“You are the weakest link”
In recent television game show history this term was used and abused by its ornery British host Anne Robinson. Today this statement could be applied to a surprising amount of Credit Union employees as well. As the security intrusions in the Banking industry have been adequately documented and reported, the recent publication of the results of a true social engineering experiment within a Credit Union are not surprising and should be met with an equal amount of outrage and trepidation.
I believe it is not “if” a Credit Union is compromised but “when.” Daily, as an administrator of several IDS (Intrusion Detection Systems) for our Credit Union clients, I see my fair share of malware and spyware “phoning home” from CU employees’ desktop workstations. Additionally, in recent months we’ve seen an escalation in attempts to “phish” Credit Union members and separate them from their private financial data. We’ve even seen the “de rigeur” encryption of data on the backend being spurned because of the time it takes for a CU employee to deal with the apparent deluge of lost password requests. The metaphorical icing on the cake is the prevalent Credit Union reliance on Microsoft’s notoriously porous browser, Internet Explorer, for in-house web browsing.
In future posts, I will examine why I adamantly feel Education is a powerful countermeasure against these human engineering and phishing attempts. I also hope to offer some security suggestions (some glaringly obvious, others not) which I conceive will be useful for admins, managers, and employees alike. In the meantime, let’s all plug the USB Flash drive we found in the Target parking lot into our home PCs and see what damage ensues…