Can Technology Keep Us Secure?
Every day we depend on technology to control our lights, record our sales transactions, and ensure our money is available when we want it. We use technology to store vital information such as birth, death, marriage and divorce records, our checking and savings account balances, and the mortgages on our houses. Commonly, these documents now exist only in electronic form. In all of these cases, we rely on systems because we believe they are secure. However, as the press shows every day, these systems are not always secure and are quite often open to compromise. So why is technology not keeping us secure?
One of the fundamental reasons technology is currently not keeping us secure relates to how modern technology works. In the ancient past, say 30 years ago, almost all technology worked via a physical control mechanism. It did not require batteries or transistors, or more importantly, control software to function. A lock on a vault was just that, a lock; and while it may have had a timer to control when one could open the vault, many of those were merely wind-up clocks. Today, modern vaults use a combination of hand scanners and other biometric devices to control access. Likewise, when all information was stored in printed form on paper, security relied on locking the filing cabinet as well as the file room. Security also depended on the fact that a thief could grab only a few files and still be able to run. Today, we depend on a myriad of electronic storage systems to store and protect our documents.
"Older" systems depended purely on mechanical and physical security controls to protect their information. Today's relatively modern systems make use of computers and electronic controllers to help make our lives more convenient. Most of these controllers and all of the computers rely on a combination of electronic hardware and programmed software to perform their functions. Here is where the problems begin.
Software is typically developed with one focus: allowing the hardware to perform its designated function. Usually due to storage constraints in the hardware, developers keep the software small and therefore cannot include additional features that may protect the hardware from performing tasks it was not designed to do. This is sometimes good, as in the example of one of the original microprocessors, which was developed to control features on a refrigerator and was later redesigned into a computer. In another example, we see it is bad when a software glitch allows a flight control system to malfunction and cause a crash.
Why is it then that software gets such an easy break when it comes to liability? If we designed a car that, without warning, simply required us to pull over, shut it down and restart it after every 200 hours of use, we would find that unacceptable. Yet when many of our electronic computing systems fail, we simply power them off and back on and find that an acceptable practice. Unfortunately, this type of liability leeway for software will not change until there is enough motivation from the users of that software to force that change. Therefore, we spend a large amount of our time patching the software and testing our configurations to ensure that our systems are functioning correctly and all tests show that we are secure.
Then tomorrow happens. Frustration is a part of our lives because our systems do not seem to be secure for long, and there are people in the world who seem to find pleasure in finding ways to break into our computers and electronic systems. While some of them may have altruistic motives and a desire to point out the flaws so they are fixed in a timely fashion, others will always have darker motives, most involving the separation of you from your money. Why does this cycle continue unabated?
Again, until someone holds software developers liable for their products' failures, this trend will not change.
Let us assume for just a moment that all of our systems are patched and updated, and we have a top-notch security company performing our security testing. We are actively keeping perpetrators out and all is good. Can there still be a compromise of our information? The answer, unfortunately, is yes. The recently released film, Firewall, shows that even if we install the greatest technology to protect our information, we are still subject to a social engineering attack. In the movie, we see the villains go after our hero's family in order to get him to allow them access to the assets. Of course, since this is a movie, the hero gets mad, refuses to cooperate and proceeds to beat up all the bad people. Sorry if we spoiled the ending for you, but it is a Harrison Ford film. Tragically, we often see similar things occur in real life.
There are no easy answers. Vigilance and awareness are the watchwords of the day. Credit unions have to remain vigilant in protecting their information systems through an almost continuous process of detecting vulnerabilities and patching them. Using tools that allow for the evaluation of every change and update to the network against known threats is critical. The problem will only be compounded if you do not stay on top of it.
Awareness comes in the form of member and staff education and training. Yes, members need training. They are at the forefront of the protection against spam and other phishing attacks. They need to know what information is legitimate for an email and what is not. They need to learn how to protect themselves against online predators.
You and your credit union play a vital role in the security of our information. Helping members become more aware of the security threats against them is the first step in protecting information.
The second is holding your software vendors accountable, through contracts and dollars spent (or not spent) on their products. As the old saying goes, Money Talks. Unfortunately, sometimes you have to turn up the volume to get someone's attention. Lastly, being vigilant in maintaining and testing your systems is vitally important.