National Association of Federal Credit Unions l www.nafcu.org

Presented by

James Brooks

Cyveillance

Credit Unions in the Crosshairs

of the Latest Threats

National Association of Federal Credit Unions l www.nafcu.org

Overview

Latest threats explained

Existing defenses

Best practices

Agenda

National Association of Federal Credit Unions l www.nafcu.org

• Latest threats are very advanced

• Attack target selection will follow the pattern

of “traditional” phishing

• Credit unions need to act now

National Association of Federal Credit Unions l www.nafcu.org

• Social media has become a

mainstream attack vector

for fraudsters

• Both credit unions and

members have cause for

concern

New Threats

National Association of Federal Credit Unions l www.nafcu.org

• Fraud schemes targeting

smart phones on the rise

• Lack of security for ever-

growing amount of new

mobile applications create

a new set or problems for

companies

New Threats

National Association of Federal Credit Unions l www.nafcu.org

• Purpose-built for network infiltration and

corporate espionage

• Smaller, targeted attacks much harder to detect

• Direct financial losses are much more

significant than past smaller scams

Advanced Persistent Threats

National Association of Federal Credit Unions l www.nafcu.org

New Breed of Malware

• Stealthy

• Scalable

• Effective

National Association of Federal Credit Unions l www.nafcu.org

This variant of Phishing targets individual users, but for company specific information such as a network login, or financial information.

This example shows how an executive’s name (e.g. our CEO, easily garnered from our Web site) reinforces the seeming legitimacy of this classic “social engineering” attack.

Targeted Attacks

National Association of Federal Credit Unions l www.nafcu.org

• Targeted over 30

companies

• Criminals sought

highly sensitive

technical

information

Aurora

National Association of Federal Credit Unions l www.nafcu.org

• Targeted

organizations in

Europe, Japan, &

New Zealand

• Stole over 4 million

dollars in credits

Carbon Credits

National Association of Federal Credit Unions l www.nafcu.org

• 57 of 530 employees

targeted clicked on

malicious link – over

10%!!!

• Only a “few

megabytes” of data

were stolen before

the lab discovered

the breach

Is My CU Vulnerable?

National Association of Federal Credit Unions l www.nafcu.org

• Not designed to detect targeted attacks

• No security system can make up for human

error

• Most anti-virus applications takes days or

weeks to catch up to the latest threats

Existing Defenses Ineffective

National Association of Federal Credit Unions l www.nafcu.org

Anti-Virus Vendor Test Results 2H 2010

Source: Cyveillance

AV Performance

National Association of Federal Credit Unions l www.nafcu.org

Anti-Virus Vendor Test Results Over Thirty Day Period

Source: Cyveillance

AV Lag Time Study

National Association of Federal Credit Unions l www.nafcu.org

• Social Media Policy

• Proactive registration on top social media sites

• Monitoring of Web and social media

environment for potential threats

Best Practices

National Association of Federal Credit Unions l www.nafcu.org

• Ongoing employee training

• Staying abreast of latest threats and protection

technologies

Best Practices

National Association of Federal Credit Unions l www.nafcu.org

Questions?

Contact info:

James Brooks

Director, Product Management

jbrooks@cyveillance.com

(703) 351-2405