It’s Cyber Security Awareness Month. Do you know what data is leaving your credit union?

Did you know that it’s National Cyber Security Awareness Month (NCSAM)? This year Ongoing Operations has become a Champion of NCSAM, joining a growing global effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations and individuals to promote online safety awareness.

As part of our commitment, we’re sharing detailed information and technical advice to help your credit union improve its cyber security posture. The first key question we’d like to ask is: Do you know what data is leaving your credit union?

Another way to ask this same question more technically is: Does your Credit Union have Egress Filtering in Place?

Having been in security for as long as I have, I always ask the same questions over and over again. I usually get the same answers. Particularly when I ask if an organization has egress filtering in place on its perimeter. The answer is normally no or kind of, sort of. That is not the right answer.

First – What is Egress Filtering? Egress Filtering is a perimeter defense tool that restricts data from leaving your credit union to the outside world. This is great for creating a layered defense and making it tougher for sensitive data to get in the wrong hands. Think of it like a reverse firewall…

First and foremost, it is extremely risky not to strictly identify and control what traffic is leaving your network – period. Is it easy to retrofit a policy into an organization that has legitimate dependencies on resources that are on the Internet? Absolutely not, but given the risk reduction, it is worth the pain.

Of course the decision that it is worth the reduction in risk, even though you will break some things along the way, has to come from senior IT management. I kid not about breaking some things, I have yet to see a deployment of egress filtering not miss at least one application dependent on Internet access, regardless of how well it was planned, researched, and sniffed.

There are really only two types of policies that are normally used when deploying an egress filter: Default-allow or Default-Deny. I don’t spend much time on default-allow, to me it is pointless, at least in the financial services industry. I have seen where it might make sense in a certain use case, but not this one. Default-deny is by far the best way to deploy. It just makes sense. Short list of permit statements on top (well documented and backed by business justifications, of course) and a dead stop deny any at the bottom.

One common question that is: how do you handle operating system and software updates? At a minimum, restrict outbound access to Microsoft’s IP address ranges and subnets, but the real answer is have a Windows Update Server (or use a managed service provider) on your internal LAN. This is especially true for servers. For third party software, there are a number of vendors that provide secure ways of managing that aspect.

Here is why this matters:

I worked for a group service credit card provider that had a third party vendor for its loyalty program. I received a call on a Friday evening that a ransom email was received by the vendor with a snippet of their database, demanding cash or they would sell or publish the data they compromised. After further investigation it was determined the vendor recently deployed a new form on their web site that did not go through QA/security. This form had SQL injection vulnerabilities.

The SQL injection vulnerability on the web server was exploited, leading to a full compromise of their MSSQL server. The company did have a WSUS server on their DMZ, but was having issues connecting the MSSQL server to it based on VLAN ACL mis-configurations. Instead of fixing the ACLs the administrator decided to just allow full outbound Internet traffic from the MSSQL server to get the latest updates, intending to turn it off when they were complete. He forgot to turn it off.

Once the database was compromised there was nothing to stop the hackers from exporting the data using whatever protocol they wanted to wherever they decided. Very bad.

So, just like a double-sided deadbolt is safer than a single sided deadbolt – setting up Egress restrictions for your credit union is a much improved situation.

Learn more about how Ongoing Operations can help you with Egress filtering and other cyber security enhancements by contacting us at or visiting

Bob Miles

Bob Miles

Providing Credit Union clients with an expert, board-level resource that can help manage and steer their clients’ information security compliance, governance and/or regulatory program(s). Performing some or all ... Web: Details