Credit Unions Batten Down Electronic Hatches To Keep New Threats at Bay
WEST PALM BEACH, Fla. - As e-mail and instant messaging become more pervasive credit-union communication tools, so, too, have concerns grown about securing electronic transmissions between the credit union and its members and business partners. Credit unions have become popular phishing targets, proving that phishers don't just go after the largest institutions.

"Phishing attempts have been wildly successful at larger banks," said Joel Smith, CTO of AppRiver, an e-mail security service company in Gulf Breeze, Fla. "They snare quite a few victims. Now phishers are turning their sights on the credit unions and smaller regional banks. Now what we're seeing is they're targeting a large employer in an area - say, a government employer or large company - and then try to get those e-mail addresses from that employer - say, search for them on the Web site - and go out and impersonate that employer's credit union."

Smith sees such phishing schemes as brand theft, pure and simple. With tax season almost here, he said, "The next big thing - we're starting to see it now - is IRS impersonation."

A number of security industry professionals take the Occam's Razor approach to e-mail security, saying that the most effective first step is also the simplest: have a clear policy on what the credit union will and will not put in an e-mail, and then educate employees and members.

"Policies have been implemented and changed to reduce or eliminate marketing e-mails, to stay away from heavily graphical e-mails that look marketing related," said Kelly Dowell, executive director of the Credit Union Information Security Professionals Association in Austin, Texas. "A lot are sticking to strictly text. They're not asking for information. It's more informative. If there is any confidential information they need or that they need to share, a lot of them have started to put that on the member's account within the Web banking site and direct the member by e-mail to that."
Smith also recommends publishing a sender policy framework, where the credit union lists the servers allowed to send e-mail on its behalf.

Still, human fallibility needs to be taken into account, said Tom Giangreco, information security officer, Orange County Teachers Federal Credit Union, Tustin, Calif., which has more than 308,500 members. For that, the answer is a network monitoring product designed to audit network traffic.

"We're using a product from Intrusion called Compliance Commander," Giangreco said. "It monitors all our traffic leaving over the Internet, e-mail or any form. It looks for actual member data, a member Social Security number, not just something that looks like a Social Security number. It then alerts us and we can take appropriate action."

The Intrusion system is just one of several levels in Orange County Teachers' security plan. Another critical component is an external e-mail security service.

"We have gotten e-mail viruses where the e-mail pretends to come from our internal administrators or from our management going to our members informing them of something or other and they have to click on some link," said Giangreco. "We've managed to filter most of that out. We use Postini, a third-party e-mail handler. All the e-mail that comes to us actually goes to them first. They filter it for spam and viruses. They block close to 100,000 e-mails a month. We, of course, continue to filter it and check for viruses as well at a couple of different levels. But they're our first level of defense. We've escaped any kind of infection at this point. I'm a strong believer in multiple layers of defense."

An area still to be addressed in many credit unions is instant messaging, in part because it still tends to be done through consumer-grade services such as AOL, MSN, and Yahoo, with little oversight from the IT staff.
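The distinction Giangreco draws above, matching outbound traffic against actual member records rather than anything shaped like a Social Security number, is the difference between a pattern-only filter and a data-aware one. The following is an added illustration written for this article, not code from Intrusion's Compliance Commander or from the credit union; it assumes the monitoring point holds only a keyed hash of the member roster (so the roster itself is never stored in the clear on the sensor) and that the roster, key and sample messages are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed placeholder roster and key; a real deployment would load the
# keyed-hash index from the core system and keep the key out of the sensor.
MEMBER_SSNS = ["123-45-6789", "987-65-4321"]
INDEX_KEY = b"constructed-example-key-rotate-me"

# Anything shaped like an SSN, hyphenated or not.
SSN_PATTERN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def normalize(ssn: str) -> str:
    return ssn.replace("-", "")


def fingerprint(ssn: str) -> str:
    """Keyed hash so the index reveals nothing without the key."""
    return hmac.new(INDEX_KEY, normalize(ssn).encode(), hashlib.sha256).hexdigest()


# Built once from the roster; only fingerprints live on the monitoring point.
MEMBER_INDEX = {fingerprint(s) for s in MEMBER_SSNS}


def scan_outbound(text: str):
    """Return (candidates, confirmed).

    candidates: every SSN-shaped token (what a pattern-only filter flags).
    confirmed:  candidates that match a real member record (what gets alerted).
    """
    candidates = [m.group(0) for m in SSN_PATTERN.finditer(text)]
    confirmed = [c for c in candidates if fingerprint(c) in MEMBER_INDEX]
    return candidates, confirmed


def verdict(text: str) -> str:
    candidates, confirmed = scan_outbound(text)
    if confirmed:
        return "alert"        # real member data leaving the network
    if candidates:
        return "log"          # looks like an SSN but is not one of ours
    return "ok"


# Constructed sample outbound messages.
SAMPLES = {
    "invoice": "Hi, your invoice 555-12-3456 is attached. Thanks.",
    "leak": "Member record for J. Doe, SSN 123-45-6789, forwarded to vendor.",
    "phone": "Please call 800-555-0199 about your loan.",
}
```

Run over the samples, only the "leak" message produces an alert; the invoice number has the right shape but no member behind it, so it is logged rather than escalated, which is what keeps the alert queue usable.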
"Those tools, while they are very useful, represent a potential breach of security, because they don't have any native security built into them," said Michael Osterman, president of Osterman Research and an analyst who tracks electronic messaging. "Credit unions either have to lock down the use of instant messaging or provide capabilities that will allow that messaging to be sent securely."

There also are concerns with auditing, logging, and archiving, particularly if credit union services extend into areas that require preservation of communications. Namespace control also figures in: a business needs to control the screen name an employee uses and needs to be able to cut off use of that screen name should the employee leave.

There are two solutions. One is to add capabilities to the network to monitor and, when necessary, intercept traffic. The second is to deploy an enterprise-grade instant messaging system, such as Lotus Sametime or Novell GroupWise Messenger.

Still, there are instances when a credit union needs to transmit confidential data - for example, to third-party vendors. "We're working on that now," said Giangreco. "We're looking at encrypted e-mail applications. You can't just tell people that they can't communicate anymore. You have to have some alternative. Encrypted applications are starting to come online a little more and are becoming more user friendly and transparent."

All the battening down may prove to be a deterrent, according to Osterman. "I think things are looking up a bit," he said. "In July of 2004 spam hit as high as 95% of all e-mail. Now it represents on the order of 70%. Viruses are still as bad a problem as they always have been, though we haven't had any major outbreaks in the last few months. But that could always change."