July 23, 2014
Up. Down. You know it.
Up. Down ... OK, you know it all.
It may not top the charts for its lyrical strength, but as a quirky way to look at important aspects of your credit union’s cybersecurity program, this little verse is a three-hit wonder.
With limited resources, CUs want to focus their cybersecurity efforts on areas where they get the most bang for their buck. Figuring out which areas deserve the most attention can be tricky, but the mantra at the top of this article can provide some insight.
Up. Keep software up-to-date. Make sure to patch your desktop and server operating system software whenever necessary, and don't forget to apply the appropriate updates to all of your applications (Microsoft Office, browsers, Adobe Flash, PDF viewers, Java, etc.). Don’t assume patches are being applied! Verify, then trust, then verify again.
Take a risk-based approach when it comes to testing updates before installation. For example, if updates are low risk and there's little chance of them interfering with critical credit union tasks, they can be applied with minimal testing. If you expect updates to be medium or high risk, test to verify they don’t pose problems with important operational tasks or other software. Additionally, use a centralized, server-based system to automate deployment and reporting on installed (or neglected) updates, if possible.
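One way to "verify, then trust, then verify again" is a scheduled script that asks each machine when it was last patched and what Windows Update still considers missing. The script below is an added example, not part of the original article; it uses Get-HotFix and the Windows Update Agent COM object (Microsoft.Update.Session), assumes PowerShell remoting is enabled to the listed hosts, and the computer names and the 30-day threshold are placeholders to replace with your own.

```powershell
# Added example (not from the article): report patch age and pending updates
# for one or more computers, so "it's patched" can be checked rather than assumed.
# Assumptions: PowerShell remoting is enabled on the targets and the account
# running this may query them. Computer names and the age threshold are placeholders.
param(
    [string[]] $ComputerName = @('localhost'),
    [int] $MaxPatchAgeDays = 30   # assumed threshold; align it with your patch cycle
)

function Get-PatchStatus {
    param([string] $Computer, [int] $MaxAgeDays)

    # Date of the most recently installed hotfix, from the QFE list
    $hotfixes = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending
    $lastPatch = if ($hotfixes) { $hotfixes[0].InstalledOn } else { $null }

    # Ask the Windows Update Agent what is still missing. The COM API only
    # answers for the local machine, so run it through remoting.
    $pending = Invoke-Command -ComputerName $Computer -ScriptBlock {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
        foreach ($u in $result.Updates) { $u.Title }
    }

    $ageDays = if ($lastPatch) { (New-TimeSpan -Start $lastPatch -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        Computer       = $Computer
        LastPatchDate  = $lastPatch
        PatchAgeDays   = $ageDays
        PendingUpdates = @($pending).Count
        NeedsAttention = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays) -or (@($pending).Count -gt 0)
    }
}

$report = foreach ($c in $ComputerName) {
    try   { Get-PatchStatus -Computer $c -MaxAgeDays $MaxPatchAgeDays }
    catch {
        # A host you cannot reach is itself a finding: its patch state is unverified
        [pscustomobject]@{ Computer = $c; LastPatchDate = $null; PatchAgeDays = $null;
                           PendingUpdates = $null; NeedsAttention = $true }
    }
}

$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize

# Keep a dated copy so today's "patched" claim can be compared with earlier reports
$report | Export-Csv -Path ("PatchStatus-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

Run it from a management workstation on a schedule and keep the CSVs: a machine that is unreachable or that keeps reappearing with pending updates is exactly the one a centralized deployment tool tends to report as "done".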
Down. Give administrative-level login credentials only as needed, using separate IDs. This applies to administrative rights for servers, software and even desktops. For example, employees with multiple roles can use a regular account to perform general duties, logging into a separate administrative account only when they need to. So, an IT employee who occasionally acts as a database administrator would have one user account for regular daily tasks and another account for performing database administrative tasks. For additional protection, limit or prohibit access to the Internet on administrative accounts.
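A quick way to see whether the separate-ID rule is actually being followed on a machine is to list who holds local Administrators rights and flag daily-use accounts. The script below is an added example, not from the article; it assumes PowerShell 5.1 or later for Get-LocalGroupMember and assumes a naming convention in which dedicated admin accounts end in "-adm" (substitute whatever convention your credit union uses).

```powershell
# Added example (not from the article): audit local Administrators membership
# and flag accounts that look like daily-use IDs rather than dedicated admin IDs.
# Assumptions: PowerShell 5.1+ (Get-LocalGroupMember); dedicated admin accounts
# follow a "-adm" suffix convention; the approved list below is a placeholder.
param(
    [string]   $AdminSuffix    = '-adm',
    [string[]] $ExpectedAdmins = @('Administrator', 'Domain Admins')  # assumed approved members
)

function Test-AdminMembership {
    param(
        [Parameter(Mandatory)] [object[]] $Members,  # output of Get-LocalGroupMember
        [string]   $Suffix,
        [string[]] $Approved
    )
    foreach ($m in $Members) {
        # Names come back as DOMAIN\name or COMPUTER\name; keep the short name
        $short       = ($m.Name -split '\\')[-1]
        $isDedicated = $short.EndsWith($Suffix, [System.StringComparison]::OrdinalIgnoreCase)
        $isApproved  = $Approved -contains $short

        if ($isApproved -or ($m.ObjectClass -eq 'User' -and $isDedicated)) {
            $finding = 'OK'
        }
        elseif ($m.ObjectClass -eq 'Group') {
            $finding = 'Review group: every member inherits admin rights'
        }
        else {
            $finding = 'Daily-use account holds admin rights; issue a separate admin ID'
        }

        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass      # User or Group
            Source      = $m.PrincipalSource  # Local, ActiveDirectory, ...
            Finding     = $finding
        }
    }
}

$members = Get-LocalGroupMember -Group 'Administrators'
Test-AdminMembership -Members $members -Suffix $AdminSuffix -Approved $ExpectedAdmins |
    Format-Table -AutoSize
```

The same function works on the output of Get-ADGroupMember for groups such as Domain Admins, where a regular account that also holds domain-wide rights is the higher-risk finding.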
You know it. This last bit of advice has two important aspects. The first involves maintaining a current inventory of approved hardware and software needed or used by the credit union. Know what you have and what you are using. What hardware is connected to your network? What hardware and software is used by your employees to perform CU-related tasks like checking email, storing files, writing or updating policies and procedures, and providing daily reports?
Once you know what is being used, determine if it is authorized and approved. Are you comfortable with employees using cloud storage systems like Dropbox, Google Drive or MS SkyDrive to support their working from home? Is it all right for your employees to check email on their personal iPads? Take inventory of what is being used so you understand the nature and extent of the network you need to control.
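The software half of that inventory can be pulled from the Windows registry's Uninstall keys and compared with an approved list; the hardware half from CIM and the network adapter list. The script below is an added example, not from the article; the approved-list entries are constructed samples (in practice you would load them with Import-Csv from a file your CU maintains), and it reads both the machine-wide and per-user Uninstall keys because sync clients such as Dropbox often install per user.

```powershell
# Added example (not from the article): inventory installed software on this
# machine, flag anything not on the approved list, and record basic hardware facts.
# Assumptions: Windows 8 / Server 2012 or later for Get-NetAdapter; the approved
# list below is a constructed sample standing in for your CU's maintained list.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs (sync clients, etc.)
)

function Get-InstalledSoftware {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Compare-ToApprovedList {
    param([object[]] $Installed, [object[]] $Approved)
    foreach ($app in $Installed) {
        # Prefix match, so an approved "Microsoft Office" also covers versioned names
        $match = $Approved |
            Where-Object { $app.DisplayName -like "$($_.DisplayName)*" } |
            Select-Object -First 1
        $status = if ($match) { 'Approved' } else { 'UNAPPROVED - review' }
        [pscustomobject]@{
            DisplayName = $app.DisplayName
            Version     = $app.DisplayVersion
            Publisher   = $app.Publisher
            Status      = $status
        }
    }
}

# Constructed sample approved list; replace with: $approved = Import-Csv approved-software.csv
$approved = @(
    [pscustomobject]@{ DisplayName = 'Microsoft Office';      Publisher = 'Microsoft Corporation' },
    [pscustomobject]@{ DisplayName = 'Adobe Acrobat Reader';  Publisher = 'Adobe' }
)

$installed = Get-InstalledSoftware
$result    = Compare-ToApprovedList -Installed $installed -Approved $approved

# The review queue: everything present that nobody has approved
$result | Where-Object Status -ne 'Approved' | Format-Table -AutoSize

# Hardware side of the inventory: what this box is and how it reaches the network
Get-CimInstance Win32_ComputerSystem | Select-Object Name, Manufacturer, Model
Get-NetAdapter -Physical | Select-Object Name, MacAddress, Status, LinkSpeed
```

Running this on every workstation and collecting the CSVs gives you the list of "what is actually used" that the next step, whitelisting, has to be tested against.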
Once you understand the systems your employees use, you can move on to the second aspect, which involves application "whitelisting." Application whitelisting is a technical process where only approved applications are allowed to be installed and run on a system. Unauthorized software, or malware, is prevented from running. While there are a number of vendors that offer application whitelisting products, this can also be done using MS Windows Group Policy.
If your CU starts an application whitelisting initiative, it is important to understand what software the CU needs to function and also to test and be sure the whitelist includes all the necessary applications and programs.
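Windows' built-in route to whitelisting via Group Policy is AppLocker, and its cmdlets let you build the rule set from a clean reference machine and then test it against the programs staff actually run before switching enforcement on. The script below is an added example, not from the article; it uses the AppLocker module (Windows 7 / Server 2008 R2 and later), the output path and the "Everyone" rule target are assumptions, and the two paths in the working set are constructed placeholders to replace with entries from your software inventory.

```powershell
# Added example (not from the article): build an AppLocker whitelist from a
# reference install, then test it against the everyday working set before enforcing.
# Assumptions: AppLocker cmdlets are available; the policy path and Everyone target
# are placeholders; the working-set paths are constructed examples.

$policyPath = 'C:\AppLocker\policy.xml'   # assumed output location
$types      = 'Exe', 'Dll', 'Script', 'WindowsInstaller'

# 1. Collect file information for the approved software on the reference machine.
#    @() wrapping keeps the results as arrays even when a directory yields one file.
$files = @(Get-AppLockerFileInformation -Directory 'C:\Program Files'       -Recurse -FileType $types) +
         @(Get-AppLockerFileInformation -Directory 'C:\Program Files (x86)' -Recurse -FileType $types) +
         @(Get-AppLockerFileInformation -Directory 'C:\Windows'             -Recurse -FileType Exe, Script)

# 2. Generate allow rules: publisher rules where files are signed, hash rules otherwise.
#    -Optimize merges files from the same publisher into one rule.
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# 3. Test before enforcing: which programs from the working set would be blocked?
function Test-WorkingSet {
    param([string] $Policy, [string[]] $Paths)
    Test-AppLockerPolicy -XmlPolicy $Policy -Path $Paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Constructed working set; replace with paths taken from your software inventory
$workingSet = @(
    'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE',
    'C:\Users\jdoe\AppData\Local\Temp\setup_tool.exe'
)
$results = Test-WorkingSet -Policy $policyPath -Paths $workingSet
$results | Format-Table -AutoSize

# 4. Anything 'Denied' that the CU needs is a gap in the whitelist. Run the GPO in
#    AuditOnly mode first; these event IDs show what enforcement would have blocked.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -in 8003, 8004 |
    Select-Object TimeCreated, Id, Message
```

Once the audit log has been quiet for a full business cycle (month-end reporting included), the same XML can be imported into the Group Policy object with Set-AppLockerPolicy and switched to enforce.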
Following the steps outlined here may seem simple, but it can make a measurable difference in your CU's cybersecurity. Work done by the Australian Signals Directorate, an intelligence-gathering agency for the Australian Department of Defense, found that 85 percent of targeted cyber intrusions against government and military systems could be prevented by these kinds of controls.
These aren’t the only controls you need to deploy at your credit union and they won’t stop all the various cyber attacks, but if you are looking to spend limited resources while providing a good return on managing your CU's cybersecurity, these areas are a solid starting point.
Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting, LLC, Silverdale, Wash., and offers insight on issues involving information technology governance, information security, and technology risk management.