About CUNA Mutual Group

Founded in 1935, Wisconsin-based CUNA Mutual Group is a worldwide provider of insurance, lending, retirement planning, and asset management services for credit unions and their members.

For more information, visit cunamutual.com.

NetSPI Solutions

Penetration Testing as a Service (PTaaS)

Industry

Financial Services

Employee Count

1k-5k

Headquarters

Wisconsin, United States

Credit unions are member-owned, non-profit financial cooperatives. They exist all over the world and are operated for the purpose of providing members lower-cost, more personalized banking and financial services. CUNA Mutual Group, a global company headquartered in Madison, Wisconsin, has delivered insurance and other financial products that meet the unique needs of credit unions and their members for over 75 years. In 2011, CUNA Mutual Group generated more than $3 billion in total revenues and paid nearly $2 billion in benefits to policyholders with property, casualty, life, health, and disability claims. The company employs over 4,000 people.

Unfortunately for CUNA Mutual Group, a number of third-party security vendors had introduced unstructured approaches and poorly documented results that were affecting the company’s overall security posture, regulatory compliance efforts, IT staff time, and costs. To CUNA Mutual Group’s benefit, however, a separate PCI consulting engagement with NetSPI had returned notable benefits and significant cost savings when the recommendations were compared to the previous PCI QSA’s approach. At that same time, CUNA Mutual Group was actively building out new IT-enabled services for its members and recognized the need for a trusted third-party firm to help them with their ongoing security assessment work.

Based upon the strong initial success with the NetSPI consultants on the PCI project, and after the company had completed a second round of due diligence on NetSPI’s overall capabilities and reputation, CUNA Mutual Group decided to augment its security assessment/vulnerability program by aggressively expanding its existing service agreement with NetSPI. In addition to the original PCI compliance work started under the initial NetSPI agreement, the final security services agreement between CUNA Mutual Group and NetSPI includes regular ongoing penetration testing, application code reviews and the affiliated reporting and risk assessment consultations naturally associated with each of those individual tasks. As to the expanded contract, the customer put it this way, “We use NetSPI in more places, for more things, now more than ever.”

Vulnerability assessment is core to maintaining a strong security posture

Early on, CUNA Mutual Group recognized that effectively managing the security risks to their IT infrastructure required routine vulnerability assessments and penetration testing services to discover, assess, prioritize and mitigate both internal and external threats to their environment. This included manual code reviews and the testing of critical environments.

Following a disciplined methodology is key

Because NetSPI isn’t tied to any particular tools or tool vendors, the company has been able to develop an engagement methodology that ensures consistent, extremely in-depth, highly effective vulnerability assessments for each and every one of its clients – project after project. To ensure the consistent use of this proven methodology by every one of NetSPI’s expert consultants on each and every engagement, the methodology is enforced through the use of NetSPI’s industry-leading vulnerability management and correlation technology. The use of the platform results in the most comprehensive testing and customer-centric reporting in the industry. Furthermore, by utilizing the platform, NetSPI’s consultants also maximize the efficiency of their testing efforts for CUNA Mutual Group. NetSPI teams spend the majority of all available work time focused directly on identifying, verifying and prioritizing vulnerabilities. This has resulted in more in-depth assessments in far less time for CUNA Mutual Group.

A big tool box helps

NetSPI’s security consultants are comfortable and competent using a wide variety of open source, proprietary and commercially available tools that best meet the unique needs of each engagement. With the recognition that effective penetration testing programs involve much more than the use of a single tool looking for “known” vulnerabilities, NetSPI utilizes the right tool for the right technology and situation. This approach, coupled with broad security knowledge, extensive field experience and deep technical expertise, allows NetSPI’s penetration testing professionals to more effectively evaluate environments and applications for vulnerabilities, and provide the feedback and guidance to remediate effectively.

Documentation and reporting

An absolute requirement of any well-managed vulnerability assessment program is thorough, consistent documentation, and the reports generated by NetSPI for CUNA Mutual have proven to be perfect for the group’s uses. For example, any time that penetration tests and vulnerability assessments are completed by NetSPI for CUNA Mutual Group, all of the findings for each engagement are clearly documented in a consistent/consumable approach, including a detailed “statement of opinion” with prioritized suggestions appropriate to and in full alignment with CUNA’s business mission. And to the delight of their sales and marketing teams, the unique NetSPI statements of opinion have also proven helpful in providing tangible evidence of the company’s due diligence in ensuring their clients’ sensitive information is secure. As CUNA Mutual Group’s PCI partner, NetSPI provides PCI-related reporting which can be handed over to the internal governance team and external auditors for review and acceptance.

“While you may not like receiving some of the findings in the reports produced by NetSPI, you won’t be disappointed with the NetSPI team, their process, and the end results. Above and beyond the reporting, I found the NetSPI team easy to communicate with, and I was able to talk to them to pull out contextual information that is typically extremely difficult to capture in any report.”

Mark Glass
Sr. Manager of Information Security at CUNA Mutual Group

Targeted application security assessments are key to managing risk

At the same time that they were performing their network security assessments with NetSPI, CUNA Mutual Group was also performing targeted application security tests with another code review vendor. Due to a large number of false positive findings, NetSPI was asked to take on that vendor’s role within the overall security program. In particular, the NetSPI team was tasked with doing manual code reviews and pentesting of software that delivers business-critical web services. NetSPI’s code reviews for CUNA Mutual Group, which are performed within the same overall methodology as the rest of NetSPI’s services, have been proven to produce far fewer false positives than the previous code review vendor.

“Fewer false positives has meant less time wasted on CUNA’s side to validate/deny each item identified, which is why we brought NetSPI in as a replacement to the incumbent code review provider…In addition, we found that NetSPI’s written reports on their work helped make our software development engineers that much better at writing code.”

NetSPI’s trusted advisor approach results in a long term relationship

NetSPI has quickly grown to become the true vulnerability assessment partner and trusted advisor that CUNA Mutual Group was seeking. NetSPI has become a full and active part of the CUNA team under an extended multi-year agreement – which falls outside of CUNA Mutual Group’s normal business practice of swapping out certain third-party security providers after no more than two years under contract.