Why this bank CIO is not a fan of password managers

Central National Bank in Waco, Texas has a three-person IT department for its roughly 100 employees. The head of the department, Rusty Haferkamp, spoke with American Banker about how he runs the operation and some of his surprising practices and policies.

As the man in charge of information security at his bank, Rusty Haferkamp has to be cautious, and it shows.

Haferkamp gets an email whenever an employee tries to plug a USB storage device into a work computer, and unlike many security professionals, he has never used a password manager. He recommends his family and friends keep important credentials secret by other means.

Haferkamp is the chief information officer of Central National Bank in Waco, Texas. He is also tasked with the $1.26 billion-asset bank's information security.

Before joining the bank, Haferkamp earned his top secret security clearance working as a military defense contractor at the Army base in Fort Hood, Texas. He moved on to run a consulting firm for 10 years before the CEO of Central National recruited him.

Haferkamp said he's seen many financial institutions "move backwards" in the 15 years he's worked for the bank. They've asked the question, "Do we need technology for every single thing?" For many applications, the answer has been no.

Where the answer is yes and a tech solution is the best option, that solution is just another potential vulnerability that needs to be secured, he said. That often means "bolting on" security to the application rather than building it in, which comes with headaches.

In an interview, Haferkamp shared these and other views on security and described recent security efforts at his bank.

Rusty Haferkamp, Central National Bank of Waco, Texas

How has cybersecurity changed while you've been in your current position?

RUSTY HAFERKAMP: I've been here 15 years, and when I started, all industries were somewhat relaxed on security. The goal was to get things moving — let's email invoices, get on the internet, or get these other luxuries of technology to the office.

We've gone backwards the past few years. It seems like Central National Bank, along with every other financial institution and even other industries — we're all reevaluating how we use technology. Do we need to use technology for every single thing? Every one of those things has to have a security layer on top of it. The security aspect is almost an afterthought.

It's almost like we built the bridges, but we really didn't test them for load capacities, and now we're experiencing all of those headaches that come with retrofitting and bolting on security — going back and reviewing APIs and some of the custom development work.

When you think about banks and credit unions your size, how do you see yourself today in terms of your cybersecurity posture? Where are you in the pack?

I steer clear of using the word innovative, because what happens with innovation is you just get out there with custom development, having in-house programmers, and we're not there. We don't really want to be there. We like tried-and-true, secure, stable products.

I don't want to throw myself out there and say we're leading the pack. I would say our infrastructure is mature. We are in a position where everything seems to be running smoothly. I'm comfortable. CrowdStrike and some of the other products we're using give me an ability to look at the network and look at what my users are doing just at a glance, and I can feel good about that.

So, I would say mature, not necessarily innovative.

Why establish such a mature level of security? Why not run in the middle of the pack and merely avoid becoming low-hanging fruit? As long as you just keep up with security patches and keep regulators off your back, you're good, right?

I disagree. There are amateur threat actors — the ones looking for a quick buck, a Microsoft Exchange exploit, or some sort of public-facing server that's not patched. Those guys are looking for a quick turnaround. They want to get into the network, try to get some ransomware going or some sort of data leakage, and then they can come back and get some quick cash from you.

Yes, low-hanging fruit is the No. 1 target. But there's also a lot of organized crime out there and nation-states that are after larger targets. It would be great for China or Russia to get a hold of a dozen community banks in Texas and be able to orchestrate something. Fortunately, we haven't experienced that yet, and I think that's because of all the pressure that we have on us to adapt in terms of cybersecurity.

Another part of that is our communication. I think financial institutions, especially community banks — we do a lot of talking amongst our peers. In Texas, we have the Texas Bankers Association that does a really good job of coordinating vulnerability discussions. We'll talk about what's the latest and greatest trends, and what we are doing to protect ourselves from those orchestrated attempts.

I don't want to argue with you; the low-hanging fruit is probably the largest target. And yes, that is the one that probably causes the most damage. But there's still a side of me that says there's something yet out there in the works, and I hate to say that, but we have to be ready for it.

I said something controversial mostly to get a good response, and that's exactly what you gave me, so thank you.

Let's talk a bit more about the products and services you use; you've praised these single-page reports that CrowdStrike gives you on a regular basis. Tell me a little more; what are you looking for in these security reports?

The No. 1 thing I'm looking at is to make sure all the CrowdStrike agents we have installed and scheduled are running properly. The specific activity or logs on the machine — that's not really important to me.

I've got a security guy and a network administrator here who look at our security event management and intrusion protection system on a daily basis. For me, the CrowdStrike piece is the first thing I check in the morning. If there's any problem overnight while I'm sleeping or my team is sleeping, we will have complete coverage from the Falcon Complete package.

An analogy would be walking out of the house and looking at the alarm to make sure it's set. For me, looking at CrowdStrike and seeing those agents active gives me that kind of security.

Also, after COVID, we added some VPN access because we didn't allow remote access until then, so we have a firewall supporting that technology, but we also have CrowdStrike on the laptops for our remote users. That's another thing that gives me a lot of faith in protecting our network.

What's the size of your security team?

We're a small outfit. There are technically three of us in my whole IT department. CrowdStrike is my fourth. We operate very efficiently. We have 100 users, but we have somewhere around 150 desktops and about 35 servers. We have some stuff in the cloud; we've got some stuff on premises.

You've said you get an email every time there's a security incident, including if someone tries to plug in a USB drive. I think a lot of people would see it as paranoid to worry about every USB drive someone puts into a work computer. Why have that level of awareness?

I have to think about what is happening on employee devices that they use at home, or more so what their children may do on it, or a roommate. We have a lot of Baylor interns that come and go in our credit department. I can just imagine what I was doing in college, and I'd date myself if I told you the file-sharing stuff I used to do, but anyway: removable storage devices definitely have risks associated with them.

We can allow certain devices, so we will allow someone to plug in a USB printer or peripherals — mice or keyboards. But we dial it down to a specific storage media or mass storage device. We don't want those plugged in if I can't scan the device or tell you where it has been since it came out of the package.

I've got a handful of employees who are always asking us to open that up temporarily, and we will when needed. Employees will tell me they're not doing anything wrong, and I say yes, you're not doing anything wrong, but no one ever intentionally drives over a nail to get a flat tire. It's when you have your guard down that bad things happen.
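The device-control policy Haferkamp describes above (allow printers, mice and keyboards; block mass storage unless a temporary exception has been granted; alert the administrator on anything blocked or unrecognised) as an added Python example. This is not code from the article, the bank or CrowdStrike; the event fields, host and user names, vendor/product ids and the exception table are all constructed for the demonstration, and a real deployment would feed it from an endpoint agent's device logs.

```python
"""Classify USB attach events against a peripheral allowlist.

Added example, not code from the article or from Central National Bank.
Policy as described in the interview: peripherals (HID, printers) are fine,
mass storage is blocked unless a temporary exception is on file, and anything
blocked or unrecognised produces an alert for the administrator.
"""
from datetime import datetime, timezone

# USB interface class codes (USB-IF class code table).
USB_CLASS_HID = 0x03            # keyboards, mice
USB_CLASS_PRINTER = 0x07
USB_CLASS_MASS_STORAGE = 0x08   # thumb drives, external disks, card readers
USB_CLASS_HUB = 0x09

ALLOWED_CLASSES = {USB_CLASS_HID, USB_CLASS_PRINTER, USB_CLASS_HUB}

# Temporary exceptions: (vendor_id, product_id) -> expiry time (UTC).
# Constructed sample; in practice this would come from a ticket or change record.
TEMP_EXCEPTIONS = {
    ("0781", "5581"): datetime(2024, 3, 15, 17, 0, tzinfo=timezone.utc),
}

# Constructed attach events, shaped like what an endpoint agent might report:
# timestamp, host, logged-in user, vendor:product id, interface class, product string.
SAMPLE_EVENTS = [
    {"ts": "2024-03-14T08:02:11Z", "host": "ws-credit-07", "user": "intern1",
     "vendor": "046d", "product": "c52b", "class": 0x03, "name": "USB Receiver"},
    {"ts": "2024-03-14T08:05:40Z", "host": "ws-credit-07", "user": "intern1",
     "vendor": "0781", "product": "5581", "class": 0x08, "name": "Ultra"},
    {"ts": "2024-03-16T09:00:00Z", "host": "ws-credit-07", "user": "intern1",
     "vendor": "0781", "product": "5581", "class": 0x08, "name": "Ultra"},
    {"ts": "2024-03-14T10:30:00Z", "host": "ws-ops-02", "user": "teller3",
     "vendor": "04f9", "product": "0027", "class": 0x07, "name": "HL-2270DW"},
    {"ts": "2024-03-14T11:12:00Z", "host": "ws-ops-02", "user": "teller3",
     "vendor": "1d6b", "product": "0002", "class": 0xff, "name": "Unknown"},
]


def decide(event):
    """Return (verdict, reason) for one attach event: allow, block or review."""
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    cls = event["class"]
    if cls in ALLOWED_CLASSES:
        return "allow", f"class 0x{cls:02x} is an approved peripheral type"
    if cls == USB_CLASS_MASS_STORAGE:
        expiry = TEMP_EXCEPTIONS.get((event["vendor"], event["product"]))
        if expiry is not None and ts <= expiry:
            return "allow", f"mass storage permitted by temporary exception until {expiry.isoformat()}"
        # Same device after the exception lapses is blocked again.
        return "block", "mass storage is blocked unless an exception is on file"
    # Vendor-specific or unexpected classes: do not guess, ask a human.
    return "review", f"unrecognised class 0x{cls:02x}; needs manual review"


def triage(events):
    """Run the policy over events; return the block/review alerts in the order seen."""
    alerts = []
    for ev in events:
        verdict, reason = decide(ev)
        if verdict != "allow":
            alerts.append({**ev, "verdict": verdict, "reason": reason})
    return alerts


def format_alert(alert):
    """One-line alert text, the kind of thing that would go out as an email."""
    return (f"[{alert['verdict'].upper()}] {alert['ts']} {alert['host']} user={alert['user']} "
            f"usb={alert['vendor']}:{alert['product']} class=0x{alert['class']:02x} "
            f"({alert['name']}): {alert['reason']}")


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(format_alert(a))
```

Run as-is, the two allowed peripherals and the in-window exception produce nothing, the same thumb drive seen after the exception expired produces a BLOCK alert, and the device with a vendor-specific class produces a REVIEW alert. Keying exceptions on vendor:product with an expiry is what turns "open that up temporarily" into something that closes itself rather than relying on someone remembering to revoke it.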

What training regimen do you have in place to help people with awareness about strong passwords or this USB example?

The first thing we do is use KnowBe4 for our phishing training. We send out two or three fake emails to employees monthly, and I get a report on who's clicked. We also use KnowBe4 for security training we do annually. If someone clicks on a fake phishing email twice in a year, they have to go back through that training, so we're constantly hammering them with that.

Second, I have a lunch-and-learn in October, which is National Cybersecurity Awareness Month. We do four or five face-to-face training sessions with employees that month, and it's pretty informal. We answer their questions, teach them how to make sure their family and friends have their PCs and iPhones up to date, and teach them about personal safety. We also tell them they need to set up a separate network in their homes that they use as a business network.

Third, throughout the year, we send emails and post videos about whatever information we need to get out. For example, we just had one about how employees don't need to use the same password for every platform.

Since the LastPass breach, I've seen a lot of people wringing their hands about whether you can still trust password managers. What are your thoughts?

I have never used a password manager. My password manager is a secret. I have a lot of passwords, and they change regularly. The ones I don't remember are locked up pretty tight.

For family and friends that are just looking for a tool to store their Netflix and Hulu passwords, maybe the login for their health care portal, I'm cool with that. Use whatever strong password manager tool you can find out there.

But everything is susceptible. There is nothing that cannot be breached in this world. If hackers in China or Russia really put their mind to it, they can already be in some of these things.

The one thing that you can do is use utilities for checking if you've had password leakage on the dark web. But as far as password managers go, I'm not a big fan of them.

If you have a password for an app you use to transfer money, or it's a credit card company or bank credential, don't save those passwords in your password tools. Those are the ones where someone can cause damage rather quickly. Who cares if someone logs in to see what I watched on Netflix?
