
Episode #34 - Cybersecurity for Credit Unions, Banks, Insurance, and FinTech

Cybersecurity is critical for financial services organizations, but many mid-market and emerging companies struggle tremendously with their cyber risk management programs.

Not anymore with FinTech cybersecurity. This week, the guys talk about credit union cybersecurity, bank security, and other issues across the industry, including staffing, risk assessment, penetration testing, and compliance. Financial services companies are an attractive and highly targeted sector for cyber criminals. It is also an industry where Zach, Mike, and Lauro have a deep history.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

Microsoft has a bad week…

In other news…

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and today we are talking about financial services cybersecurity. Silent Sector, our firm, has done work for banks and credit unions and insurance companies, and companies that are kind of like insurance companies but not really insurance companies. We've worked with private equity firms, fiduciaries. This is a topic that is important. It's a very critical sector for obvious reasons and a very targeted sector for obvious reasons: the cyber criminals want to go after those people that control the money. So that's what we're talking about today. But Mike, before we do, do you have some good news for us?

No. Or just bad news.

Why don't you kick us off with the bad news then.

The bad news. I'm not gonna go in depth on some of these headlines. It's just, here we go: "Microsoft has a bad week." That's a headline for you.

Another one. Another one, seems like a trend.

Yeah. Microsoft admits to having mistakenly signed a software driver loaded with rootkit malware. Attackers breach Microsoft customer service accounts. Microsoft successfully hit by a dependency hijacking attack, again. Researchers leaked PoC exploit for a critical Windows RCE vulnerability. Microsoft translation bugs open Edge browser to trivial UXSS attacks. And Windows 10 emergency update fixes PDF opening issues. And finally, in Microsoft's very bad week, 700 million LinkedIn accounts, records (LinkedIn is owned by Microsoft), for sale on hacker forum. And as of June 22nd, second massive LinkedIn breach reportedly exposes the data of 700 million users, which is more than 92 percent of the total 756 million users on LinkedIn, and the database is on sale on the dark web. It includes phone numbers, physical addresses, geolocation data, and inferred salaries. It does not include passwords, so just keep that in mind. I think it was, Lauro, correct me if I'm wrong, but it was a bot scraping thing. It wasn't an actual hack, but still.

Yeah, that's right. Still, still frowned upon. Still illegal, certainly. Yeah, scraping.

I was gonna say, to add insult to injury, there's all these articles out slamming Bill Gates for stuff that apparently he did during his time there. So it's just not good overall for them.

Not at all. And yeah, then there's also discussions of the antitrust stuff for tech, which Congress is talking about for Amazon, Google, Apple, Facebook, Twitter, and Microsoft, who also happens to be one of the advisors of the federal government on security. Maybe they should work on their own house. A couple other critical ones: the Cisco ASA vulnerabilities actively exploited. The specific Cisco ASA vulnerability is a cross-site scripting vulnerability tracked as CVE-2020-3580. It was originally fixed in October of 2020 and then popped up again and was fixed again in April 2021. Just a heads up on REvil: REvil ransomware's new Linux encryptor targets ESXi virtual machines. The REvil ransomware operation is now using a Linux encryptor that targets and encrypts VMware ESXi virtual machines. By targeting virtual machines this way, they are able to encrypt many servers at once with a single command, so lock your ESXi machines down. And further proof IT talent is in short supply: ransomware gang is now creating websites to recruit affiliates. At least two ransomware gangs in need of hackers to run the attacks have been using their sites to advertise features of their encryption tools to attract new recruits, to attract partners. LockBit claims to offer the fastest encryption and file-stealing tools all over the world, and another gang promoting their ransomware-as-a-service operation on their website recently is Himalaya, an actor that started its activity this year. So that's the news. Good luck, Microsoft. We'll talk about you, I'm sure.
Lauro. Gosh, man. Well, that's okay, you know, crash and burn. Yeah, nothing surprising there. Anyway, so for exploits this week, a couple things I want to talk about. They both have to do with pretty much the same thing. Yeah, yet again we're talking about WordPress plugins. So if you're using WordPress, be careful. If you've got XCloner, if you need to use the XCloner plugin, make sure you're upgrading beyond 4.2. There's a remote code execution exploit payload ready to go for that version and versions below it. So again, if you must use this for functionality, make sure you keep your plugins updated.

The other one is a polls plugin, also for WordPress. It allows you to do polling and that sort of activity from different types of sites. There's a stored cross-site scripting there, so pretty vulnerable, especially if people are coming to the site for poll information, and if there's a stored cross-site scripting that's reflecting them to something like malware. So again, if you must be a WordPress person, update your plugins. And that's all the interesting exploitable activity that we've got for payloads this week. Zach, what are we talking about? Baseball?

I was gonna say it sounds like Microsoft and WordPress are good buddies. They must hang out a lot.

I didn't even talk about the Google exploits this week because, you know, at a certain point it's just like enough is enough. Being with Microsoft is like dating somebody, you know, and it's fun for a while, it's a lot of fun, then you find out they're doing heroin in the bathroom and you come in with a spoon and the lighter, and right around that time Sancho kicks open the door talking about the prostitute and how much money that you now owe. So it's a big risk, you know what I mean?

Wow. It's a good analogy to Microsoft. It definitely catches you unexpectedly and costs you a lot of money. But hey, that's a lot of fun. It's almost like you need a news hiatus.

And it's got a lot of effects, it's got pretty colors. It's got pretty colors, it's so much fun to use. Look at the latest version.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cybersecurity programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit and contact us today.

Let's get to it then, shall we? Let's talk about financial services
cybersecurity. So if you're working in a bank or credit union or insurance company or private equity firm or VC group or any other variant of somebody that deals with money quite a bit, you're a major target. In fact, I forgot to list VC groups in the companies we've worked with in the past. But that said, we've seen some pretty crazy circumstances in those environments, and no two are created equal, right? Especially when you get into things like credit unions, for example. You have credit unions with thousands of employees and you have credit unions with 50 employees. So very different environments, different considerations. But like we talked about last week when we talked about healthcare cybersecurity, and financial services cybersecurity, the fundamentals still remain, right? Don't forget the fundamentals. The basics apply to all organizations. But there are some considerations and compliance requirements that apply to financial services. So Mike and Lauro, you have extensive backgrounds with Fortune 500 financial services companies down to startups and mid-markets. So what are the pitfalls you see, or considerations? What advice would you have right off the bat for people concerned with cybersecurity in the financial services industries?

Well, I think a lot of times there's the perception, especially in the small players, that "we don't really have anything anybody wants to steal," and that's something that we continually have to overcome. "We're not big enough, we don't have a big enough portfolio." And what the reality is, is that the cyber criminals are out there because you have data and you have money, and that's what they want. They either want data or they want money, or they want to take your data and ransomware it for money, and money is in these financial institutions. So I think, due to the target on the back of most of these financial institutions, you have to take your due diligence, your due care, to a higher level than many, many other types of companies, simply because of the quantity and quality of data that you have, and the reputational risk of being hacked is greater. When I worked for a very large bank doing compliance, we were actually told if someone breaks in and steals twenty thousand dollars over the internet, you know, hacks in and steals 20 grand, we're not even going to say a word, because we're more concerned about reputational damage than we are about the 20 grand. I don't know if that philosophy has changed, that was a while ago, but anyway, that's the concern right now, is that you have to keep a greater level of due diligence. So that means your sanitation of your cyber environment has to be cleaner, your training has to be better, your pen tests have to be more frequent, you need to do internal and external. I'm sure Lauro will talk about more of that, but that's what I see from the bank perspective, those kind of pitfalls of not truly understanding the threat landscape. That's always a big thing.

And here's the other thing I think to consider about this conversation: these institutions usually don't have a team, most of them, unless they're like BCC or something, right? They'll have a team of cybersecurity individuals and, like Mike said, they'll have a team of compliance individuals that are doing various things. So now you've got the bureaucracy and politics that unfortunately can slow certain things down and also convolute certain information regarding risk, because now you've got individuals that may be more concerned with continuing their career at said location versus doing the right things to protect consumer data and the data that the banks own around the financial information and things like that. But I think that the challenge typically we see is, aside from all the crazy stuff you have to do from a program management perspective, right, like Mike was alluding to, you've also got the people problem, right? And I think that's where we see a lot of challenges with maintaining team resilience, I guess, if you want to call it that. Just having enough people to do the jobs that you need. And so I think that shortage that we're seeing in professionals is causing some organizations to have to reach out to partnerships, and so those types of processes now have to be gone through from that third-party vendor management perspective, right? Because now you're outsourcing parts of the business that you can't support because of, you know, whatever, right? Not enough minds, or whatever the case may be. Can't hire the right talent in your area. And so now you're stuck with a partnership, or you're going to a large organization to bring rent-a-people down to assist you, but you've got to do that vendor management process. And so Mike was talking about that due diligence elevation. Now it increases because the risks are higher, right? Because we're talking about money, not just "we can ransom you." They can actually get access to money that belongs to the people that you're holding it on behalf of. So I think that's where that due diligence step increases, and so I think that's where we see some vendor management programs slip for financial institutions, where they're not really managing the supply chain very well. At first it's not something that they've considered from a risk perspective. They're working really hard to protect the vitals of the business systems, right, which obviously needs to be protected as well, but you can't forget about those other parts of the puzzle too.

And they don't always understand the internal attack vector. That's a great point, Lauro, that they have to look at those vendors.

Yeah, absolutely, and that's why we do those internal pen tests. And I think a lot of the risk assessment requirements for the financial regulations, when you do a risk assessment, you can certainly scope it out, but you can't just keep it the same thing every year. You can't look at one box every year, right? You can start that way, sure, but it starts to look like you're hiding things if you keep it that way, right?

Yeah. Go ahead.

Oh no, no, I was just gonna say, yeah, you certainly have to just keep looking around internally and externally.

On another note, you need to switch auditors every couple years, and we've come across some companies that are just comfortable with their auditor and they've had them for 10 or 15 years, and I think at a certain point that relationship will supersede the intensity of the review, simply because you have a relationship with this vendor for 10 or 15 years that's doing your auditing. So even though we are in this business, we would still recommend you change every couple years, just to make sure that some different set of eyes are looking, or bring somebody in to check somebody's work, check the existing vendor's work, just to ensure that you're taking the proper precautions. Because we've seen that with large companies with PCI, and we've seen that with, "we know the vendor, we know the auditor, we get the same auditor every year, we go out for drinks, have a nice dinner, and then they give us a nice soft audit." So that stuff needs to be checked, and management needs to take active control of this and make sure that things are properly audited and looked at.

On another note, this is not necessarily a technology thing, but what we found is that some of the smaller banks, and actually some of the larger banks, they don't pay very well, to be honest with you. So they have a hard time, they really don't, no, they don't, they have a hard time retaining talent because of that. So you're going to bring in a mercenary consulting company who doesn't have the same level of concern, I mean other than Silent Sector, but it doesn't have the same level of concern for your enterprise that your employees would have, because they're not invested in it. They're just getting paid, they're mercenaries. So I would recommend highly to any of our millions of listeners that if you work in the banking industry, bump that pay a little bit. Pay for training.

Yeah, if you count the bots that are listening to us, it's like a quadrillion.

That's awesome how many fans we have. It's like celebrity status.

Oh yeah, I didn't realize that, but yeah, you know, Spotify reached out to us because they're tired of that Joe Rogan guy, and I thought we would do better. Like, man, these guys, cybersecurity, it's a hot topic.

Well, one of the things, we get a lot of calls, a lot of outreach from, I'd put them on the kind of smaller realm of financial services firms, like credit unions, for example, that have NCUA compliance, right? Because we've done a bunch of that. They're looking for risk assessments for NCUA and for the organization as a whole. And it's interesting, in the conversation, it's tough, I feel for them, because they're a few hundred people, essentially a small business, a couple locations or whatever, but you're exactly right in that they are struggling to bite off the extra expense of paying their security people better, right? And the same with their IT staff, right? So they see a lot of turnover. Meanwhile, they're trying to maintain compliance and security and all that, but I unfortunately don't know that there's a way around it. I mean, we always recommend, for financial services companies, they should be doing quarterly pen testing, right? They need to be doing continuous vulnerability scanning, all these other activities, but in essence, for a small business to do that and allocate budget for that, it's difficult. And unfortunately, when they don't and something happens, then their breach expenses are much, much higher than what they would have paid just being proactive, and then it takes them often years to get proactive after that, because now they just had all this overhead and expense that they're licking their wounds from for the next year or two. So it's a tough dilemma, but I think it comes down to education, what we're doing here. They need to be doing regular pen testing, internal and external, right? A lot of organizations, it's not the case. If you're a construction company and you get hacked, you're probably still going to be putting up two-by-fours the next day. It's just the nature of the business, right? But with financial services, I mean, you get hacked, all the notification requirements, all the legalities, lost clients, on and on. Nobody wants to hear that the place that their money is sitting is not secure, right? It's probably the worst thing. Reputational damage is what they're really concerned about in a lot of ways.

And as far as I know, you can't put ransomware on two-by-fours or PVC pipe, so.

That's true. No, but you can put fungus, and that's kind of what ransomware is, right? It's like a mold that just spreads. Ransomware spreads quicker, but yes, you're right. I'll pick it up.
Well, here's an example, right? So we had a financial institution that we spoke with that does weekly penetration tests. They use an automated platform, right? So it doesn't have some manual steps, but they at least do an automated sweep with commercial products on a weekly basis, which is pretty impressive. And then as an example, in my hometown in Tejas, there was a small local bank that had a chief information security officer opening for a whopping salary of 47,000 a year. And so I thought that was an interesting thing. Now, this was a couple years ago, but again, you're not going to receive talent from other places, right, if you're not going to be competitive at a nationwide market level, which I think is necessary at this point for these types of talents and these types of positions that you're asking individuals to fill, and not only that, the amount of risk you're asking them to juggle, right, and resolve for you. You know, a CSO gig is not a son-in-law job, unless your son-in-law is really good. It's not one of those things you just throw someone in that, you know, they're reading the CISSP book, so they're obviously a CSO. You gotta have experience and you gotta have talent, and unless you do, you may only be worth 47k, but you're not any good, and you really need that true experience. And so to be competitive, unlock those purse strings.

Yeah, and if you get moved into one of those positions and you're not, you know, it's gonna be one of two things, right? There's gonna be an ego-based response, or there's gonna be the opposite, right, where it's like, I realize I'm in a place where I need help, reach out for help, find the help that you need. We don't do anything on our own, right? We all require others to help us, and so CSOs are no different, right? You may be great at leadership, great at obtaining budgeting, you may be great with working with the business leadership to get budget, you're still going to need talent to do that work. And I think that that's important. I think a lot of the smart ones out there understand that that's what they're looking for. Or find a consultant that's willing to mentor you, for a price. Get with a consultant, buy 30 hours or whatever of their time, so you can ask them questions, get their guidance, get some input, so you're not bouncing everything off yourself. An echo chamber of one is not a good echo chamber.

Yeah, YouTube will only get you so far. Yeah, and the books only get you so far, right? I mean, there's a whole lot of stuff in the CISSP books and the serious books that, you know, that's nice, but unless you have a massive organization, you're not going to be able to follow it. You're not going to have an audit committee, a steering committee, a security committee, blah blah blah. It's going to be a committee of one on a lot of those things, depending on the size of your company.

Yeah, well, it's one of those things. I mean, I think it's clear that any kind of mid-market and smaller type financial services firms of any kind really require outside help. I mean, generally speaking, they're not going to be able to afford, or be willing to afford, a full security department. So generally what we see is they usually have some pretty good IT people that kind of take the bull by the horns, so to speak, and try to implement as much as they can within the time they have, with all the other operations going on, to align with the various compliance requirements and get that done. But they're not going to be doing unbiased testing, risk assessments, all of that. There's also considerations around the complexity of environments, with a lot of organizations having multiple locations scattered all over the state or all over the region. So, consideration about that. A lot of times the IT resources are strapped, just chasing down all the problems and all the help desk function. They kind of handle everything. So in these companies, a lot of times we see the IT team is two to maybe six people, in a lot of cases, and yet generally no security professionals, or maybe they have one very junior security analyst, which is an outstanding asset to have, but they're not going to really build and maintain the formalized security program for you. So get outside help. And we won't go into all the compliance requirements of things like FINRA and SOX and NCUA and all these things that organizations have to chase down, but the same is true as what we've talked about previously when we've discussed compliance, which is you have to operationalize it. You have to build it into your processes day in and day out, and if you can't do that, again, get outside help, right? But you can't be putting everything on hold for the IT side of the company for a couple months before the audit and then trying to pick back up afterward. It just doesn't work that well. And then, finally, you've got, obviously, social engineering, which is a huge, huge threat. The human element is very susceptible, and they're a massive target in financial services companies. So make sure you're running ongoing security awareness training, test phishing campaigns. There's great platforms out there, like KnowBe4, that you can basically set up and, in a fairly automated fashion, run those campaigns. But make sure your people adopt a security-conscious culture, because without that, no matter what else you do, you're going to be highly susceptible. Any other final thoughts, or smart or snarky remarks, as Lauro likes to say?

I think you need to have one, one key piece is you need to have at least one dedicated security person. Your KTLO people can have security tasks, but they cannot perform the function of security officer and KTLO and do both effectively. You can't do that dotted line. You need at least one dedicated resource that's all they function and do, and they're going to cost more than 54,000 a year.

Yeah, exactly. And then, I mean, even if you're outsourcing your security function to somebody else, you still want an internal security function, a security resource, so they know what this outside company is telling you. Because you really don't want the security company telling you that the problem is that your flux capacitor isn't working properly and that's why you're not secure. You need to have an understanding of exactly what they're talking about.

Wait, so the flux capacitor has to do... I didn't realize that, man, because mine's been broke for some time. It's no wonder. Microsoft and WordPress have both been having that problem too. Seems to be a trend. Maybe we should get the flux capacitor, we'll get in the flux capacitor repair business here.

Yeah, soon. But the doors are falling off that DeLorean, let me tell you.

How many times do you think "flux capacitor" has been mentioned in cybersecurity podcasts throughout the years?

Yeah, maybe, but if you keep saying it, we're going to start popping up next to Back to the Future things that people are googling.

Flux capacitor.

Some great SEO strategy for us, right? Well, great. Thank you, everybody, for listening. We'd love to hear your comments, feedback. Go to, there's a little web form, and you can just tell us your thoughts, suggestions, or reach out on LinkedIn to any of the posts here, and we'd love to take your thoughts and ideas on what you'd like to talk about in the future. And be sure to subscribe to the podcast, let people know about it if you like it. Thank you so much for listening, and we will connect again next week. And good luck to everybody in the financial services space, especially if you're heavily, heavily reliant on Microsoft and WordPress. Extra good luck to you. Check your flux capacitor. Thanks, everyone.