Another CU Finds Network Security Is Best Outsourced

Don't try to single-handedly manage your credit union's network security; it's a job to share with a third party.

So report a number of credit unions from various asset categories, including Atlantic CU in Newtown Square, Penn., Xerox FCU in El Segundo, Calif., Alliant CU in Chicago and Centris FCU here, who shared their insights in recent interviews with The Credit Union Journal.

Yet many credit unions continue to fight cyber threats with internally-managed firewalls.

At $300-million Centris FCU, information technology staff was beginning to wonder if it could properly protect its data security perimeter around the clock, according to Steve Edgerton, vice president of technology at Centris.

The CU began outsourcing firewall management, intrusion detection services and File Transfer Protocol (FTP) and Virtual Private Network (VPN) monitoring to Solutionary, Inc. in late 2002.

"Before Solutionary, we had an internally-managed firewall," said Edgerton. "We were concerned with the ability for internal staff to appropriately monitor our systems to protect our network and member information.

Sophistication Lacking

"We monitored the firewall condition with existing staff and used third-party engineering firms to assist with maintenance, upgrades, and software rules," he continued. "The system lacked the sophistication to provide statistics and primarily acted as a hardware and software blocking device."

In addition, Centris did not have a fail-over system. "The fail-over system allows you to upgrade a system while the other takes over," Edgerton explained.

Consequently, when technicians encountered potential breaches, Centris would have to prevent access to certain member services, which was especially regrettable when alerts turned out to be false positives.

With Solutionary's monitored services, Centris has managed to tighten the screws on the network without locking out members, according to Edgerton.

"We have a managed firewall system that is monitored around the clock and includes automated fail-over to a backup system," he explained. "This is a decision we made to have the best possible up-time for our members in the event that our equipment fails. In addition to the firewalls, we have intrusion detection systems in place that monitor all activity.

"We have pre-established standards for what to do when certain events happen," Edgerton continued. "This may vary from making immediate calls to our staff or automatically blocking a suspect IP address. We have limited VPN access and limited staff who can access FTP files, but these are also monitored for breaches in policies."

Edgerton said the biggest difference in network security today is that Centris is "proactive, and less reactive. We chose to actively manage intrusion detection instead of having intrusion detection tests performed periodically."

Solutionary alerts Centris to potential security breaches and responds with predetermined countermeasures. "I am not sure how well I would have slept in the past if I were to realize just how many attempts were made to access our systems," Edgerton said.

54 Alerts In One Month

Though the 58,000-member credit union hasn't experienced serious breaches, Edgerton shared one month's report that included 54 alerts, 10 of which were considered serious risks, 36 of which were considered medium risks, and eight of which were considered low risks.

Many of the risk alerts were false positives, Edgerton said. The remaining risks were blocked or determined to be benign.

"We review the detail of these reports monthly," said Edgerton. "The reviews help us see what is happening or attempted, and may lead to changes in our rules-based handling of threats."

Outsourcing has been a wise choice financially, as well, he said. Edgerton estimates that maintaining a round-the-clock, 4-person staff with suitable expertise would cost nearly $90,000 per year.

Centris is a community-based credit union with nine offices serving members of Douglas, Sarpy and Lincoln Counties in Nebraska, and Pottawattamie County in Iowa.

Also based in Omaha, Solutionary provides security solutions to protect networks and electronic assets of organizations worldwide.
