The people? That's the part of the IT security puzzle that sometimes falls under the heading "social engineering" and includes everything from educating staffers against giving system passwords over the phone to not opening e-mail that can introduce viruses or worms.

The problem is real and it's growing, according to those who make their living dealing with such matters.

"The Internet threat for credit unions continues to grow. Attacks have almost tripled in the past 12 months," says Jon Ramsey, director of Internet security at SecureWorks in Atlanta, which includes six of the 20 largest credit unions among its more than 300 CU clients.

His company uses a "threat score" based on a number of factors to measure the frequency and severity of attempted attacks on clients' IT security systems and says the number of attacks, the type of attacks and their severity all have been on the rise.

Combined, it all makes IT security an increasingly important and expensive part of nearly every credit union's budget and operations.

"The amount of resources spent on security is definitely on the rise," says Kevin Doyle, information security manager at $2.2 billion Pennsylvania State Employees Credit Union.

"We've learned that the education process for our staff and our members needs to improve. Security isn't just for technology people anymore," Doyle says.

He points to the spoof e-mail, or phishing, schemes now spreading so rapidly on the Internet as a prime example.

"It's the most dangerous social engineering attack in history," Doyle says of phishing, in which fraudsters create fake Web sites to gather account numbers and other personal information.

"People are victimized by these schemes at the rate of 3% to 5%. The biggest challenge is educating our members not to fall victim to these schemes," says Doyle, whose full-time job is devoted to securing information and technology infrastructure at the 280,000-member CU in Harrisburg.

Ed Francis would agree.
"Although not technically a new threat, social engineering has been on the rise and I believe many organizations are just now realizing it can happen to them," says the president of CastleGarde, a Florida-based IT security consultancy to credit unions nationwide. "We have seen instances where an attacker will call an unsuspecting end user posing as a member of the IT staff and ask them to verify their password. The end user then will provide their password, thus giving the attacker their level of access to the network," Francis says. Along with educating staffers, addressing ongoing security issues such as those pesky patches and sniffing out spyware takes up the bulk of IT security time and effort at Purdue Employees FCU, says Gail Koehler, senior vice president of technology and retail delivery at the $400 million CU in Lafayette, Ind. That spyware can be installed on PEFCU workstations through infected Web sites, requiring staff time to detect and delete, as does "the constant need to deploy security patches to servers and workstations, responding to users' needs for security training, and constant support calls related to bogus e-mails resulting from ubiquitous viruses and phishing," Koehler says. Ask Chris Kroll what he thinks is the big threat right now to IT security at credit unions and he'll tell you: "The growing number of worms and super worms. It seems that as soon as a patch is released a new one comes out." Kroll is a security analyst for PM Systems Corp. and its CU Defense unit, which together serve about 180 credit unions from their headquarters in Chapin, S.C. "The only thing we can do is try to keep our systems current, which means applying critical patches and signatures as soon as they are released and not waiting to apply these updates until it's convenient," Kroll says. 
He says he thinks credit unions will be relying more heavily on automated utilities and managed services for patch management in the near future, leaving them more time to "focus on other security issues."

"What those issues will be, I have no idea yet," Kroll adds. "However, I am seeing more credit unions becoming more comfortable with VPNs (virtual private networks) and wireless, so an emphasis in that area would not surprise me."

The explosive growth of wireless networks also poses a whole new area of concern.

"Wireless access is the new challenge," says Rick Fleming, chief technology officer at Digital Defense Inc. in San Antonio, Texas.

That concern becomes accentuated as data becomes available to new devices beyond simply computers.

"Now instead of intercepting wireless traffic with a bulky laptop, a network attacker can use a regular cell phone," says Fleming, whose company has about 120 credit union clients as well as the NCUA. "Additionally, many cell phones contain cameras which allow an attacker to capture full screens of information in an instant.

"Wireless access makes life easier for legitimate users but securing these access points against attackers takes time from the IT staff," he says.

Attackers also are concentrating on specific industries, says Josh Daymont, director of research at SecureWorks.

"We are seeing increasingly sophisticated attacks against specific target verticals such as financials and pharma, as well as organized multi-stage worm efforts where some organized groups, probably sponsored by underground commercial spammers, have used the generic backdoors seen in most newer worms to bring large numbers of machines within their control and actively block access to those machines from other attackers," Daymont says.

Why? "Rumors are circulating about underground markets where access to compromised broadband desktops sells for as much as 50 to 75 cents a machine," Daymont says.
"At that rate, a sophisticated worm author and backdoor scanner can support himself or herself relatively comfortably just selling compromised machines." At Wescom Credit Union, vulnerabilities in Windows and Cisco operating systems and computer viruses are the main threat to IT security, says Rob Guilford, senior vice president of information technology at the $2.6 billion CU in Pasadena, Calif. "Most of our time is being spent loading security patches from the various software vendors," Guilford says. "This can be especially difficult because so many of the patches have not been tested with all the applications and can sometimes break an application, so patches cannot be simply applied without review and testing." Spam also has not gone away. "Spam is becoming very prevalent and difficult to prevent" for credit unions, says Francis at CastleGarde. "Fortunately there is software available that can help ease the burden, but it's not 100% accurate. "It still requires manual intervention to monitor the quarantine queue and release legitimate e-mail. Furthermore, custom filters may need to be created frequently, to subdue the new ways of spending spam." The experts at CU Defense, CastleGarde, Digital Defense, SecureWorks and their competitors shouldn't be put of work anytime soon. At Wescom, Guilford predicts that "the resources dedicated to maintaining IT security might grow to consume perhaps 33% of the overall IT budget." And PSECU now spends about $200,000 a year on vendors who monitor and manage its intrusion detection and prevention activities, a number expected to rise when the big CU launches the duplicate data center it's creating as part of its business continuity assurance project. So, what lies ahead? What will be the big challenge a year from now? "If we could predict that, we'd be able to sell that knowledge for big dollars," says Koehler at Purdue Employees FCU. 
"The problem is that there are more people working to infiltrate our systems than there are those working to protect them." -

|

[email protected]

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

  • Critical CUTimes.com information including comprehensive product and service provider listings via the Marketplace Directory, CU Careers, resources from industry leaders, webcasts, and breaking news, analysis and more with our informative Newsletters.
  • Exclusive discounts on ALM and CU Times events.
  • Access to other award-winning ALM websites including Law.com and GlobeSt.com.
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.