KENSINGTON, Md. - Walk softly but carry a big firewall, and back up what's behind it. That's the word from Tim Kersnick, a self-employed IT security consultant who has spent the past several months working at Lafayette FCU in suburban Washington, D.C., but has a career in financial services IT security spanning decades and continents. Kersnick has seen a lot and feels strongly about financial institutions' need to protect their data and the people whose money and personal information they harbor.

"When I started, I was 15 and the only kid in my town with a computer. Things have changed so much," he says. "Everything's connected and new threats pop up every hour, and banks and credit unions have a responsibility to society to make sure they do everything they can to be as secure as possible."

Credit unions hold a special place for him, and with their special relationship with their consumer base, Kersnick has long been helping them keep that member-centric focus in the lobby while keeping the information lockbox secure behind the scenes. Kersnick's experience with credit unions extends back to 1997 when he put in one of the early WANs (wide-access networks) at Bayer FCU in Pittsburgh. From there he went on to do specialized security work, responsible for virtual private networks, encryption deployments and security assessments for a range of multinationals. Some of his most far-flung assignments included setting up WANs from Melbourne to Sydney in Australia and, for Barclays, from Singapore to Hong Kong. He also has connected such systems through the major international Internet traffic center in Ashburn, Va.

Wanting to spend more time at home and with his family, Kersnick, who holds degrees in computer science and electrical and mechanical engineering, now has his own consultancy, Bluefish Systems (www.bluefishsystems.com), and does work for credit unions such as Lafayette, where he has gained a big fan in John Straub, the $300 million CU's vice president of information technology.
Kersnick's company at the time was brought in to manage the installation of 20 DSL lines to connect an ATM network into a VPN, Straub said. An unusual router setup had been installed in the virtual private network and when Kersnick heard Straub complain that nobody but the original installers understood it, Kersnick jumped in.

"Tim immediately telnetted into the router, took a look at the config, telnetted into a similar router, copied the config file and installed it on the sick router," Straub says. "He needed to alter a number of registry entries to get the required permissions, and the thing was up and running in a total of five minutes!

"I was flabbergasted. At best I had expected the ATM machine to be down for a day while I searched for help from the provider of the router, which was no longer in business."

Kersnick, wanting to spend more time around home with friends and family, formed Bluefish Systems and took on Lafayette FCU as his first client. Besides his intuitive ability to understand "UNIX, Windows, Active Directory, Cisco, TCP/IP, anything related to networking," Straub says, Kersnick became well known around the FCU for the figure he cut when he was hard at work.

"He's a casual dresser and almost always worked slouched in a chair, feet up on another chair, with a huge laptop balanced on his lap," Straub says. "Even in this pose he looks serious and intense when he's in his zone, which he often is."

Kersnick comes out of that zone to share his knowledge and has "become legendary in my shop of quite well-qualified technicians," Straub says. "He's always willing to share his secrets with my staff, and in fact, takes extra pains to do so."

Kersnick, for his own part, says he appreciates the open atmosphere of credit unions compared with the banks he's served, an openness he said creates the need to perhaps be even more diligent about possible security lapses. It starts out in front.

"Banks have these strict policies, always aimed at preserving everything from income to property," he says. "It's all right in your face, beginning with the bulletproof glass and PIN pads in the lobby. Heck, some want to charge you to talk to a teller.

"Credit unions are more like a family. They have to be friendlier. But do you need a friendly security guard? Do you want a friendly firewall? Friendly and security are terms that don't mix well. So at a credit union, you have to do a little more to hide those sorts of measures, to keep them in the back office," the 21-year network security veteran says. "You have to keep the friendlies in front and the uglies in back," he says.

Security is a mixture of technology, internal controls and training, Kersnick adds. Don't let staffers download programs like AOL onto their PCs. And don't let them use eBay at work, because it's a hotspot for malicious, intrusive stuff. Beware of popups and cookies and email attachments, all of which can be used by outsiders to quickly glean information about the credit union and its internal systems, and, perhaps a bit unfortunately, it's necessary to be aware of each other.

"Knowing what is happening on your network and who has access to what is critically important, especially in smaller organizations like credit unions," Kersnick says. "Your security policy should include not giving all the keys to one person. IT people often have access to more pieces of information than they really need. For instance they have no need for the passwords to access the Fed. It's the same with wire transfers. And more than one person should have each of those keys, in case someone leaves, disgruntled or otherwise," he says.

It also doesn't have to cost a fortune. For $500, Kersnick says, he can set up an intrusion detection system that helps mitigate risks, and it can be monitored externally for a monthly fee.
Such systems also can be monitored in house by staffers, who, if they keep up with updates from CERN and other Internet security organizations and help make sure the organization uses best practices internally, can have pretty solid risk reduction measures in place, and "all it costs you is an old PC to monitor it," Kersnick says. "It cracks me up sometimes," he says.

Credit unions, because of their open culture compared with banks, can be a bit slower to catch on to a lot of the realities of IT security these days, but cost and technical demands aren't the barriers they have been in the past, Kersnick says. "There's no reason for anyone not to be able to do it," he says.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.