July 6, 2021

The Cyber Rants Podcast

Episode #34 - Cybersecurity for Credit Unions, Banks, Insurance, and FinTech

Cybersecurity is critical for financial services organizations, but many mid-market and emerging companies struggle tremendously with their cyber risk management programs.

Not anymore with Fintech Cybersecurity. This week, the guys talk about credit union cybersecurity, bank security, and any other issue in the industry including staffing, risk assessment, penetration testing, and compliance. Financial services companies are an attractive and highly targeted sector for cyber criminals. It is also an industry where Zach, Mike, and Lauro have a deep history.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

Microsoft has a bad week……

In other news…

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber criminals and now here's your hosts mike rotondo zach fuller and

lauro chavez hello and welcome to the cyber rants podcast this is your co-host zach fuller joined by

mike rotondo and lauro chavez and today we are talking about financial services cyber security

silent sector our firm has done work for banks and credit unions and insurance

companies and companies that are kind of like insurance companies but not really insurance

companies we've worked with private equity firms fiduciaries this is a topic that is important

it's a very critical sector for obvious reasons in a very targeted sector for obvious reasons the

cyber criminals want to go after those people that control the money so that's what we're

talking about today but mike before we do do you have some good news for us no or just bad news

why don't you kick us off with the bad news then the bad news i'm just i'm not gonna go in depth

on some of these headlines it's just uh here we go microsoft has a bad week that's a headline for you

another one another one seems like a trend yeah microsoft admits to have mistakenly

signed a software driver loaded with rootkit malware attackers breach microsoft customer

service accounts microsoft successfully hit by a dependency hijacking attack again researchers

leaked poc exploit for for a critical windows rce vulnerability microsoft translation bugs open edge

browser to trivial ux ss attacks and windows 10 emergency update fixes pdf opening issues

and finally in microsoft's very bad week 700 million linkedin accounts uh records

which linkedin is owned by microsoft for sale on hacker forum and as of june 22nd second massive

linkedin breach reportedly exposes the date of 700 million users which is more than 92 percent

of the total 756 million users on linkedin and the database is on sale for the dark on the dark web

it includes phone numbers physical addresses geo location data and inferred salaries it

does not include passwords so just keep that in mind i think it was laurel correct me if i'm

wrong but it was a bot scraping thing it wasn't a actual hack but still yeah that's right still

still frowned upon still illegal certainly yeah scraping i was gonna say to add insult to

injury there's all these articles out slamming bill gates for stuff that apparently he did

during his time there so it's just not not good overall for them not at all and um

yeah then there's also discussions of the antitrust stuff for tech which uh

congress is talking about for amazon google apple facebook twitter um and microsoft who also

happens to be one of the advisors of the federal government on security maybe they should work on

their own house a couple other critical ones the cisco asa vulnerabilities actively exploited uh

the cisco the specific cisco asa vulnerabilities of cross-site scripting vulnerability track to cve

2020-3580 it was originally fixed in october of 2020 and then found popped up again and fixed

again in april 2021 um just a heads up on our evil are real evil our evil ransomware's new

linux encryption targets esxi virtual machines uh the arrival ransomware operations now using

a linux encrypter that targets and encrypts vmware esxi virtual machines by targeting

virtual machines this way are able to encrypt many servers at once with a single command so

lock your esxi machines down and further proof ittown is in short supply ransomware gang is now

creating websites to recruit affiliates at least two ransomware gangs in need of hackers to run the

attacks have been using their sites to advertise features of their encryption tools to attract new

recruits to attract partners lockpick claims to offer the fastest encryption of file stealing

tools all over the world and another game promoting their ransomware as a service

operation on their website recently is himalaya an actor that started this it

started its activity this year so that's the news good luck microsoft we'll talk about you i'm sure

laurel gosh man well that's okay you know crush and burn yeah nothing nothing nothing surprising

there anyway so for exploits this week a couple things i want to talk about they both both have

to do pretty much the same thing yeah yet again or talking about wordpress plugins

so if you're using wordpress be careful if you've got the x cloner if you need to use the xcloner

plug-in make sure you're upgrading beyond 4-2 there's a remote code execution uh exploit

payload ready to go for that version and versions below it so again if you if you must you must use

the if you must use this for functionality make sure you keep you keep your your plugins updated

the other one is a polls plugin for also for wordpress allows you to do polling and that sort

of activity from different types of sites there's a stored cross-site scripting there so pretty

vulnerable especially if people are coming to the site for poll uh information and if there's a you

know stored cross-site scripting that's reflecting them to something like malware so again make sure

if you must you must date a wordpress person and update your plugins and that's uh that's all the

interesting exploitable activity that we've got for payloads this week zach what are we talking

about baseball i was gonna say it sounds like it sounds like microsoft and wordpress are good

buddies they must hang out a lot i didn't even talk about the google exploits this week because

you know at a certain point it's just like enough is enough being with microsoft's like dayton it's

like dating somebody you know and it's it's fun for a while it's a lot of fun then you find out

they're doing heroin in the bathroom and you come in with a spoon and the lighter and right around

that time sancho kicks open the door talking about the prostitute and how much money that

now you now owe so it's a big risk you know what i mean wow it's a good good analogy to microsoft

it definitely catches you unexpectedly and costs you a lot of money but hey that's

a lot of fun it's almost like you need a news hiatus and uh and a lot of effects got pretty

colors it's got pretty colors it's so much fun to use it look at the latest version want even more

cyber rants be sure to subscribe to the cyber rants podcast get your copy of our best-selling

book cyber rants on amazon today this podcast is brought to you by silent sector the firm dedicated

to building world-class cyber security programs for mid-market and emerging companies across the

us silent sector also provides industry-leading penetration tests and cyber risk assessments visit

silentsector.com and contact us today let's get to it then shall we talk about financial services

cyber security so if you're working in a bank or credit union or insurance company

or private equity firm or vc group or any other variant of somebody that deals with

money quite a bit you're a major target so um in fact i forgot to list vc groups and in the

companies we've worked with in the past um but uh that said um we've seen some pretty

crazy circumstances in those environments and no two are created equal right especially when you

get into things like credit unions for example you know you have credit unions with um you know

thousands of employees and you have credit unions with 50 employees so very different environments

different considerations but like we talked about last week and when we talked about

healthcare cybersecurity and financial services cybersecurity the fundamentals still remain

right don't forget the fundamentals the basics apply to all organizations

um but there are some considerations and and compliance requirements that that apply

to financial services so mike and lauro you have extensive extensive backgrounds with fortune 500

financial services companies down to uh startups and mid markets so what are the

pitfalls you see or considerations what advice would you have right off the bat for

people uh concerned with cyber security in the financial services industries well i think a lot

of times there's the perception especially in the small players that we don't really

have anything anybody wants to steal and that's something that we continually have to overcome

we're not big enough we don't have a big enough portfolio and what the reality is is that you know

the cyber criminals are out there because you have data and you have money and that's what they want

they either want data or they want money or they want to take your data and ransomware for money

and money is in these financial institutions so i think due to the target on the back of most

of these financial institutions you have to take your due diligence to do care to a higher level

than many many other types of companies simply because of the quantity and quality of data that

you have and the reputational risk of being hacked is greater when i worked for a very large bank

doing compliance we were actually told if someone breaks in and steals twenty thousand dollars over

the internet that we weren't you know hacks in and steals 20 grand we're not even going to say a word

because we're more concerned about reputational damage than we are about our you know the 20

grand i don't know if that's changed that philosophy changed that was a while ago but

anyway um that's the concern right now is that you have to keep a greater level of due diligence

so that means you have to be your sanitation of your cyber environment has to be cleaner

your training has to be better uh your pen tests have to be more frequent uh you need to

do internal and external i'm sure lauro will talk about more of that but um that's what i see from

the bank perspective is those kind of pitfalls of not truly understanding the threat landscape

that's a that's always a big that's always a big thing for and and we're you know and

here's the other thing i think to consider about this conversation is that you know these these

institutions usually don't have a team most of them unless they're like bcc or something

right they'll have a team of cyber security individuals and like mike said they'll have

a team of compliance individuals that are doing various things so now you've got the bureaucracy

and politics that unfortunately can slow certain things down and also convolute certain

information you know regarding risk because now you've got individuals that may be more

concerned with you know continuing their career and you know said location versus doing the right

things to protect you know consumer data and the data that the banks own around the you know the

financial information and things like that but um i think that uh you know the challenge typically

you know we see is the you know aside from all the all the crazy stuff you have to do from a from a

program management perspective right like mike was was alluding to you you've also got the people

problem right and i think that's where i think you know we see a lot of challenges with with team

maintaining team um resilience i guess if you if you want to call it that so

um just getting just having enough people to do the jobs that you need and so i think it's

it's causing that shortage that we're seeing in professionals um is causing some organizations

to have to you know reach out to partnerships and so those types of processes now have to be

um gone through from that third-party vendor management perspective right because now you're

you're outsourcing parts of the business that you can't support because of you know whatever right

um not enough minds or whatever the case may be right can't hire the right talent in your area

and so now you're you're stuck with a partnership or you know you're you're you're going to you know

large you know organization to bring you know rent-a-people down to assist you but you've got

to do that vendor management process and so mike was you know talking about that that due diligence

elevation now increases because the the risks are higher right around the because we're talking

about you know money not just we can ransom you they can actually get access to you could get

access to money that belongs to you know the people that you're holding on behalf of so i

think that's that's where that due diligence step increases and so i think that's where we see some

vendor management program uh places like slip for financial institutions where they're not really

managing the supply chain very well at first it's not something that they're considered from a risk

makers they're working really hard to protect the vitals of the the business systems right which is

all you know obviously needs to be protected as well but you can't forget about that those other

parts of the puzzle too and they don't always understand the internal attack vector that's

a good idea you know that's a great con point laurel um that they have to look at those vendors

yeah absolutely and that's why we do those those internal pin tests and you know i think a lot of

that you know the risk assessment requirements for the financial regulations will you know

when you do a risk assessment you can certainly scope it out but you can't just keep it the same

thing every year you can't look at one box every year right you have to start you can

start that way sure but it starts to look like you're hiding things keep it that way right yeah

go ahead oh no no i don't i was just gonna say yeah you have to you certainly have to just keep

you know keep looking around internally and external on another note you need to switch

auditors every couple years and we've come across some companies that are just comfortable with

their their auditor and they've had them for 10 or 15 years and i think at a certain point that

relationship will supersede the do the you know the the intensity of the review simply because

you have a relationship with this vendor for 10 or 15 years that's doing your auditing um

so even though we are in this business we would still recommend you change you know every couple

years just to make sure that some different set of eyes are looking or bring somebody in to

check somebody's work check the existing vendors work just to ensure that you're taking the proper

precautions um because you know we've seen that with large companies with pci and we've seen that

with you know where you know we know the vendor we know the auditor we get the same auditor every

year we go out for drinks have a nice dinner and then you know they give us a you know nice

soft audit so that stuff needs to be checked and you really need to management needs to take active

control of this and make sure that things are properly audited and uh looked at um on another

note this is not necessarily a technology thing but what we found is that some of the smaller

banks and actually some of the larger banks they don't pay very well um to be honest with you

um so they have a hard time they really don't no they don't they have a hard time retaining

talent because of that so you're going to bring in a mercenary consulting company who doesn't

have the same level of concern i mean other than selling sector but it doesn't have the same level

of concern for your enterprise that your employees would have because they're not invested in it

they're just getting paid they're mercenaries so i would recommend highly to any of our you know

millions of listeners uh that they would if you work in a banking industry bump that pay a little

bit pay for training yeah if you count the bots that are listening to us it's like a quadrillion

that's awesome how many fans we have um it's like celebrity status oh yeah i didn't realize that

but yeah you know spotify reached out to us because they're tired of that joe rogan guy

and i thought we would do better like man these guys cyber security it's a hot topic

well you know one of the things we get a lot of calls a lot of uh outreach from

um these i you know i'd put them on the kind of smaller realm of financial services firms like

credit unions for example with that have ncua compliance right because we've done a bunch of

that they're looking for risk assessments for ncua and for the organization as a whole um and and

it's it's interesting you know in the conversation it's tough i feel for them because they have

they're a few hundred people essentially a small business you know a couple locations or whatever

but they're they're you're exactly right and that they they are struggling to you know bite off the

extra expense of getting you know paying their security people better right so or they're they're

and they're saying with their i.t staff right so they see a lot of turnover meanwhile they're

trying to maintain compliance and security and all that but i i unfortunately don't know that

there's a way around it i mean we always recommend you know for financial services companies i mean

they should be doing quarterly pen testing right they should they need to be doing continuous

vulnerability scanning all these other activities but they're in essence for a small business to

to you know to do that and allocate budget for that it's it's difficult so um it's and

unfortunately when when they don't and something happens then they're you know then their breach

expenses are much much higher than what they would have paid just being proactive and then

it takes some often years to get proactive after that because now they just had all this

overhead and expense that they're they're you know licking their wounds from for the next year or two

so it's a tough dilemma but i think we you know it comes down to education what we're doing here

you know they need to be doing um regular pen testing internal and external right a lot of

organizations it's not the case if you're you're a construction company and you get hacked you're

probably still going to be putting up uh two by fours the next day you know it it's just the

nature of the business right but with financial services i mean you get hack all the notification

requirements all the legalities lost clients on and on um you know nobody wants to hear that

you know the place that their money is sitting uh is not secure right it's probably the worst thing

reputational damage is what they're really concerned about in a lot of ways and

as far as i know you can't put ransomware on two by fours or uh pvc pipe so that's true no

but you can put fungus and that's kind of what ransomware is right it's like like a moles that

just spreads ransomware spreads quicker but yes you're you're right i pick it up

well here's an example right so we had a financial institution that does that we you know spoke with

that they do weekly penetration tests uh they use an automated platform right so it's not he

doesn't have some manual steps but they at least do an automated sweep um you know with with the

commercial products on a weekly basis which is pretty impressive and then as an example

in in my hometown in tejas uh there was a a small local bank that had a chief information security

officer opening uh for a whopping salary of 47 000 a year and so um i thought that was an interesting

an interesting thing now this was a couple years ago so um but you know again you're not going to

receive you know talent from other places right if you're not going to be competitive at a nationwide

market level which is i think necessary for at this point right for these types of for these

types of talents and these types of um you know positions that you're asking individually and not

only that the amount of risk you're asking them to juggle right and resolve for you you know cso gig

is not a son-in-law job unless your son-in-law is really good you know it's not one of those things

you just throw someone in that you know they're reading the cissp book so they're obviously a cso

you know you gotta have experience and you gotta have um talent and unless you do you know you may

only be worth 47k but you are you're not any good and you really need that true experience and so

to be competitive unlock those purse strings yeah and if you get if you get moved into one of those

positions you know and you're not you know you kind of it's either one it's gonna be two things

right there's gonna be a there's gonna be an ego based response there's gonna be the opposite right

where it's like i you know i realize i'm in a place where i need help reach out for help you

know find the help that you need you know it's not you know we don't do anything on our own right we

we all require others to help us and so csos are no different right you may be great at leadership

great at obtaining budgeting you may be great with working with the business leadership to get budget

you're still going to need talent to you know do those work and i think that that's important

to you know i think a lot of the smart the smart ones out there understand that that's what they're

looking for or find a consultant that's willing to mentor you you know it's like you know for a price

you know get with a consultant that you know by 30 hours or whatever their time so you can

ask them questions get their guide and get some input get some so you're not you know

bouncing everything off yourself and you know an ethical chamber one is not a good echo chamber

yeah youtube will only get you so far yeah and the books only get you so far right i mean

there's a whole lot of stuff in the cissp books and the serious books that you know that's nice

but you know you can't unless you have a massive organization you're not going to be able to follow

you're not going to have an audit committee a steering committee a security committee

blah blah blah it's going to be a committee of one on a lot of those things so um depending

on the size of your company yeah well you know it's it's one of those things i mean i think

it's clear that any kind of mid-market and smaller type financial services firms of any kind really

require outside help i mean generally speaking they're not going to afford be able to afford or

be willing to afford a full security department um so generally what we see is they usually have

some pretty good i.t people that kind of take the bull by the horn so to speak and and try

to implement as much as they can within the time they have with all the other operations going on

to align with the various compliance requirements and and and get that done but um they're not going

to be doing it you know unbiased testing risk assessments um all of that there's also you

know considerations around the complexity of environments with a lot of uh organizations

have you know multiple locations scattered all over the state or all over our region

um so you know consideration about that a lot of times the the it resources are strapped then

just i'm chasing down all the problems and and all the you know help desk function they kind

of handle everything so in these companies a lot of times we see you know the it team is

two to maybe six people in a lot of cases and um and yet generally no security professionals or

maybe they have one very junior security analyst which is an outstanding asset to have but they're

not going to really build maintain the formalized security program for you so get outside help

and um you know we won't go into all the compliance requirements of things like you know

finra and socks and ncua and all these things that organizations organizations have to chase down

but the same the same is true and what we talked about what we've talked about previously when

we've discussed compliance which is you have to operationalize it you have to build it into your

processes day in and day out and if you can't do that again get outside help right but um you can't

be putting everything on hold for the i.t side of the company um for you know a couple months before

the audit and and then trying to pick up back up afterward it just doesn't work that well and then

you know finally you got you know obviously social engineering uh is a huge huge threat the human

element is a is very susceptible and their massive target and financial services companies so make

sure you're running ongoing security awareness training test phishing campaigns there's great

platforms out there like know before that you can basically set it up and and in a fairly automated

fashion and and run those campaigns but make sure your people uh adopt a security conscious

culture because without that no matter what else you do you're going to be highly susceptible

any other final thoughts or smart or snarky remarks as laurel likes to say

i think you need to have one one key piece is you need to have at least one dedicated security

person your ktlo people can have security tasks but they cannot perform the function of security

officer and ktlo and do both effectively and that's you know you can't do that dotted line

it has to be you need at least one dedicated resource that's all that's all they function

and do and they're going to cost more than 54 000 a year yeah exactly and then i mean even

if you're outsourcing your security function to somebody else you still want an internal security

function so that they know what you're talking a security resource so they know what this outside

company is telling you because you really don't want the security company telling you that you

know the problem is that your flux capacitor isn't working properly and that's why you're not secure

you need to have an understanding of exactly what they're talking about wait so the the flux of

passer has to do i didn't realize that man because mine's been broke for some time it's no wonder

microsoft and wordpress have both been having that problem too seems to be a trend maybe we

should get the flux capacitor we'll get in the flux capacitor repair business here yeah

soon but um we'll do the doors are falling off that delorean let me tell you how many times

do you think flux capacitor has been mentioned in cyber security podcasts throughout the years

yeah maybe but if you keep saying it we're going to start popping up next to back to the future

things that people are googling flexible

some great great seo strategy for us right well well great thank you everybody for listening

we'd love to hear your comments feedback go to cyberrantspodcast.com there's a little web form

and you can just tell us your thoughts suggestions or reach out on linkedin to any of the posts here

and um we'd love to take your uh thoughts and ideas on what you'd like to talk about

uh in the future and be sure to subscribe to the podcast let people know about it if you like it

uh thank you so much for listening and we will connect again next week and good luck to everybody

in financial services space uh especially if you're heavily heavily reliant on microsoft

and wordpress extra good luck to you check your flux pastor thanks everyone