<p>COLUMBIA, S.C. – As holiday celebrations fade, here's a sobering thought for the New Year: While credit unions and their members move more of their financial lives onto the Web, some leading Internet security experts say breaches, worms, viruses and others attacks will only increase. In fact, says John Pescatore of Gartner Research's Information Security Strategies: "Enterprises should not assume that the Internet will reach the mean-times-between-failures of private networks and other utility services and should plan for periodic outages until 2006. "Where they require non-stop processing, enterprises should contract for alternate connections," Pescatore said. Is the Gartner vice president overly pessimistic? Will the white hats of technology have finally thwarted the hackers, crackers and denial-of-service attackers enough to declare victory four scant years from now? "I think it's an optimistic warning," says Scott Mackelprang, director of security and compliance at Digital Insight (www.digitalinsight.com), the California-based provider of electronic services and Internet hosting for thousands of financial institutions, including hundreds of credit unions. "I don't know about outages of the whole Internet, but certainly parts of it. And certainly denial-of-service attacks are not going to end after four or five years," Mackelprang says, adding that the growing ability of cyber-criminals to encrypt their own weapons (viruses, worms, etc.) only makes the job of protection increasingly difficult. A DAILY CHALLENGE Tom Ha sees the challenges grow daily. "Staying up to date on firewalls and anti-virus software is critical to a good operation," says the information systems manager at AmeriChoice FCU, a $70 million, 11,000-member organization in Mechanicsburg, Pa. "Money in accounts is really just another form of data, the real, physical money is stored in vaults and off-site, et cetera. But our data is of utmost concern and we do our best to keep it safe," he says. That includes defending against such things as the so-called Goner worm, the most recent headline-grabbing system snarler. Ha says it showed up at AmeriChoice (www.americhoice.org) the day it was first internationally reported, but that he had already been warned by his anti-virus provider and was protected. "It can be hard, but the same technology that they are using to spread these worms and such is also being put into play much more quickly now to defend against them," says Ha, who receives alerts through his PC, PDA and cell phone. Indeed. Just keeping up is daunting and a full-time job. "As of today, there are 57 security updates from Microsoft out for this year," Rick Woehler of PM Systems (www.pmsyscorp.com and www.cudefense.com), a South Carolina-based provider of security services to more than 300 credit unions, said in mid-December. Of course, as the biggest target, Microsoft-powered servers are a favorite for hackers surfing Internet addresses and breaking into systems, and Woehler can demonstrate just how easy it is, quickly demonstrating a series of steps that gain entry to an unprotected host system of what apparently is a small Internet services provider on the West Coast. It can also be that easy for destructive viruses and worms (the latter being particularly insidious because they propagate themselves) to enter and do their damage. Woehler says he wishes he could alert every system he receives an alert from but has to spend all his time protecting his paying customers. "PM Systems receives around 500 NIMDA (a pernicious cyber-worm) attempts per day against our 1,000-plus IP addresses. One of our monitored security customers gets around 900 per month from the BellSouth network," he says. And credit unions that think they're immune are kidding themselves, says Rick Fleming, vice president of security operations at Digital Defense (www.digitaldefense.net), a Texas-based provider of security services to hundreds of credit unions across the country. He sees problems occurring daily because of sloppy internal IS techniques, including not keeping up with necessary patches. However, Fleming says, "the leading cause of this is an `it can't happen to me because I'm too small attitude.' " " I can't tell you how many times over the past few years I've heard CEO's and board members of credit unions tell me that they didn't think their credit union was vulnerable to attack because they are too small an organization or just don't have a large Internet presence," he says. "My reply to them is that those ever-annoying telemarketers can find their home numbers, even if they are unlisted, by simply dialing every number. The same is true with hackers and script kiddies. "Script kiddies are inexperienced hacker wannabes who don't really understand what they are doing, but simply download scripts and tools from the Internet and run them. "Many times a system is compromised simply because its number, literally speaking, was up. It wasn't a targeted attack against the organization because it was a financial organization, but simply a target of opportunity because its servers were scanned and found to be vulnerable," Fleming says. CONSUMER DEMAND So what's going to definitively turn the tide? That old reliable of American capitalism: consumer demand. Mackelprang, the security chief at Digital Insight, feels that security and stability are going to have to be as valued as bells and whistles to the customer, whether it be Joe Consumer buying Windows at Best Buy or the CU exec investing in server software, before the software industry starts to develop and incorporate robust protections in a consistent and ongoing manner. "He's absolutely right," says Woehler at PM Systems, adding that such change may now be under way. "We're starting to see that very thing in some of the new products coming our right now. Both Windows XP and Red Hat Linux 7.2 now come with personal firewall options available during the installs. "Gartner really scared the heck out of Microsoft (recently) when they came out and recommended that companies move away from Microsoft IIS (the software giant's ubiquitous server software system)." Of course, there's a human factor, too. "In the conduct of our assessment of credit unions, we are usually able to get the network user name and password of about half of all the employees we contact," Woehler says, simply by using what he calls "spoof" e-mail and direct phone calls. To combat that problem, Ha, the AmeriChoice IS manager, says, "The best investment is in training and education, so that you understand the threats that are out there and how to deal with them." And how might credit union chiefs view security as the new year dawns? Whether the threat is from hackers out for the fun of it or crackers with theft or political motivations in mind, "I would ask credit union executives to ask these two questions," Fleming says. "How would my credit union suffer if our Internet connection was terminated for a month? For two? For six? "Could we continue to be competitive if we had no external network connectivity to . core processors and e-commerce sites like CUNA's? "If the answer to these questions is not favorable, you must act to shore up your security to protect your members' interests," says Fleming. Or, as Mackelprang at Digital Insight puts it: "I think everyone involved in this business and in the financial services industry need to realize that if, in fact, we don't do things securely, all the other things we do well, will become unimportant." -</p> <p>[email protected]</p>