Ethical Hacking Manager Helps MSUFCU Discover Vulnerabilities
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security, cybersecurity and information governance to protect data and transactions at credit unions and other financial institutions.
If a surname helps define someone’s profession, then MSUFCU’s Ethical Hacking Manager Sean Verity has the right job. Verity has been with the $6.5 billion East Lansing, Mich.-based MSUFCU for more than a decade, progressing from systems auditor and penetration tester to running a two-person department that detects vulnerabilities.
Verity’s professional journey began after receiving a Bachelor’s degree in music education from Central Michigan University in Mount Pleasant, Mich. He taught high school and middle school band and choir for a year. “I realized that was not the career option for me,” Verity confessed.
Consequently, he joined the United States Marine Corps and served more than five and a half years as a communications officer. “That's where I got my experience and training. It is really IT management more than anything.” During his last year in the Marines, he started learning about the security side of things. In particular, hacking caught his attention, including how it works, as well as the tools and techniques used. “I just started learning and that's kind of how I ended up where I am now: a sense of curiosity for how to do it (hacking).”
Following his USMC tour, Verity returned to his home state in May 2011 and began working at MSUFCU as an IT auditor. “I didn't know exactly what that position was,” Verity said. At the time, he was consuming as much information about hacking as he could gather, including an online hacking magazine called Phrack. He thought the auditor position would allow him to look at source code and find vulnerabilities and exploit them. “I thought that sounds like fun. Maybe I'll be doing hacking in this job.”
Verity quickly learned that auditing does not include hacking. However, he later became involved in testing the security of a new online banking platform. That gave him the opportunity to take a hobby — learning the details of hacking and detecting vulnerabilities — and turn it into “penetration testing,” which was new to MSUFCU at that time. “It wasn't a completely foreign concept to them. I was fortunate (MSUFCU) let me give it a go. It just kind of morphed from there over time; it's grown to a more robust program since.”
What Is Ethical Hacking?
Ethical hacking, also known as penetration testing or pen testing, is legally breaking into an organization's defenses to detect vulnerabilities in an application, system, or infrastructure. “There's lots of different names you might hear, penetration testing, red team testing, ethical hacking, security assessment. They're all very similar in that you're attacking a system with the goal of uncovering a vulnerability,” said Verity, who took on the role of MSUFCU’s ethical hacking manager three-plus years ago.
He also explained the difference between penetration testing and vulnerability scanning. Scanning involves bombarding a system with probes to look for particular susceptibilities; a penetration test often takes those scan results and actually exploits them. “(Hackers) might use that access if they compromise a critical vulnerability to try and access something else or access something sensitive on the system,” Verity said. Demonstrating that chain of access proves that a real business risk exists, rather than a theoretical finding.
What are MSUFCU’s current risks related to cyber and information security? “We have over 300,000 members and $6.5 billion in assets. That would make us an attractive target especially to criminals that are financially motivated,” Verity noted. He also listed where vulnerabilities could surface: in-house code, a mobile banking app in the Google Play Store and Apple App Store, an online banking web application, other in-house solutions, and the same kinds of third-party solutions used by other financial institutions. “We want to find all the vulnerabilities in these things before criminals would so that we can fix them.”
Verity further explained that he and the other ethical hacker on staff also work with third parties. “We manage those relationships, and help identify appropriate vendors to test.” In addition, they have other responsibilities that fall under the risk management division.
Dealing with the pandemic created more complications due to remote working and banking, Verity noted. “Right now, like everyone we're in kind of a hybrid state. Obviously during a good chunk of 2020, we were definitely mostly remote. There were a handful of positions that just absolutely had to be onsite. We've kind of migrated back with the new protocols that have been introduced in response to the pandemic and whatnot.”
A lingering concern revolves around virtual private network (VPN) utilization. “The VPN was used to handle several dozen clients at any given time before the pandemic,” he said. “And then obviously after the pandemic hit (and staff worked remotely), there were several hundred people on the VPN system at one time. We did do an upgrade to the VPN system.” Verity said no actual incidents arose from everybody working at home during the pandemic. Still, with so many people accessing the network remotely, the security risk persists.
Overcoming Overconfidence Bias
Verity acknowledged his position requires a balanced perspective: confidence in the credit union’s information security program combined with the ability to continuously adapt to threats. “I think we do have a very strong information security program because I'm testing it.” He admitted, though, that his partiality could present a problem. “Overconfidence bias, that is a thing. If you become overconfident in what you have, it could lead to stagnation, and then something creeps up that we are not even paying attention to, and then you're vulnerable and you can get compromised.”
There is another reason not to get complacent about the credit union’s information security program. Verity pointed to compromised organizations, such as Microsoft, T-Mobile and Equifax, that are exponentially bigger with more resources than the credit union but still could not prevent intrusions into their systems. “So, we spend a lot of time testing, not just on prevention, but also reviewing our ability to detect attacks.”
Testing includes running “purple team” attack exercises: hands-on-keyboard drills in which the red (attack) and blue (defense) groups work together to dissect cybercriminal techniques and the expected defensive response, in order to test, assess, and enhance the organization's resilience to cyberattack. “We can detect these things faster,” he explained. “But overconfidence bias is probably the thing that I think about the most.”
Verity also cited recent scams in which cybercriminals drained a victim’s funds via the peer-to-peer (P2P) payment service Zelle, using a phishing lure delivered as a spoofed text message. “With all the security technology that is available to organizations — web proxies, network firewalls, next gen firewalls, application control solutions, anti-malware — then you see some of these old school techniques are just as, if not more, effective and more efficient.”
Verity explained that cybersecurity teams now must watch these longstanding social engineering scams as well as the latest sophisticated threat actors. He referred to staying up to date on current threats by using resources such as MITRE ATT&CK, a web-based collection of information about malicious behaviors and the advanced persistent threat (APT) groups active in real-world cyberattacks. “So that you can see if you have complementary detections or preventions for those specific threats.”
Verity added, “We have invested in cybersecurity significantly ever since I've worked here. For at least 10 years it has been a high priority for our board and leadership.”