Sally Beauty is the latest to fall victim to a data breach, and the PR nightmare has begun. This happened, of course, just as I started writing this blog post. It looks as though retailers are getting slammed with data breaches, due in no small part to the lack of regulations they are required to follow.
It's no secret who will incur the financial burden of this. This was a theme echoed at the last Governmental Affairs Conference. So make sure to document your losses on all breaches and report them to your representatives in Congress.
Given that, let me address a regulation your credit union needs to follow to further reduce the chances of a data breach. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect their customers' information against security threats. Log management helps identify possible security violations and resolve them effectively. Furthermore, per NCUA Regulation 748 Appendix A, III.C.1.d, change control procedures should be in place, designed to ensure that system modifications are consistent with the credit union's information security program.
On May 17, 2013, both www.federalnewsradio.com and www.wtop.com were compromised. The websites were infected with exploit-kit malware delivered via a fake Flash installer. This problem could easily have been avoided with an effective patch management program.
Credit unions should be able to answer the following questions to demonstrate a strong patch management program:
- Is a patch management program written, practiced, and reviewed on a regular basis?
- Does management have a formal process to determine the types of changes to the information system that are allowed?
- Do you have written change management procedures addressing management approval, scheduled upgrades, testing, and implementation?
- Is there a change control log kept to reflect the most current status of the updated/patched environment?
- How often are patches and updates applied to operating systems, antivirus applications, spyware removal applications, data processors, etc.?
- Does the credit union subscribe to alert systems such as us-cert.gov?
- Are software updates to patch critical security holes in Microsoft Windows, Apple, Flash Player, Java, Adobe Acrobat and PDF Reader products monitored? (Microsoft alone addressed 23 vulnerabilities in the March 2014 patches.)
- Are software updates to patch critical security holes in hardware devices (e.g. firewalls, routers, switches) monitored?
- Are updates installed and tested in a test environment prior to deployment? If a test environment is not applicable based on the size and complexity of your credit union, have you ensured the updates are certified by your respective vendors?
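As an added example (not code from the original post), here is a small Python checker for the change-control-log questions above: it validates each record for management approval, a scheduled upgrade window, test-environment validation (or vendor certification where no test environment exists) and a logged deployment date, and flags changes still pending beyond a threshold. The record fields, sample entries and patch names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Lifecycle a change record moves through; the log should always show the current stage.
STATUSES = ("requested", "approved", "tested", "deployed")

@dataclass
class ChangeRecord:                        # field layout is a constructed assumption
    change_id: str
    system: str
    patch: str
    status: str
    requested_on: date
    approved_by: Optional[str] = None      # management approval
    scheduled_on: Optional[date] = None    # scheduled upgrade window
    tested_in_lab: bool = False            # validated in a test environment first
    vendor_certified: bool = False         # accepted alternative when no test environment exists
    deployed_on: Optional[date] = None

def audit_record(rec: ChangeRecord, has_test_env: bool = True) -> list:
    """Return checklist findings for one record; an empty list means it passes."""
    if rec.status not in STATUSES:
        return ["unknown status: %r" % rec.status]
    stage, findings = STATUSES.index(rec.status), []
    if stage >= 1 and not rec.approved_by:
        findings.append("no management approval recorded")
    if stage >= 1 and rec.scheduled_on is None:
        findings.append("no scheduled upgrade window")
    validated = rec.tested_in_lab or (not has_test_env and rec.vendor_certified)
    if stage >= 2 and not validated:
        findings.append("tested/deployed without test-environment result or vendor certification")
    if stage == 3 and rec.deployed_on is None:
        findings.append("deployed but no deployment date logged (log is not current)")
    return findings

def overdue(records, today: date, max_days: int = 30) -> list:
    """IDs of changes still not deployed more than max_days after they were requested."""
    return [r.change_id for r in records
            if r.status != "deployed" and (today - r.requested_on).days > max_days]

LOG = [  # constructed sample log entries; patch names are placeholders
    ChangeRecord("CHG-1", "dc01", "OS-PATCH-EXAMPLE", "deployed", date(2014, 3, 12),
                 "J. Doe", date(2014, 3, 14), True, False, date(2014, 3, 14)),
    ChangeRecord("CHG-2", "fw01", "FW-FIRMWARE-EXAMPLE", "deployed", date(2014, 2, 1),
                 None, date(2014, 2, 5)),
    ChangeRecord("CHG-3", "ws-lab", "FLASH-UPDATE-EXAMPLE", "requested", date(2014, 1, 20)),
]

def run_audit(records=LOG, today=date(2014, 3, 20), has_test_env=True):
    """Audit every record and list overdue changes: (findings_by_id, overdue_ids)."""
    return {r.change_id: audit_record(r, has_test_env) for r in records}, overdue(records, today)
```

Run `run_audit()` on your own exported log to see which entries fail the checklist and which requested changes have sat untouched past the threshold.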
Retailers sharing the financial burden of breaches and having more regulatory oversight and standards is definitely an issue, and your voice should be heard by your local political representatives. However, it is important not to forget that we, as an industry, should continue to lead by example and demonstrate how to balance regulatory responsibility with a strong security posture.
By Idrees Rafiq, Jr., AVP IT Consulting, Credit Union Resources, Inc.