How to Best Protect Identity Data from the Top Three Forms of Cybersecurity Attacks
By: David Bryant, Chief Information Security Officer, PSCU
The majority of cyberattacks and high-profile vulnerability announcements occur because identity data — such as name, user ID, password and other information — has been compromised. According to the 2023 Verizon Data Breach Investigations Report, 74% of all breaches include the human element, 83% of breaches involve external actors and 95% of breaches are financially motivated. Basically, bad actors are leveraging identity data to steal money.
The report also revealed that the top three ways that cybercriminals attack organizations are via stolen credentials, phishing and through the exploitation of vulnerabilities — all of which rely on obtaining stolen identity data.
Protecting identity data is key to helping stop cyberattacks. As we close out our two-part blog series for Cybersecurity Awareness Month, here are ways to help your credit union staff protect their identity data against the top cybercrimes.
- Stolen Credentials: If an attacker steals an employee’s user ID and password, they have the keys to get into your credit union – so protecting credentials should be the first line of defense. Credentials can be stolen in a variety of ways, including when a data breach occurs, even if there is no direct business relationship. For example, if an employee signs up for something at any outside company with their credit union email (and potentially the same password they use on the corporate network), those login credentials could be exposed in a data breach that occurs at the outside company. Bad actors will use a technique called credential stuffing — taking data from other breaches and trying the user IDs and passwords at multiple organizations to see if they get lucky. Often they do.
The best mitigation strategy to prevent credentials from being stolen is to have a policy that prohibits password reuse. It is also a good idea to utilize a service that regularly checks known hacker areas for credentials belonging to your credit union, or it can be as simple as checking sites such as www.haveibeenpwned.com for email addresses that have been leaked. Make sure your credit union has strong password policies that require complex, difficult-to-guess passwords. Your password policy should also require regular password changes, as the more you can limit the amount of time passwords are exposed during a leak, the better.
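On the detection side, credential stuffing as described above tends to show up in login logs as one source trying many different user IDs in a short time, with most attempts failing. The sketch below is an added example, not part of the original article; the event layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, user_id, success)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "asmith", False),
    (10, "203.0.113.7", "bjones", False),
    (20, "203.0.113.7", "cwu", False),
    (30, "203.0.113.7", "dkim", False),
    (40, "203.0.113.7", "jlee", True),    # a reused password worked
    (50, "203.0.113.7", "mroy", False),
    (5, "198.51.100.20", "asmith", False),  # one user mistyping a password
    (15, "198.51.100.20", "asmith", False),
    (25, "198.51.100.20", "asmith", True),
]


def detect_credential_stuffing(events, window_s=300, min_users=5,
                               max_success_ratio=0.2):
    """Flag sources that try many distinct user IDs in a short window, mostly failing."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward so it spans at most window_s seconds.
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = rows[start:end + 1]
            users = {u for _, u, _ in window}
            wins = sum(1 for _, _, ok in window if ok)
            if len(users) < min_users or wins / len(window) > max_success_ratio:
                continue
            best = findings.get(ip)
            # Keep the window with the most distinct user IDs for each source.
            if best is None or len(users) > best["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    # Accounts that logged in during the spray need a reset.
                    "accounts_to_reset": sorted({u for _, u, ok in window if ok}),
                }
    return findings


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_EVENTS))
```

The accounts listed under `accounts_to_reset` are the ones where a password reused from another breach likely worked, so they are the first candidates for a forced password change.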
- Phishing: This is a very common tactic in which an attacker pretends to be someone they are not with the intent to steal the credentials (mentioned above) or implant malware under the context and rights of the user. This type of attack is getting tougher to combat every day as attackers become more sophisticated in digital impersonation. Many ransomware attacks and breaches start with a successful phishing attempt, usually focused on obtaining the user ID and password of someone at the organization. Once they get that information, they typically use the email system to dig themselves in deeper, usually resulting in what is called Business Email Compromise (BEC). Once in, they now have access to the company address book, including external addresses, to further spread the phish.
While technology controls that draw on patterns from known phishing campaigns can be helpful, strengthening human awareness is usually the better defense. Constant phishing awareness education and training is the best prevention strategy. Regularly test your employees for awareness and give feedback. Track failure rates and be sure to focus on those areas. Keeping humans aware and looking for phishing attempts will help those technology controls to be effective and provide defense in depth.
- Exploitation of Vulnerabilities: The identity data piece involved in the exploitation of vulnerabilities might not be as obvious as it is with stolen credentials and phishing, but if a cybercriminal successfully phishes to obtain credentials, the attacker is now able to access your credit union’s systems. After exploiting, the attacker will usually move about your network under the context of a user on the compromised system. Exploiting the vulnerability usually just provides a foothold, while the role of the user used in the exploit provides the ability to move around and actually do something. Attackers will also try to elevate whatever privileges they have to a role that has an administrator level of access.
To stop or at least slow these attackers down, protecting the role of the administrator is critical. Do not allow any account to have admin-level access that does not absolutely need it. Make sure those accounts that do require admin-level access have long and complex passwords, are closely guarded and monitored, and are as few in number as possible. Additionally, inventory and monitor any service accounts and ensure those roles are clearly mapped out and understood by the owners. Prevent humans from using those service accounts by blocking interactive use of those accounts.
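The inventory and monitoring steps above can be checked against logon records. The following is an added example, not part of the original article: the account inventory, field names and logon events are constructed, and it assumes Windows-style logon type codes (2 = interactive, 10 = remote interactive, 11 = cached interactive).

```python
# Assumption: Windows-style logon types that mean a person sat at a session.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed account inventory (names and fields are hypothetical).
ACCOUNTS = {
    "svc-backup": {"kind": "service", "admin": True, "owner": "infra-team"},
    "svc-report": {"kind": "service", "admin": False, "owner": None},
    "jdoe-adm": {"kind": "human", "admin": True, "owner": "jdoe"},
    "mroy": {"kind": "human", "admin": False, "owner": "mroy"},
}

# Constructed logon events.
LOGONS = [
    {"account": "svc-backup", "logon_type": 5, "host": "bk01"},   # service logon
    {"account": "svc-backup", "logon_type": 10, "host": "ws17"},  # RDP session
    {"account": "svc-report", "logon_type": 3, "host": "rpt01"},  # network logon
    {"account": "jdoe-adm", "logon_type": 2, "host": "adm01"},    # console logon
    {"account": "svc-old", "logon_type": 3, "host": "app02"},     # not inventoried
]


def audit_privileged_accounts(accounts, logons):
    """Report where the inventory and observed logons break the rules above."""
    interactive = set()
    unknown = set()
    for event in logons:
        info = accounts.get(event["account"])
        if info is None:
            # An account is in use that nobody has inventoried or owns.
            unknown.add(event["account"])
        elif (info["kind"] == "service"
              and event["logon_type"] in INTERACTIVE_LOGON_TYPES):
            # A human is using a service account interactively.
            interactive.add((event["account"], event["host"]))
    return {
        "interactive_service_logons": sorted(interactive),
        "unowned_service_accounts": sorted(
            name for name, a in accounts.items()
            if a["kind"] == "service" and not a["owner"]),
        "uninventoried_accounts": sorted(unknown),
        # Review this list regularly and keep it as short as possible.
        "admin_accounts": sorted(n for n, a in accounts.items() if a["admin"]),
    }


if __name__ == "__main__":
    for check, items in audit_privileged_accounts(ACCOUNTS, LOGONS).items():
        print(check, items)
```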
While having a mature and effective technical cybersecurity program is very important, keeping an eye on the human part of the equation is equally important. Doing a regular review of your user ID and password practices, along with a strong identity management practice that uses roles as a foundation, will go a long way to protecting the information assets of your organization.
As the Chief Information Security Officer, David Bryant is responsible for the systems and processes that protect PSCU and Member data. He leads the teams that implement and support information security technology and architecture as well as technology focused compliance programs. David also develops Information Security strategy for PSCU to reduce and manage risk and integrate cyber protections into business functions. His teams publish and maintain all security policies, standards and processes, as well as measure the effectiveness of the programs on a regular basis.
David has worked in the Information Security space for over 20 years in a variety of positions in operations, strategy, and architecture for several large, multi-national companies in a variety of industries with a focus on financial services. He has certifications as a Certified Information Security System Professional (CISSP), Certified Pen Tester (CPT) and Certified Ethical Hacker (CEH), among others. David has spoken at several large Information Security focused events and participates in multiple industry security forums and advisory boards.
David attended State Technical Institute at Memphis and Tampa College with majors in Electronics Technology and Information Systems.