WORLD WIDE WEB - The old Master Lock commercials of a man shooting a bullet through the lock - but it still holds - is a concept credit unions need to embrace for their growing Web presence.

"Every time you add another service that other people can get access to, you're opening yourself up to everybody. Just because you have a screen with a password, that's not enough. That screen is available to everybody and people can find the keys to it," said Joe Cooper of IT security firm Digital Defense, San Antonio.

Cooper said each new Web service a credit union adds poses a new risk. Those risks can be limited, but the credit union needs to look at how each additional service affects the whole of its IT security. He said one of the problems with the new plug-and-play mode of today's open systems is that software vendors are trying to make it as easy as possible for credit unions to plug in their software. But that convenience comes at a price, said Cooper.

"Convenience is inversely proportional to security. The more convenient it is, the less secure it likely is. Vendors want to make it easy to set their software up. Microsoft is a great example," said Cooper. He said the default settings for a new server or new piece of software aren't secure right out of the box. Credit unions have to configure certain items to take away easy hacker targets.

Cooper said credit unions should never feel that they shouldn't launch a new Web service because of security fears. "Ninety-five percent of the problem the credit union's IS staff can probably fix," said Cooper.

But what about the other 5%? "Twelve-year-olds are coming out with new hacks every day. There's no way IS staffs can keep up with all that," he said.

Cooper said that just as credit unions should be on a regular virus updating program, they should also periodically have their remote systems checked by a security firm such as Digital Defense. IT security experts essentially try to hack the credit union. They then give the CU a report and make security recommendations. Cooper said some credit unions are under the misconception that remote security checks are costly, but in many cases they can be done for under $5,000.

But most IS security problems don't even involve the Web. "Seventy percent of problems are from the internal side. Tellers not understanding the importance of logging off their machines. Credit unions find it easier to just give everyone access to all systems, instead of segmenting authorization to make systems more secure."

"I've seen office supply policies tougher than network security policies at some credit unions."

Pete Hammes, director of engineering for IT security firm Para-Protect, Washington, said bad public relations should drive credit unions to make their Web sites as secure as possible. "All it takes is one headline in the local paper that a site was broken into, and trust can be lost. I think credit unions' main concern should not be Web site defacement of someone putting up some bad words or dirty pictures, but protecting the back-end systems from being compromised," said Hammes.

Hammes said a CU's front-end systems may be ultra secure while its back-end systems are left open. "You're only as strong as your weakest link. Using SSL encryption on the front end is great, but the back-end database needs to be secure. Records being sent back and forth in clear text e-mail are available to anyone capturing data (sniffing)," said Hammes.

Hammes said credit unions would be surprised how many times their sites are probed by some level of hacker. "Site probing and scanning goes on on a daily basis from all over the world." He said he has a firewall on his site and is alerted every time his site is probed, and it happens daily.

Credit unions can weed out most of the hackers by engaging in well-known IT security measures. That doesn't mean the security is impenetrable, but he said if most hackers see too many locked doors they'd rather surf over to an easier target. "There are basic things credit unions can do to take away 75% of the easy hacking techniques. Then the hackers just rattle your doors and go down the street to someone else."

-pgentile@cutimes.com
Plug and play IT world can sometimes compromise security for convenience