Let's break all the rules. Accept a jump drive from someone you don't know. Bring it to work and plug it into your workstation. Copy the files over, and if your computer warns that a program wants to communicate with a known malicious website, click 'yes.'

Sound far-fetched? Perhaps. We'd all like to believe that no one in our credit unions would ever do anything like this. But they may not have to.

Let's consider the incredible first. It is widely believed that scientists carried jump drives infected with the Stuxnet worm into a secret nuclear facility in Iran. Stuxnet, allegedly developed by another country, succeeded in gumming up the Iranian nuclear enrichment program for a while. But in the process, Stuxnet also succeeded in escaping “into the wild.”

That means that several variants of the highly sophisticated Stuxnet worm could be knocking on our doors one day, using their highly advanced “zero-day” attack mechanism to spread from one computer to another.

Zero-day attacks are the hacking world's most potent weapons since they exploit software vulnerabilities that neither the software makers nor the antivirus vendors have seen.

Is your credit union ready for anything like a zero-day attack or advanced persistent threat? What would happen if your institution were attacked? Do you have the basics of security in place?

The most recent Verizon Data Breach Report noted that of the breaches studied, roughly 80% were purely victims of opportunity. The hackers simply found a security shortcoming they could take advantage of. This is akin to a burglar walking the neighborhood, checking to see who forgot to lock the door to their house.

In the vast majority of the breaches it was rather simple to breach the perimeter of the organization, and in most cases the breaches could have been prevented by the use of relatively simple controls. This sounds eerily familiar. In 2006 I gave several presentations underscoring the importance of mastering the basics in order to prevent security breaches. Six years later it seems that some organizations are still falling short with the basics.

There are a variety of basic security controls that should be standard operating procedure by now. Let's run through a short list:

  • System Configuration – Are all devices properly configured as recommended by the vendor or some other reputable, independent source such as NIST? Misconfigurations can often give an attacker a foothold.
  • Antivirus/Antispyware – Although there will always be the threat of zero-day exploits, there is still a wealth of exploits for well-known vulnerabilities. Failing to protect the organization against known vulnerabilities leaves the organization unnecessarily exposed.
  • Access Rights Management – Do employees have access only to the information they need in order to perform their job function? Are administrative rights restricted to those who truly need them? Often hackers will make use of existing IDs to carry out their nefarious deeds. You can make it more difficult for them by tightly controlling access rights.
  • Vulnerability Scanning and Patch Management – Keeping your systems updated is very important. If a vendor releases an update that closes a security hole, it should be applied as soon as possible. Frequent scanning of systems for known vulnerabilities is equally important. It's important to know where the holes are in the dike so you can plug them as quickly as possible. Sources such as Secunia can help you keep abreast of what's going on in this area.
  • Firewall, IDS/IPS, Web Filtering – Traffic to/from the outside world should be filtered and inspected. Your network should not be completely open to the outside world. Network traffic should be scanned for known malicious traffic patterns. It's also important to filter the sites that your employees can visit.
  • Log Review – It's important to be able to identify what has happened on a computer network. This will give you the ability to detect a breach and help you investigate what has been compromised as a result.
  • Security Awareness Training – Last but certainly not least, it's important to educate the human at the keyboard. Many breaches today leverage some type of social engineering attack, and the amount of information posted online in places like Facebook makes it easier for hackers to customize their attack. This makes it more challenging for employees to identify what is suspect and what is not. Employees should be very cautious when opening documents, surfing the Internet, and handling media they have been given or found.

There is certainly no one silver bullet that will make all our challenges disappear. But ensuring that the basics are covered at your institution will go a long way toward preventing a security breach. Your behavior at your credit union can make the difference between a mild annoyance and a catastrophe.

Kevin Hamel manages security for COCC in Avon, Conn.
