A new worm, EternalRocks that exploits Windows SMB (Server Message Block) vulnerabilities has been discovered by a security researcher. EternalRocks uses seven SMB-specific NSA tools, while WannaCry used only two. It is a much scarier worm because it does not have any weaknesses, including the kill switch used to contain WannaCry. EternalRocks uses EternalBlue, EternalChampion, […]

WannaCry, Wanna Crypt, WannaCrypt0r 2.0 is a type of Trojan virus called ‘ransomware’, which holds the infected computer hostage until ransom is paid by the computer owner. Over the weekend (May 13-14, 2017) the world has experienced a major impact by the WannaCry ransomware attack.  More than 200,000 systems across more than 150 countries were […]

NCUA Examiner Insight for 2017

by Brian Fischer on March 1, 2017

The 12th annual CUISPA (Credit Union Information Security Professionals Association) conference was held on February 21 & 22 in San Antonio. SCA routinely participates in this conference to network with credit union information technology and risk management professionals, and just as importantly, to engage NCUA examiners about items on their priority list. This year’s panel […]

Ransomware Survival Guide

by Brian Fischer on August 16, 2016

Malware and ransomware cases are on the rise. Cybercriminals are lured to the lucrative win of encrypting an organization’s files, then holding them for ransom. According to Security Intelligence by IBM, Q1 2016 saw a record high for ransomware. Kaspersky Lab noted a 30% increase in ransomware victims in Q1 compared to the one before. […]

Recently, I attended the annual CUISPA (Credit Union Information Security Professionals Association) conference in Austin, TX. As you can imagine, cybersecurity was a popular topic of discussion. Also in attendance was a panel of 5 NCUA IT examiners from across the country including the Director of ONES (Office of National Examinations and Supervision). A panel […]


Cybersecurity and Incident Response Top NCUA Focus in 2016

by Brian Fischer on January 12, 2016

The NCUA’s first Letter to Credit Unions in 2016 intensifies the cybersecurity concern which started in 2014 through an FFIEC cybersecurity exam pilot program. Topping the list of this year’s supervisory focus are Cybersecurity Assessments. The letter states “As in 2014 and 2015, NCUA will continue to carefully evaluate credit unions’ cybersecurity risk management”. This […]


Vulnerability Scan vs. Pen Test – What’s the Difference?

by Brian Fischer on September 2, 2015

The term “penetration test” is getting some attention lately. I’ve been hearing that auditors, not necessarily state or NCUA examiners, are asking for pen test results. Pen test is one of the most overused, and as a result misunderstood, terms in the information security industry. People say pen test just as easily as they might […]


There has been a lot of information all over the news about recent large breaches in the healthcare industry.  Millions of individuals have been affected by these breaches in the healthcare industry.  The healthcare market is the hottest place for cyber-criminals to attack.  There are many reasons for this… the simplest reason is they are […]


Getting Started With Cybersecurity

by Brian Fischer on May 12, 2015

To address cybersecurity threats to the Nation’s critical infrastructure systems, the President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. The Order established that “it is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber-environment that encourages efficiency, […]


NCUA and FFIEC Online and Mobile Banking Security

by Brian Fischer on March 18, 2015

So you have performed due-diligence of your online and mobile banking vendors with hopefully at least an SSAE-16 in hand, and all is well. Not completely. Vendor due-diligence is crucial to help protect member data. The SSAE-16 they provide covers the security measures they take within their environment, but how does it address critical application […]