COLUMBIA, S.C. – It's hard to put a price on security, but when it comes to patching that growing flood of server and PC vulnerabilities, it's only going up. Generally the term "patches" refers to software downloads needed to plug potential or actual ways that hackers, of both the ethical and criminal variety, have found to penetrate computer networks through Internet browsers, operating systems, server software and more. How much it costs to keep up depends on who you ask and how they add it up. For instance, TruWest Credit Union spends about $1,200 a month in labor alone, and that doesn't include the software subscriptions sometimes needed, says Thomas Gessell, senior vice president of IT at the $625 million institution in Phoenix. "In many cases we combine needed software patches with security patches, making it difficult to isolate the time required for that aspect alone," Gessell says. "However, I can tell you that the time required for security-related patches has definitely increased over the past 12 to 18 months." Dramatically so, some would say. "It's gone from a trickle last year to an absolute blizzard this year," says Jim Hicks, president of $69 million San Jacinto Credit Union in Houston. He says his CU will spend about $100,000 this year on patching and other security management, an amount that could go up another 40% this year. "And that's in an IT budget of only about $250,000 a year," Hicks says. "We pay about $15,000 to $20,000 for the software itself, but then you add in the labor, the time your own people spend doing the work," he said. He noted all this work and expense wouldn't be necessary if it weren't for all the abuses taking place on the Internet." At Carolinas Telco FCU in Charlotte, "it's hard to say, but I'd say I spend about an hour or more a week and $500 per month, perhaps, dealing with patch issues," says Tim Sigmon, data center manager for the $300 million credit union. His night operator and systems analyst spend an equal amount of time, he estimates. He also sees the problem getting worse. "Much worse in my opinion," Sigmon says. "So much info can be obtained off the Internet for script kiddies, crackers and hackers to learn code that allows them to do the damage." Many credit unions turn to outside vendors for help. For instance, Northeast Community Credit Union in Haverhill, Mass., has signed up for a new service from COCC, its core processor. Called PatchPlus, the automated software patching service helps client credit unions protect themselves while meeting NCUA recommendations for installing and reporting commercial patches in computer systems. The PatchPlus service, in addition to automatic installation, includes testing on a single workstation to ensure the new patch works with a CU's various teller, lending and backroom systems before it is deployed to the rest of the network, the former Connecticut Online says. "This is something that Microsoft and other software vendors simply cannot do," said Brent Biernat, COCC's managing officer for network services. "As credit unions increase their dependence on commercial software to support their operations, tailored software patch management becomes a critical function," Lise Zapatka agrees. She's assistant treasurer/COO of $100 million Northeast Community Credit Union in Haverhill, Mass., a COCC client that found that it didn't have the staff or expertise to keep up with the patches needed to protect the 36 PCs deployed at its two locations. It became one of the first users of the COCC PatchPlus program. "We don't have an IT department or person. We'd have to call for a road tech whenever anything came up. And like Murphy's law, he would come on a Thursday and a new patch would come out Friday," Zapatka says. "Now when there's a new patch out, COCC will test it, then send it to a machine that I designate as non-critical. When everything goes there, we then send it out to most of our other machines," she says. The importance of testing patches and installing them correctly should not be taken lightly, the IT experts say. That's because installing patches can sometimes create more problems than the vulnerability itself might have, especially for servers. "If you have a bad patch, you're in trouble," says Sigmon at Carolina Telco. "Not all IT shops have the luxury to fully test patches before rolling them out to production servers. So you have to read the security bulletins carefully." And at the individual PC level, there are separate challenges. For instance, adware or spyware. Those are small programs placed, usually anonymously through an Internet download, on a PC's hard drive that then track Web site visitation, among other things, and report it back to another site. Usually, it's just for cybermarketing purposes, but the intentions can be far worse, especially if keystrokes are logged and account numbers and passwords are revealed, and they're harder to detect. "The only programs that have been able to get past our multi-layered security have been programs that can be covertly loaded via Internet browser sessions, such as adware," says Gessell at TruWest. "These kinds of programs can be very annoying and cause productivity loss for the employee and IT staff in time spent removing the offending software." None of the credit unions interviewed for this article said they had encountered serious problems or direct attacks, other than system slowdowns and the usual flood of spam that's now controlled as much as possible by filters. Finding out about problems when they become known is not that hard either. "Part of our service agreements with our business partners is to ensure that we are advised of known vulnerabilities with their software," says Gessell. "When you combine that notification along with industry alert services you can subscribe to, you often get advised of issues in multiple ways." -

[email protected]