.

11
The NCUAs IST Program

• The Bottom Line
• Create an environment of strong
• Information Security Awareness!

12
Emerging threats

• Hackers are becoming more organized and a wealth
  of tools are available to them.
• Phishing and other social engineering scams are
  increasing at an alarming rate.
• Spam continues to infect thousands of business
  computers with key loggers, viruses, and hybrid
  threats.
• Malicious websites can install spyware and other
  Trojans on your machine simply by you visiting
  their site.

13
Security Awareness includes

• Information Security Policy
• Password security
• Physical security
• Phishing, Pharming and social engineering
  awareness
• Responsible use of business computer
• Mobile technology security

14
Change Your Perception

• Every employee shares the
• responsibility of maintaining a secure
• environment and securing sensitive
• information!
• Security is a necessity, not a burden
• Be proactive, adopt good security habits

15
Information Security Policy

• A strong Security Policy provides the basis for
  the credit unions entire security program.
• A well-developed Security Policy is the result of
  collaboration among stakeholders drawn from many
  departments.
• The Security Policy will be the first thing
  Information Security Auditors will ask to see.
• It is critical that all employees read and fully
  understand the Credit Unions Security Policy

16
Information Security Policy

• A Few Things a Security Policy Must Address
• Access Rights
• Password Construction Rules
• Password Rotation Rules
• Password Protection Policy
• Backup and Disaster Recover Procedures
• Virus Protection
• Log review, Intrusion Detection, and Response
• Legal Logon Banner
• Staff Security Awareness
• Appropriate Technology Use
• And much more.

17
Password Security

• Perhaps the most mundane yet all important
  counter measure to hacking is strong passwords.
• Enforcing a security policy that includes strong
  password construction and rotation rules will
  help to alleviate many potential problems.

18
Password Security

• Teach your old password some new tricks!
• The more complex, the better
• Use 1wUZb0rn19G8 instead of 04021968
• Never write your password down! Remember, even
  the cleaning crew has full access to your office.
• Change your password every month
• Dont reuse your old password!

19
Password Security

• Passwords should be at least eight characters in
  length
• Passwords should be difficult to guess (i.e.,
  should not be words in a dictionary, derivatives
  of the Users ID, or common character sequences)
• Passwords should contain at least one of each of
  the following character types upper case
  letters, lower case letters, and numerals
• Passwords should contain at least TWO
  non-alphanumeric characters such as !_at_.

20
Physical Security

• Physical security is an underestimated and often
  overlooked aspect of securing sensitive data.
  Physical safeguards are powerful ways to protect
  sensitive information and assets.
• Failure to adopt secure behaviors leaves your
  data and all computers connected to the network
  vulnerable.

21
Physical Security Questions

• Who was in my office and why?
• Could they or did they read my e-mail?
• Did they go through my electronic files, paper
  files or trash can?
• Was sensitive information accessible?
• What applications were open on my desktop?

22
Securing Your Environment

• Always escort guests
• Use door and drawer locks
• Shred sensitive materials
• Always secure sensitive materials when leaving
  your office
• Secure portable devices with passwords and
  encryption

23
Physical Security
Things weve learned.

• Smokers will usually allow us in the back door.
• Employees wont stop you if you have a clipboard.
• Administrative areas are not restricted.
• Shredding policies are not enforced (Dumpsters
  contain loan applications, credit reports, etc).
• PCs are left logged in. Unused network jacks are
  not unplugged in server room.
• Wiring closets not locked.
• PCs in the lobby for home banking access are
  behind the firewall and unrestricted.

24
Phishing and Social Engineering

• Phishing is a common social engineering tactic
  whereby a hacker attempts to fraudulently acquire
  sensitive information such as usernames,
  passwords, social security numbers and account
  numbers.
• Phishing is typically carried out using email or
  an instant message, and often redirects users to
  a fraudulent website created to mirror the
  legitimate site.

25
Sample Phishing e-mail
-----Original Message----- From Jack
SMTP_at_cu.org Sent Wednesday, April 11,
2007 1037 AM To Sue Employee Subject Confident
ial Please Read Immediately! Unfortunately we
had a member of management leave us and as a
security precaution we need a few individuals to
give us an account of this persons actions.
Since we need this information in writing, per
our security and compliance policy, we've setup a
template of questions that requires you to login.
Please use your normal network login and
password. http//68.153.63.169/secured.asp Thank
s! Jack
26
Sample Phishing e-mail
-----Original Message----- From Jack
SMTP_at_cu.org Sent Wednesday, April 11,
2007 1037 AM To Sue Employee Subject Confident
ial Please Read Immediately! Unfortunately we
had a member of management leave us and as a
security precaution we need a few individuals to
give us an account of this persons actions.
Since we need this information in writing, per
our security and compliance policy, we've setup a
template of questions that requires you to login.
Please use your normal network login and
password. http//68.153.63.169/secured.asp Thank
s! Jack
27
Phishing avoidance

• First and foremost, never give sensitive
  information to ANYONE via e-mail.
• Be aware of suspicious URLs. Always compare the
  link in the e-mail to the link youve been
  redirected to.
• In the previous e-mail, the hacker asks you to
  click on the following link and provide username
  and password
• http//68.153.63.169/secured.asp
• Dont do it!!

28
Phishing Response Plan

• If you believe youve been Phished, immediately
  notify your IT department.
• Contact Law Enforcement www.ic3.gov. (But dont
  expect them to do anything).
• Immediately notify members (usually via website).
• Contact your Anti-Phishing provider.

29
Social EngineeringPhone scams

• Hackers will call you pretending to be
  management, members or other officials.
• Verify identity of each caller!
• Report scam attempts to authorized department or
  individual.

30
Social EngineeringThe answer?

• Policy Employees must read and sign (and
  understand!)
• Training/Education At Orientation
• and Continuing.
• Checks Such as the ones described previously.

31
Member Services

• Make certain you are talking to the actual member
• If you ask too many questions members get
  annoyed.
• If you dont ask enough questions other members
  get annoyed.
• SSN, Mothers Maiden, address are easy to get.
• Loan balance, loan payment date, etc. are
  difficult to remember.

32
Member ID Verification

• Solution Passwords using a Challenge and
  Response System.
• What was the name of your elementary school?
• What was your first car?
• What was your childhood pets name?
• What is your fathers middle name?
• What is your favorite (or least favorite) food?
• What is your birth city?

33
Business Computer Usage

• The internet can be your friend or foe
• Internet worms, bot-nets and trojan programs can
  be installed on your PC simply by accessing a
  malicious web site!
• Limit internet usage for business purposes only!
• Internet chat services should be off-limits,
  except as explicitly outlined in your credit
  unions security policy

34
Business Computer Usage

• Never open or preview any e-mail from an unknown
  source.
• E-mail can contain viruses, trojans, bot-nets and
  fraudulent links
• If you suspect you have opened a malicious
  e-mail, report the incident to your IT staff
  immediately!

35
Security Resources

• www.cudefense.com
• www.ncua.gov
• www.sans.org
• www.securityfocus.com
• http//online.securityfocus.com/bid
• www.ntbugtraq.com
• www.cybercrime.gov
• www.cve.mitre.org
• www.gocsi.com
• www.zone-h.org (under crime archive)
• A Web search for hacking will return lots of
  information.