Are we prepared for Cyber Warfare?
Tensions are rising in Eastern Europe between Russia and Ukraine (among others). As that happens, malicious cyber activities are happening as well. A ransomware attack was made on Belarusian Railways which was intended to stop the inflow of Russian troops to Belarus. Russia and Ukraine have shown that they have considerable prowess at carrying out cyber attacks. These actors not only have a history of website compromises, defacements, data destruction, and ransomware, but they have also shown the capacity to actually disrupt infrastructure systems. There is evidence of cyberattacks that have shut down power grids and of attempts to poison water supplies. Government support - in diplomatic, financial, or material form - may also draw a nation into the cyber warfare that is going on. No matter which side of the conflict a government chooses, the other may decide to discourage that support through coordinated cyber attacks.
In this case, most of the world is backing Ukraine. The US and NATO have provided written statements and warnings to Russia. It is unclear whether Russia will continue any negotiations with the US and NATO. The US and the European Central Bank have warned that there are likely to be substantial sanctions against Russia. While these sanctions are not likely to have an immediate effect, the statements alone have already caused a serious fall in the Russian stock market, forcing the Russian Central Bank to intervene.
Not only should our governmental agencies be extra vigilant during this time, but all organizations and businesses should be on heightened alert for malicious activity, as adversaries are not likely to distinguish between a governmental and a private organization. Further, when malware is deployed, it has a tendency to spread and infect vulnerable systems beyond the borders of countries, companies, or organizations. In 2017, when Russia deployed NotPetya through the Ukrainian software MeDoc (basically TurboTax for Ukrainian businesses), it infected anything it could touch with no regard for boundaries. It spread and destroyed all data it could reach, with no working ransomware decryption available. This attack in 2017 affected many systems throughout Europe, not just Ukraine.
For us in the Credit Union industry, that leaves us as pretty valid targets. We are targets of opportunity, whether to disrupt our infrastructure and draw attention to the conflict, or to fund their efforts through fraud. As we work through our internal Cyber Maturity, we often implement tools such as endpoint management, malware detection, SIEM (Security Information and Event Management), MDR/XDR (Managed Detection and Response / eXtended Detection and Response), and even Artificial Intelligence Detection and Response. These tools give us better visibility, but they do require us to watch for activities that are indicative of potential issues. We need to take the time to actually maintain vigilance over the tools at our disposal and participate in information-sharing organizations like the NCU-ISAO. Organizations like the NCU-ISAO actively watch traffic on the Dark Web looking for Indicators of Compromise to help guide us on what to watch for; your participation, whether consuming or sharing information, makes the entire industry better protected.
And just as we have needed to build out new ways to work when the pandemic and lockdowns occurred, we might be forced to consider other alternatives if a cyberwar is able to disrupt or affect large portions of the Internet as a whole.
Some questions your credit union might want to ask of itself:
- Could you operate the Credit Union on paper for an extended amount of time? Consider Credit Cards, Account Actions, and Money Transfers.
- How would you communicate with your Core Financial System? Consider what types of connections you have to the Core.
- Could you cover staffing in the branches if all the ATMs were offline?
- How much cash is held in reserve, and where, to handle a potential cash run on branches?
Look at your key business processes and how they would fare in light of some of the different stages shown below:
Does your Incident Response Plan contemplate various scenarios and have plans and ideas on how to respond? Run through different tabletop scenarios regularly (more often than annually) and contemplate these ideas and note them in the plan.
Does your Business Continuity Plan allow for continuing to run the business in the face of drastic losses? These might be scenarios we have never considered before: the complete loss of the Internet and all VPN-based services, the complete loss of access to Microsoft Cloud services, or even members losing Internet access at home.
Does your Disaster Recovery Plan contemplate multiple, belt-and-suspenders ways to recover from data destruction? If we were to lose our data, or access to our data, and needed to recover, how would we do that? If our data is lost AND our backup systems are lost, is there an immutable copy of the data also kept for long-term retention? If we had to rebuild our servers from scratch, including our Active Directory, how would you go about making that happen?
All of these are items we need to keep working on continually, but events like those in Eastern Europe provide further incentive to make improvements now rather than putting them off a little longer. Our Cyber awareness needs to be in proportion to our risk. As these events unfold, our risk is increasing.
Fear not, the credit union is not alone. You have an entire fleet of trusted partners standing by to assist your team. The Credit Union Service Organization is waiting in the wings with strategic advising and unbridled commitment. Don't have a CUSO partner? Our team is here to help. Email CISO@pureitcuso.com, or call our team at (281) 378-7797.