DENVER–“Password guessing” and theft of passwords through network domain name servers (DNS) and broadcast protocols were the focus of some of the discussion during the second day of the NASCUS/CUNA Cybersecurity Summit here.
Participants were given insights into how hackers use such techniques to infiltrate computer networks.
Brandon Henry of TrustCC provided a hacking demonstration for the participants at the meeting, and discussed tips for detecting and resolving attempted hacks. Among the advice shared by Henry:
• Look at your broadcast traffic, and know it.
• Enforce the Microsoft NT LAN Manager version 2 (NTLMv2) authentication protocol, or – if possible – use open-sourced Kerberos authentication.
• Do not give users local administration rights.
• Enforcement by networks of SMB (Server Message Block) security signing protocol (which “signs” data at the packet level).
In other presentations on day two of the symposium:
- Mark Berman of Horsetail Tech outlined “what credit union board members need to know” about cybersecurity, urging credit union boards to simplify their response to any security lapses, talk strategy (not solutions) in addressing future lapses, and ensure that the IT staff and board are speaking the same language in addressing the strategy (i.e., tech talk versus business talk).
- Jay Isaacson of CUNA Mutual Group gave an overview of the vulnerabilities of “chip and PIN,” Apple Pay and other aspects of the evolving payments system. He noted that member convenience, fraud, and technology investments should be considered in a credit union’s strategic plan when considering adopting new payments systems methods, but so should the inherent risks of the new methods. Isaacson reminded that no matter what new methods are selected, fraudsters will continue to focus on the weakest links.
- Neil Archibald of Members Trust Company urged attendees to ensure that vendor due-diligence is a central feature of a credit union’s compliance management and cybersecurity program, noting that an ongoing assessment by a credit union of the purpose, structure, and execution of vendor relationships is vital to safeguarding member information in a shared environment.
- Tim Segerson, deputy director for examination and insurance at NCUA, provided a two-hour overview of how NCUA plans to incorporate the new FFIEC “cyber assessment tool” into its exam procedures.
The conference concluded Tuesday.