COLUMBIA, S.C. – Following rules as well as fighting off rogues will make IS security an increasingly difficult challenge for credit unions in 2003 and the years ahead, industry participants say.
"As their business grows, we see our clients asking us more and more for the ways and means to comply with regulatory requirements that grow right along with them," says Roberto Medrano, CEO of PoliVec in Mountain View, Calif. His company specializes in security policy automation, helping about 60 credit unions keep up with NCUA and other state and federal regulations, including those evolving from Gramm-Leach-Bliley, by scanning their systems and making patches and other changes as necessary.
Denver Community Federal Credit Community uses PoliVec for intrusion detection and to help ensure its IT security policies are up to snuff. Devin Brown, CFO for the 21,000-member, $172 million CU, says the need for such help is ongoing. He says viruses are snagged daily by his CU's defenses and that intrusion detection and potential for internal problems also are ongoing concerns.
Asked what his CU's biggest challenge is in meeting IT security needs in 2003, Brown says simply: "Keeping current on training given the rate of change in this area. And balancing the need for ever-expanding electronic services to remain competitive with the high cost of securing those services."
But while the complexities and costs of compliance and combating threats continue to grow, so do the actual attacks. "That's where the money is, so people are always trying to get into systems," Medrano says. "The threat of viruses is also still always there, but most of the attacks we're talking about are not of that type. I have the privilege of having accounts at three credit unions and I don't even know their e-mail addresses. The biggest problems are not from the consumer side, in that sense."
Those who would break into a system – whether they're called hackers, crackers, script-kiddies or worse – pose a more complex threat. And as financial systems become more and more intertwined electronically, and outsourcing brings more third parties into the mix, controlling that process means keeping up with the people as well as the process.
"We must keep in mind that any function must be led by policies and procedures," says Doug Benzine, senior vice president at CUNA Network Services. "Without this standard direction, technology is just technology waiting to be exploited.
"This requires a CU to do more than just implement a firewall. Now they must have this firewall managed and updated, they must run vulnerability assessments to see what exposures they may have and remediate them, and lastly, many need a monitored intrusion detection system to identify attacks in real time."
Benzine, whose organization provides e-services to about 2,000 credit unions, adds: "The good news is that technical products and services are available for CU's to do this affordably. The bad news is that many CU's feel that because they have a firewall, they are secure, which is a huge myth.
"So the major challenges we face are not technical, but human in nature."
Cynthia Hawk sees it that way, too. "If we could take these smart kids who can get into just about anything and put them to work for the good, they could be helping to solve problems instead," says the president of $13.7 million GTX Credit Union in Houston, Texas. She spends a lot of time keeping up with IT security issues and, along with her board, is so concerned about things like keeping up with patches and other vulnerabilities that the small CU has decided for now to forego offering online banking.
"We do keep our members informed in our newsletter about our findings and share pieces of information we gathered if they ask," Hawk says. "Many are dumbfounded by some of the articles and statistics about the problems."
There's also the matter of cost and finding trustworthy help, Hawk says. "State-chartered CU's in Texas with transactional Web sites are now required to perform security reviews at least every two years, and there is concern about the expertise of some companies performing IT services.
"There also is some concern about the costs affiliated with hiring real IT experts to perform such reviews, and whether different companies perform the review as part of our due diligence."
THE EXPERTS SAY
"From a purely technical point of view, we are concerned with two major areas," says Rick Fleming, vice president of strategic technology at Digital Defense in San Antonio, Texas.
"First is insider abuse of systems. We continue to see scenarios in our testing that show employees aren't using the systems according to organizational policies," says Fleming, whose firm provides security services for about 180 clients.
"Often, these credit unions have weak or non-existent policies, so there are no actual means to correct this misbehavior. Secondly, we are seeing an increase in the number of methods that can be employed to use a Web or Internet interface to exploit a back-end database system," he says.
The increase in third-party outsourcing and in Web services, a catch-all term for functionality that breaks down barriers between systems and organizations through the use of such technologies as XML and SOAP interfaces, adds to that potential.
"If credit unions continue to add more Web services to our member offerings without developing stronger, more effective security measures to protect those services, we will have more break-ins and theft of member information," Fleming predicts.
"History has shown that we cannot depend on the software manufacturers and developers to produce totally secure systems. Even if they did, many organizations are not expending the resources required to deploy their technology securely," he adds.
Pennsylvania State Employees Credit Union is a well-known tech leader, serving more than 275,000 members from one office, and it has a lot of experience with both creating its own solutions and outsourcing when needed.
Greg Smith, CEO of PSECU (now nearing $2 billion in assets), says his biggest concern is business continuity and that plans are to ultimately create a second data center.
Meanwhile, his IT security manager, Kevin Doyle, has the responsibility of keeping all that data secure. In addition to its in-house firewalls and other efforts, the CU uses such specialists as IBM Global Services for intrusion detection help, Metasys ethical hackers looking for vulnerabilities and TruSecure to conduct remote reviews.
Doyle stresses that you need to be able to trust the help. "The biggest challenge I see, in addition to Greg's concerns about business continuity, is maintaining security when outsourcing electronic services to third parties," he says. "Many organizations do not recognize the risk to their own security if you hire a third party with poor security practices."
Medrano, the PoliVec chief, says that's why his company's services include "checking up continually on our clients' outsourcers – including their service bureaus – to make sure they, too, are complying with reporting policies that we all agree need to be in place."
Even core processors that don't have service bureaus have to be vigilant, and business continuity remains a concern there, as well.
For instance, "since AFTECH does not process for its clients – it sells and supports software used at the credit union site – a virus that disrupts AFTECH's business would not disrupt a client's data processing," says Joe Doyle, vice president of technology for AFTECH in Malvern, Pa., core processor for 85 credit unions and the NCUA Office of Asset Recovery in Austin, Texas. But it could affect client support by affecting communications, he adds.
"Consequently, our approach to security focuses both on the software and services provided to clients and on the protections AFTECH builds around its own operations."
HOW MANY HACKS HAPPEN?
Of course, with all this talk of potential, the question arises, has it happened? Has member information been compromised or even stolen? What kind of damage have they done, and what success are they having?
"Unfortunately, this is a major problem in the industry, because when a company has been exploited, they typically try to sweep it under the carpet to avoid publicity," says Benzine at CUNA Network Services. "Only a small number of attacks are ever reported."
A successful hack takes its toll both in repair costs and in lost trust, he adds. And the cost can indeed be high. "We know of a couple institutions that have gone out of business as a result of a hacker stealing credit card information and it getting into the news," Benzine says. "Typically, the company will go out of business in less than four months after the incident."
So, who's behind all this? Thrill seekers or worse? "I think a vast majority of the attacks we see are automated in nature with the person simply wanting to have the thrill of the break-in," says Fleming at Digital Defense.
"We've seen organizations who've had their systems compromised in such a manner where the hacker had no further restrictions to accessing member data," he says. "However, on several of these attacks, we could find no direct evidence that the hacker had actually compromised the data."
However, Fleming warns: "In many of those cases, the hacker may simply be building a list of 'owned' machines that can be used at a later date for a more direct-type attack."
Meanwhile, he adds, "I won't rule out terrorists and criminals increasingly attacking Internet-based systems, but I've seen no significant increase in attacks from these sources.
"Will that change? I'll go out on a limb here and say that yes, as we attack terrorists and their supporters, we can expect to see them launch a variety of attacks against our financial and manufacturing infrastructures."
