Batten Down The Patches

If you think e-mail phishing is bad, wait until you see the threats marked for your other applications and networks, a panel of seven technology vendors told CU technology managers at the first Credit Union IT Risk Management Summit last month.

"Hackers are preparing for something much worse," said Pierluigi Stella, chief technology officer at Network Box USA, Inc., a Houston-based provider of network security solutions.

Virus threats are moving beyond e-mail to other channels, such as popular Voice-over Internet Protocol (VoIP) telephony and wireless, wide-area and peer-to-peer networks, including Instant Messaging (IM), said the panelists.

Networks are no longer the only target: threats are aimed directly at desktop applications as well, added Justin Mitzimberg, senior risk assessment and forensic engineer at Info@Risk, a security risk consulting team out of Eugene, Ore.

"The firewall companies aren't moving at the same speed as people writing the viruses," said Mitzimberg. "Firewalls don't protect applications."

Stella agreed: "I'm sure you have something to protect you against e-mail attacks but not against these new attacks. These attacks are coming from robots that can create 200 variants of a virus in one night and unleash them incredibly quickly."

Worse yet, professional criminals have jumped on the bandwagon, the panelists said.

"This is not your average Joe messing around in his basement at night," said Andrew Vesay, Information Technology consultant at Compushare. "We're seeing a systematic approach from professional criminals."

CU network security is being compromised by "messy" technologies such as VoIP and IM, which have "cut into the idea that you have a strong perimeter," according to Brent Huston, chief executive officer at MicroSolved, Inc., a Columbus, Ohio-based security and risk management provider.

Employees are the weakest link in the perimeter, many of the panelists asserted. "Hackers are using advanced social engineering to get people to click on links and go wherever hackers want them to go," said Mitzimberg. "Hacking a human is the trend that threats are taking."

Employees are often gullible, explained Richard Fleming, vice president of Security & Risk Management Consulting at San Antonio, Texas-based Digital Defense, Inc., a network security solutions provider.

A Great Big Wall, But...

"We've built a great big wall of security but made it convenient for employees to get in," he said. "Many attacks are going on inside the network. If employees see a link, they've got to click it. There's no patch for gullibility."

Often, employees click links or visit sites that inadvertently install anonymous spyware onto network computers, making it difficult to track criminals.

"Anonymous network traffic is the most frightening thing for next year," said Aaron Bawcom, vice president of Software Engineering at Richardson, Texas-based Intrusion Inc., provider of detection and prevention solutions and information compliance.

"If we are unable to find out who is behind the attacks, it greatly exacerbates our efforts to stop them," Bawcom said.

Credit unions must continue to fight the onslaught by assessing their security risk, educating their employees, patching their networks, and pushing for legislation, the panelists said.

The "Top Five" steps against security threats in 2006, according to Huston:

* Switch from perimeter-based security to "asset-centric" security.

* Focus more awareness on internal network and web-based applications.

* Work together to help establish best practices.

* Stay current on the risks from new and disruptive technologies.

* Keep your employees educated against social engineering.

The vendors participated in a session titled Malware, Spyware and Emerging Threats during the three-day Summit sponsored by The Credit Union Information Security Professionals Association (CUISPA).

CUJ Resources

For info on this story:

* CipherTrust at www.ciphertrust.com

* Compushare at www.compushare.com

* Digital Defense at www.digitaldefense.net

* Info@Risk at www.infoatrisk.com

* Intrusion at www.intrusion.com

* MicroSolved at www.microsolved.com

* Network Box USA at www.networkboxusa.com
