The title of this post comes from a friend who liked to use that line in retelling the story of a bumbling IT department. It came to mind when reading Brian Krebs' account of Coast Central Credit Union's recent online banking hack and how they didn't take him seriously when he reported it.
Treat reports like this with urgency. I get it: your IT department deals with penetration testing reports, vulnerability scans, audit findings, internal bug reports, emotional complaints, and on and on. And sure, some false positives come through, but I believe most things that members point out to IT as needing attention are legitimate and deserve a follow-up as well as a thanks.
Not taking ten minutes to get on the phone with anyone (let alone Brian Krebs) who’s telling you that you've been hacked and offering to prove it seems, well, downright irresponsible. And this goes beyond the role of management; it's the responsibility of everyone in an organization, especially the people trusted with fielding the calls and emails.
Keep your CMS patched. Krebs says it well: “[Alex] Holden said he’s discovered more than 13,000 sites that are currently infected with Web shells just like the one that hit Coast Central Credit Union, and that the vast majority of them are Joomla and WordPress blogs that get compromised through outdated and insecure third-party plugins for these popular content management systems…. If you run a Web site, please make sure to keep your content management system up to date with the latest patches, and don’t put off patching or disabling outdated third-party plugins.”
Encourage your community to find holes and tell you about them, and make it easy for them to do so. Go as far as a bug bounty program. Why not?
I saw that CU Times covered this too, so I'm sure the story's out there among the credit union managers who follow that publication.
I hope no one's laughing; I'm not and I guarantee no one at Coast Central CU is either.