COLUMBIA, S.C. – For anyone who might feel so jaded by hearing about the latest computer virus, worm or hack attack in the news every day that complacency is setting in, Jon Ramsey has some numbers for you to consider.

"SecureWorks' intrusion prevention technology has prevented the effect of over 36 million attacks against credit unions in the first six months of 2003," said the director of Internet security services for the Atlanta-based firm.

"Attacks against client-side applications such as Internet Explorer, Outlook, Adobe Acrobat and others are on a dramatic increase since this time last year and automation is playing an increasingly important role for hackers who are looking for systems to compromise," says Ramsey, whose firm includes 200 credit unions among its 450 to 500 clients.

He attributes the increase from 2.5 million alerts in August 2002 to 8.25 million attacks his firm detected in July 2003 to "an increase in automation and sophistication of attacker tool kits. We also have witnessed the fastest-spreading worm (SQL-Slammer) and the most destructive worm and first to target financial institutions (Bugbear.B)," Ramsey says.

Indeed, the ambition of cyber-attackers and the virulence of their weapons continue to increase, industry participants say.

"The nature of the attacks is changing over time. Most attacks in the early days of the Internet were non-focused on any target and were much like real-life epidemics because we didn't know to control the spreads, didn't really understand how the infection mechanism worked and simply had to let the viruses run their course," says Rick Fleming, vice president of strategic technology for Digital Defense in San Antonio, which provides Internet security services to more than 110 credit unions currently. "Today, we control most diseases and viruses with vaccines and good hygiene. The same is true for computers. We now have virus scanners and have learned to develop good computing habits that can protect us from malicious code," Fleming says. "But it's not enough to stop everything."

It used to be that a user had to open an e-mail attachment to let a virus loose. Simply opening the e-mail is enough now for some, and other attacks are probing for openings in Internet servers, firewalls and VPNs through Web browsers and other applications.

The number of attackers also is growing, Fleming observes. "About five years ago, there was a very small community of people who had the ability to write malicious exploit code. Now there are hundreds of people who can do so, with more learning every day," he says, noting that "high-quality exploit code" also can be purchased from a number of sources.

The publicity that attracts the hackers, such as announcements about new vulnerabilities discovered in Microsoft's Internet Explorer and server software systems, also should serve as an alert to credit unions to watch out for what's coming next, and the window of warning keeps compressing.

"The MSBlast Worm was easy to predict," says Niels Taylor, a network security analyst with PM Systems Corp./CU Defense in Chapin, S.C., which serves more than 120 credit unions. "When the bulletin describing the vulnerability was released, we knew it was only a matter of time before a worm was developed to exploit it.

"Other worms are harder to predict. A good anti-virus system is pretty much set-and-forget, so the main thing the IT staff needs to do is make sure that the anti-virus signatures are getting downloaded and distributed."

Following procedures that are already in place remains a key to good IT security, whether it's the latest outbreak like Sobig or MSBlaster or one that has been around a while, the experts say.

"Security is a process that needs to be addressed by everyone involved with safeguarding members' data," says Ed Francis, president of CastleGarde, a Tampa-based consulting and compliance firm with 140 credit union clients, including 24 of the top 100. "Some of these steps include installing the patches that seem to come out every week from Microsoft and other computer technology companies. By having a documented process in place, the procedures and the personnel that are in charge already know how to handle an incident like a worm," he says.

Tools To Grow With

The technology to combat system-snarling worms and viruses, as well as hackers trying to access member information, also continues to grow. In recent months, there's been the evolution of intrusion detection systems into intrusion prevention systems, with deep-packet firewalls and similar technologies also leading the way.

Here's a description of how that often works, in this case from Jeff Marshall, chief technology officer of Minnesota-based Liberty Internet Services.

"At the border lies an intrusion prevention system, which detects the scanning activity of a worm and identifies the source before the infectious portion of the worm comes along. The system then notifies the firewall to block all activity coming from that source," says Marshall, whose firm recently merged with CUNA Network Services and now serves more than 1,500 credit unions.

Meanwhile, intrusion detection systems inside the networks check for infections from other means. "By continuously checking servers behind our firewall, including customers' servers, we are able to anticipate possible problems," Marshall says. He says the LIS/CNS system detected about 100,000 attacks on one of the days the MS Blaster worm outbreak was at its peak.

Exacerbating these outbreaks, which can snarl networks and bring down operations (like Maryland's state motor vehicles department for several hours), is the fact that variants seem to immediately appear afterward, including after the notorious BugBear.B attack, which focused on financial institutions and attempted to shut down anti-virus and firewall processes on networks.

"I think the surprising aspect of this worm and others like it is the repetition of copycat worms," says Dan Sheehan, a senior security consultant at Vibren Technologies in Boxborough, Mass. "It seems that there is some form of variant of this worm and others that adds a little twist to get around the latest fixes and operating systems alike," says Sheehan, whose firm's client list includes several major credit unions.

"These types of worms utilize discovered vulnerabilities within the operating systems and software applications that most credit unions use. So it is very important that security professionals educate management on the risk assessment, the plan and policies to mitigate that risk and return on investment that this kind of activity can provide," Sheehan says.

Of course, there's still the matter of convincing some higher-ups that all this is necessary. For instance, Taylor, at PM Systems/CU Defense, says that while, for the most part, the senior managers at credit unions he works with are "interested and involved in the information security mechanisms" in place, there can still be exceptions.

"The other day I got a call from a CU IT manager telling me that his management team thought that his security measures were overkill. He was hoping we could help bring an objective perspective to this issue," Taylor says. "We usually can. It often helps to have experts come in, identify issues and give IT the support they need to improve security at the credit union.

"Either that or an incident occurs which makes the CU look bad, and then we get called in. The first option is usually the better one."

But, another industry participant adds, awareness does seem to be on the rise.

"Six months ago, credit unions knew they needed security, but they really didn't know what that meant," says Markus DeShon, chief scientist at SecureWorks. "Today, they're more sophisticated when they make IT purchases in general. They are starting to ask good questions, like the differences between IDS vs. IPS, multi-yeared security, etc.

"They are more educated today about their needs and they are definitely early adopters to the whole concept of outsourcing, so when it comes to choosing a security service provider, they tend to be more open than other industries."


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.