I've spent the last several years helping credit unions develop and implement an online presence on the Internet. From e-mail only to simple "informational" Web sites through sophisticated sites that offer the latest in transactional capabilities, I've seen credit unions work (sometimes torturously) through putting online technology to the best use for their members. And my experience has led me to a conclusion similar to NCUA's: credit unions in general need help with engaging online products and services.

NCUA's December 2002 Letter No. 02-CU-17, featuring the agency's e-Commerce Guide for Credit Unions, provides some of that help. The guide is somewhat general in nature, but I was particularly impressed that it placed so much emphasis on risk assessment and security. To me, these are the most important considerations for any credit union involved with online services.

Assessment and Plans

It really boils down to just a few imperatives: you cannot put into place adequate, comprehensive online security measures without defining what you want to protect, from whom and from where; and you are required by regulation to develop "a written security policy." In other words, risk assessment and specific actions to address those risks (a plan!).

For example, I worked with a credit union that came to us asking that we assess their online security protection, which basically consisted of a generic firewall. They failed our tests miserably. Why? Their firewall was not configured to meet the specific needs of the credit union, such as what traffic to pass through and what traffic to block from reaching their server. Now, their network company should probably have informed the credit union of this vulnerability. But really, the credit union must bear the brunt of the responsibility for not defining their acceptable traffic (i.e., data processors, Web providers, ATM or ACH networks, credit/debit cards) plus what the responsibilities of the network company were regarding security.
The lack of risk assessment and planning could have cost this credit union dearly, particularly when you consider that FBI statistics show computer systems that access the Internet are touched every 15 seconds by intruders and vandals looking for a weakness they can exploit.

At its most basic, a firewall is software or hardware that filters all traffic between a computer or computer network and the Internet. Firewalls are absolutely essential online security components, but they only offer strong protection when managed by competent security professionals, known as managed security service providers (MSSPs). Management consists of various responsibilities, but the most important is applying the software or firmware updates that ensure the firewall itself carries no vulnerabilities. The MSSP must also ensure that access through the firewall to applications such as a Web site or e-mail is restricted to only what is absolutely necessary.

If a credit union is hosting services on its own network (such as a mail server or Web server that is physically on its network), traffic must be allowed through the firewall to reach these servers. For this traffic, most firewalls are useless: if a hacker attack is coming through one of these allowed "ports," it will be ignored by the firewall, and the server itself will be expected to stop that attack. This is where an intrusion detection system (IDS) is very powerful. An IDS monitors in real time (24x7) all of the traffic coming into your network, looking for specific "signatures" of known hacking attempts. When an alert is generated, the MSSP can respond in various ways, which may include making a policy change to the firewall or prohibiting certain access directly on a server or system. If someone looks at a firewall log, it is usually impossible to tell what is a hacker and what is authorized traffic, because most firewalls do not record the type of data that is needed for that analysis.
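To make the two points above concrete (a firewall policy that allows only the traffic the risk assessment named, and the gap between what a firewall log records and what an IDS can see), here is a small model written for this article; it is not code from the article, NCUA or any vendor. The networks are RFC 5737 documentation ranges, and the service list and signature strings are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Allowlist written from a (constructed) risk assessment: only the services
# the credit union exposes, from the sources that need them. Anything not
# listed here is dropped by default.
ALLOW_RULES = [  # (source network, destination port, protocol, purpose)
    ("0.0.0.0/0", 80, "tcp", "public web site"),
    ("0.0.0.0/0", 443, "tcp", "public web site (TLS)"),
    ("0.0.0.0/0", 25, "tcp", "inbound mail to the CU mail server"),
    ("203.0.113.0/24", 1433, "tcp", "core data processor only"),
]

# Content signatures of the kind an IDS matches. The first is the well-known
# Code Red request pattern; the second is a generic traversal probe.
SIGNATURES = [("Code Red probe", "/default.ida?"), ("path traversal", "../")]

@dataclass
class Packet:
    src_ip: str
    dst_port: int
    proto: str
    payload: str = ""  # application data; the packet filter never examines it

def firewall_verdict(pkt: Packet):
    """Network-level filter: first matching allow rule wins, else default deny."""
    src = ipaddress.ip_address(pkt.src_ip)
    for net, port, proto, purpose in ALLOW_RULES:
        if pkt.dst_port == port and pkt.proto == proto and src in ipaddress.ip_network(net):
            return purpose
    return None

def firewall_log(pkt: Packet) -> str:
    """What a typical firewall log records: the 5-tuple and the action, no content."""
    action = "ALLOW" if firewall_verdict(pkt) else "DROP"
    return f"{action} {pkt.proto} {pkt.src_ip} -> :{pkt.dst_port}"

def ids_alerts(pkt: Packet):
    """IDS stage: content inspection of the traffic the firewall already let through."""
    if firewall_verdict(pkt) is None:
        return []
    return [name for name, pattern in SIGNATURES if pattern in pkt.payload]

if __name__ == "__main__":
    traffic = [  # constructed sample traffic, not a capture
        Packet("198.51.100.7", 80, "tcp", "GET /index.html HTTP/1.0"),
        Packet("198.51.100.7", 80, "tcp", "GET /default.ida?XXXX HTTP/1.0"),
        Packet("198.51.100.7", 1433, "tcp"),
        Packet("203.0.113.10", 1433, "tcp"),
    ]
    for p in traffic:
        print(firewall_log(p), ids_alerts(p))
```

The two port-80 requests produce identical firewall log lines; only the IDS stage separates the probe from the legitimate page request, which is the article's point about why an IDS belongs in front of hosted servers.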
That is why firewall management is critical, and for certain environments, IDS management and monitoring as well.

An emerging aspect of firewall protection involves firewalls that operate at the application level, not just the network level. This has become important because as Internet commerce and communication have increased, so have the protocols, or methods, for conducting this business. Network-level firewalls are built to defend against protocol-level attacks; most commercial firewalls perform little application-level attack inspection. In other words, protection is broad, but not deep. Hackers are using advances made by application-integration designers to mask their attacks under protocols accepted by a firewall, such as Web browsing or e-mail, allowing applications to pass data and even executable programs past firewalls. Recent worms such as Code Red and the I Love You virus used such tactics. The bottom line: as your systems become more complicated, you will need to bring application-level firewalls to bear to support secure Web communication and services.

Regular Testing

I want to add another imperative for online technology: you must regularly test and adapt security measures to emerging threats and technology changes. While this is also a regulatory requirement, NCUA is not specific about how often it should be done. My suggestion is that if a credit union employs a high-speed Internet connection such as DSL, cable, wireless or T1, testing must occur at least quarterly, as these connections are always on. A non-dedicated dial-up environment may be able to run on a less frequent testing schedule. A minimum test that can be performed is called a remote vulnerability assessment (RVA).
This involves running a software program containing hundreds of known firewall vulnerabilities against a credit union's firewall and its external IP addresses, both static (where the address is always the same) and dynamic (where the service provider has a bank of IP addresses and each day assigns a different one to your network). The RVA scans your IP address(es), firewall and network ports to determine what type of traffic it allows. It then runs over 1,000 known hacker scripts to determine if you are susceptible to any. It should rate the risks to let you know which ones are most serious and recommend how to fix any vulnerabilities identified.

Job 1

I talk to a lot of credit unions on a monthly basis, and regularly find those that either have no firewall in place, or that have never tested the one they have, nor asked their provider what the firewall is specifically protecting them from. This simply must change if credit unions are to compete in the online service arena. First, online security is a regulatory expectation. Examiners will expect to see security policies and procedures that follow Reg Part 748. Second, members expect that their online communications, information and transactions with your credit union are secure. A problem here and a member is easily lost forever. Third, physical security at your credit union is important: your vault, safe deposit boxes, even paper records. But online, your accounting, transaction history, member data and even more are vulnerable. Protection here is beyond vital; it is an absolute necessity to your credit union's survival. Do yourselves, your members and our movement a favor. Make online security a top priority in 2003.
© 2025 ALM Global, LLC, All Rights Reserved.