AI-Powered Fraud Surges: Credit Unions Urged to Lock Down Software and Embrace Zero Trust

By Ray Birch

SAN JOSE, Calif.—Fraudsters are using AI to develop faster, more sophisticated attacks targeting credit unions’ sensitive member data, warns one security expert who emphasizes that CUs must prioritize AI-enhanced defenses and also “lock-down” their software to keep pace with evolving threats.

“Implementing zero trust frameworks will be essential for credit unions to secure complex digital ecosystems and third-party vendor connections,” said Simone Sassoli, CEO and chief product officer at cyber-security firm Virsec. “Verifying every access point, from software to devices, can reduce risk and prevent breaches.”

But, perhaps, what could be even more concerning is third-party risk, an issue that NCUA has been emphasizing, Sassoli said.

“There are two third-party risks. One is where you're consuming a service through a connection to a third party, and unfortunately, you don't have a lot of control over how to run their security practices,” Sassoli said. “They only consume the service and if that connection gets impacted because the third-party supplier gets hacked…Unfortunately, the consequences are that you lose the service on your side. So, you don't have much that you can directly control, other than having a contractual obligation and making them responsible for certain practices or certain securities, which typically is just done through a simple security audit.”

But that is a paper exercise, Sassoli said.

“So, you don't necessarily know how secure and what is the implementation of the service. Through a contractual agreement, you can strengthen that and can ask for more evidence on the third-party suppliers, on how they are securing their services,” he explained.

Then, there is another threat element, where the CU is consuming software, Sassoli noted.

“So, third-party software that is being run either in the cloud or on premise by the credit union. And the question really is, do you even know what software is running your infrastructure? Starting with visibility of the software, you can hold those vendors responsible because you can understand if the software is vulnerable, if the software follows practices, and how can you defend it,” Sassoli said.

'Technical Debt'

“Providing visibility on what runs is important for the credit union,” continued Sassoli. “And we've seen that a lot of credit unions also have technical debt—legacy operating software that is either at its end of support or is not easily patchable. Many times you don't know the zero-day movement abilities or the zero-day attacks. So, how can you preempt instead of reacting?”

Sassoli emphasized that crooks’ offense is still outpacing defenses.

“And it doesn't matter if you're going to use AI-enhanced defense,” he explained. “You're still a step behind the bad guy, and you will be breached,” said Sassoli, whose company offers solutions to protect software from cyber-threats.

What can a credit union do differently?

“The average enterprise has over 70 cybersecurity products,” Sassoli said. “The criminals are trying to find vulnerable software that they can exploit to run ransomware code in your environment, or they have stolen credentials through phishing attacks and other methods so they can gain control of good software that they can use to do bad things.”

Sassoli said a security defense that is solely based on looking for signs of a cyber-attack is too reactive. He added the CU industry has not done a good job of securing and locking down its software, which can thwart attackers even if they penetrate a CU’s systems.

“Typically, we are looking at detection and response in the industry,” said Sassoli, who added that credit unions are not that effective at defending against cyber-attacks. “I am seeing behavior that seems to indicate that a bad actor is trying to do bad things. It's a reactive model. But we know what the bad actor is after—it's software. You should think about an approach that locks down your software in such a way that you keep the bad guys out. That's a preemptive model. Is it perfect? No. But it's a very strong addition to a defense, that, for some reason, the credit union industry does not seem to want to embrace.”

Copyright Holder: CUToday.info
Copyright Year: 2026