When selecting and implementing new technology, security is rarely a top priority. It should be. Most IT specialists value stability and functionality above all else in new products because they base their decisions on business needs. The reality, however, is that compromised security is ultimately a business issue, and you will be in a time of heightened vulnerability anytime you introduce new data into your network. When selecting and implementing new technology, a credit union should conduct a thorough review of all potential security issues to pinpoint weaknesses and patch up vulnerabilities.

Activate security functions

Since most hardware and software come shipped ready for use, you need to activate security or audit functions if you want them to work. For example, manuals will generally tell you to change the default ID and password, but those instructions are too often overlooked. Virtually every hacker Web site out there has a complete set of default IDs and passwords for commonly used equipment and software. If you don't change them, they'll be compromised.

Another common mistake is setting everyone up with supervisor-level IDs. Not everyone needs access to everything. Instead, rigorously control who gets high-level access to sensitive resources.

Ask yourself the key questions

I advise credit unions to check out their new products from a security perspective by having a ready-made set of security scenarios to test against. When conducting your review, ask yourself several critical questions:

* Are there incompatibilities with other parts of your environment?
* Do the product's security features work as advertised?
* Does implementing the new product invalidate or bypass security on any existing critical systems?

The big question, of course, is "How will you know?" The only way to answer that is by reviewing each new or modified system's impact on security to ensure that the system itself, as well as the traffic it creates, is secure.

Outsource a Vulnerability Assessment

The problem with finding security gaps, of course, is that somebody's got to close them after they're found. Since fixing everything is literally impossible, risk-level categories show IT people where to focus. An outsourced vulnerability assessment service will deliver prioritized vulnerability lists and recommended fixes for each vulnerability. Vulnerability assessments should scan your hardware and software systems and their configurations, as well as the network and its configurations, to analyze multiple layers in the infrastructure.

Vulnerability assessments vary in their scope and depth. Traditional third-party VA services scan the first 16,000 ports, view external IP addresses only, and deliver comprehensive reports (in some cases, thousands of pages). For the same cost – often, for less – you can expect full 65,000-port scans of both internal and external IP addresses, graphical executive reports supported by technical detail, and trending data showing a clear picture of your network exposure over time. And you won't have to worry about babysitting the vendor before, during or after the assessment; getting up at 3 a.m. to launch the process; interrupting network activity to accommodate the scan; or wading through reams of reports.

Consider Network Intrusion and Host Intrusion Prevention

What vulnerability assessment doesn't monitor is traffic sent by the system after installation or traffic that gets through to the system from the Internet. And it's not just public-facing servers that are vulnerable. Any system that has public access can be. If the desktop runs a browser, it's vulnerable. That's why network intrusion and host intrusion prevention are so critical at this stage.

Credit union executives are faced with an unprecedented number of security questions in today's ever-changing world of Internet commerce. My advice to them, however, is always the same: if you want an in-depth defense of your network, you need to pay careful attention to vulnerability assessment of new and changing IT and patch management. And the best place to start is always a thorough security review, before you buy your new system.
