COLUMBIA, S.C. – Think your credit union's safe and secure, hiding all that confidential data and crucial functionality behind the latest and greatest in firewalls? Think again. "The lesson of the Code Red worm is that firewalls didn't prevent it, period. That's the issue," says Chuck Welsh, president of NetBankAudit of Mount Vernon, Va., an Internet security consultancy serving credit unions and small financial institutions. Unlike viruses, which have to be activated in some way and typically wreak havoc on the internal workings of a network or single PC, a worm generally works its damage simply by getting in and then propagating on its own. In this case, the first Code Red worm dials the White House Web site continuously, attempting to bring it down. Another variant that followed soon after sends random e-mails, in enough volume that it already seriously affected major Internet operations such as Time-Warner's cable-modem network and The Associated Press news service. At the same time, all that activity clogs the host victim, too. Estimates of affected servers range from 250,000 to close to a million. While there were no widely publicized reports of credit unions being seriously affected, the danger exists and grows. "Nearly every credit union has some sort of Internet connection today. Additionally, they may also have network connectivity to several third-party vendors," says Dan Jorna, general manager for USERS' DataSafe Operations (www.users.com) at Valley Forge, Pa. "The threat is not limited to lost assets. The latest focus is on confidentiality and privacy issues and regulations. Firewalls have become a critical component of the credit union's inventory of security measures." Welsh agrees, and says there's more. "Firewalls are very, very important," he says, "You are virtually naked without one. But the only way to be secure is to have overlaying methodologies protecting you. You cannot be up to snuff simply by having a box," says the 25-year financial-services IT veteran. A firewall basically is a software or hardware device that monitors and controls the flow of data. There are two general types, according to Rick Fleming, vice president of security operations at Digital Defense Inc. (www.digitaldefense.net) in San Antonio, Texas. The first, packet filtering, involves inspecting each packet of information that is transmitted or received and deciding based on a set of rules whether to allow it in or out, for instance a permitted IP address. The second, application proxy, looks at the type of function being performed and makes a decision based on those rules, including whether the individual sending or receiving the data is authorized for that specific kind of traffic. "Another way to think about this is that proxy servers make their decisions based on the content of the information being exchanged and not just the envelope it's being sent in," Fleming says. Either way, firewalls are gateways, which have ports that allow data in and out of computers and networks. And once those doors are open, they can let in viruses and worms. "Remember, a network firewall gets its name from a firewall in a car or a building," says Fleming at Digital Defense, which has more than 60 credit union clients. "Each time you poke a hole in that wall to let a water pipe or a wire in or out, you create a point where fire could possibly get into the protected room. "In computer networks, it's no different. When we open a port on the firewall to allow certain traffic into our internal networks, we create a weakness in the firewall that must be monitored, and we must make sure that the systems we are now allowing traffic to are protected with the latest security patches and upgrades." Even then, skilled hackers can sometimes come right on in. "The Code Red worm passed through Port 80 in firewalls to exploit a vulnerability in Microsoft's IIS Web server," says Max Staples, technology sales manager for SecureWorks (www.secureworks.com), an Atlanta-based IT security solutions firm. Staples said his firm's security specialists were able to write an attack signature that prevented it from disrupting its clients' networks, but that the "Code Red Worm is a prefect example of why firewalls are not sufficient for credit unions that need to completely secure their networks and data." "We use an advanced, real-time intrusion detection and monitoring tool," says Jorna, who as general manager for USERS' DataSafe Operations shares responsibility for the security of hundreds of credit unions and millions of members. "Credit unions that are running an in-house Internet banking solution should likewise use intrusion detection and monitoring tools to identify and head off possible attacks." Adds Jeff Marshall, chief technology officer at Liberty Cavion (www.libertysite.com) in Englewood, N.J.: "Equally important as updating the firewall is keeping the operating system of all network servers and PC's up to date. Most hacking happens by way of already known vulnerabilities. "Windows NT, the most commonly used business servers on the Internet, releases security patches and upgrades almost weekly. Hackers have learned that most network administrators are lax in applying these patches, and will actively scan for those vulnerabilities that they fix," Marshall says. "It's a little like Ford or Chevy announcing that they've discovered a new way to hot wire their cars, and suggesting to everyone that they drive down to the dealer for a free kit to fix it." Regardless of how the credit union accesses the Internet or other networks, hackers could be trying to get in in many ways and for many reasons. "Deliberate attacks from outside sources can take many forms," Jorna says. "For instance, they can include viruses of many kinds; a flood of e-mails, a high volume of queries; or logic bombs, which are programs that have harmful effects when triggered." And for many reasons: "The attacks can be aimed at bringing a credit union's Web services down and making them unavailable; or they can attempt to gain access to members' personal financial information for use in perpetrating crimes," Jorna says. "The attacks also may be aimed at stealing member information for the purpose of selling it to another party for marketing use." Staples at SecureWorks warns: "Network security experts believe that worms will become an even more pervasive and malicious attack technique for professional hackers." Welsh agrees. "The Code Red worm is just the tip of the iceberg," says the co-founder of NetBankAudit (www.netbankaudit.com), describing other threats such as the ability to intercept faxes or turning on a networked laptop in a board room and listening in at meetings through the computer's speaker system. It may sound all very James Bond, but Welsh says such tools are easily available for downloading at hacker sites. He also says the Code Red worm may actually be a blessing in disguise. While it clogged traffic and tied up IT staff time, it didn't destroy databases like so many nefarious viruses, and it "has elevated the awareness of risk," Welsh says. Going forward, firewalls need to be a part of a total security package that includes intrusion-detection solutions, and policies and procedures that are implemented and updated as aggressively as the technology itself, experts agree. "A firewall should have regular updates, active intrusion detection, 24/7 monitoring and logging," says Marshall, the Liberty Cavion CTO. "There also needs to be senior-level staff who can analyze and understand the logs, and follow up with action to counteract those threats." Adds Jorna at USERS: "To ensure that they have all of these essential bases covered, system suppliers and credit unions alike should have their operations audited and certified by a third-party company that specializes in Web security." – [email protected]