How IT Dept. (Of One) Resolved PC Security Demands

Diligent software patching can make or break network security for credit unions, but Northeast Community Credit Union is one of many that just can't keep up on its own.

"I don't have the talent or time in-house to manually identify and test all the patches" for the credit union's 35 networked PCs, said Lise Zapatka, chief operating officer at Northeast Community CU.

IT staff is too expensive for the $103-million CU. Echoing the experience of thousands of credit unions nationwide, Zapatka said, "I have no IT department. Information Technology is just one of the hats I wear."

Yet Zapatka is well aware that inefficient patching leaves Northeast Community CU's network vulnerable. "We have the financial, operational and reputation risk," she said.

Indeed, one year ago, the NCUA in Letter 03-CU-14 advised credit unions that they were responsible for risk stemming from any vulnerable software.

The risk continues to grow: Microsoft alone released 19 security updates just for Windows in 2004. And recently, "zero-day exploits" are threatening credit union security without warning or fixes.

Zapatka used to respond to the threat by calling her core vendor's LAN technician once a month. "The drawback was that when critical updates were released, our patching wasn't always timely. If I were really worried about a particular patch, I would have to call the technician sooner and pay him the hourly rate plus travel."

In April, Zapatka said her patching worries dissipated. Northeast Community CU began using PatchPlus, an automated software patching service released by core processing vendor Avon, Conn.-based COCC.

PatchPlus implements the NCUA's recommendations for monitoring, testing, installing and reporting patches, according to COCC. "The beauty of COCC's patching process is that I don't have to do anything," said Zapatka.

Updates are automatically, and selectively, applied to the CU's Windows 2000 environment during off-business hours. First, COCC beta-tests the new patch in one installation at each of the CU's two branches, before sending the patch out to noncritical workstations. Then, less than 48 hours after the software provider releases an update, the CU's critical workstations have been secured, said Zapatka.

PatchPlus applies Microsoft Critical and Security, Microsoft Office and McAfee anti-virus patches. In August, 12 patches were applied in more than 300 installations at Northeast Community CU, according to a COCC status report.

"With the reports that COCC generates, Northeast can easily demonstrate to auditors and examiners that their compliance with patch management solutions meets or exceeds the current federal guidelines," added Adam Cravedi, a LAN Specialist at COCC, referring to guidelines set in the FDIC's FIL-43-2003, computer software patch management.

Zapatka likes the PatchPlus price. "PatchPlus is just a few dollars per month per terminal," she said. NCCU pays $6.25 per machine per month for service to the first 30 PCs.

Said Brent Biernat, COCC's managing officer for network services: "Software patching is an important piece of a credit union's overall security strategy. Firewalls, web filtering, anti-virus and anti-spyware solutions with up-to-date signatures along with software patching and enforcement of an effective security policy are the key components in protecting credit unions from very real threats in cyber-space."

COCC serves 28 credit unions in North America, two of which are using PatchPlus.

CUJ Resources

For additional information on this story:

* Northeast Community CU at www.northeastccu.com

* COCC at www.cocc.com
