LANSING, Mich. - Small credit unions are sitting ducks for network hackers, according to one executive at a $56-million CU here.
"There's not a small credit union out there that's not in trouble in regards to the Internet," asserted Kathy Schroeder, senior vice president, operations, at Consumers Professional Credit Union (CPCU).
"Small credit unions think they're safe, but they're not," Schroeder continued. "Even if their online services are handled by a third party, they're still allowing external traffic into their networks. Consumers Professional is decidedly one of the very few small credit unions that does not allow the internal network to access the Internet."
The source of the problem? Small CUs are "fairly innocent and fairly non-technical," said Schroeder, who has worked in credit unions for 20 years and is a Certified Novell Administrator for Novell and Windows systems.
CPCU is neither innocent nor non-technical: The three-branch CU doesn't count on third parties to oversee its network security, Schroeder said.
"We manage our security in-house," she explained. "There's too much liability that comes from relying on a third party."
Asked about the lack of resources at small credit unions, Schroeder said that small CUs can and should shoulder the responsibility of managing their own network security.
"Small credit unions can do it," she said.
Although CPCU doesn't rely on someone else to oversee its security, it does turn to third parties for security hardware and software.
In fact, the CU switched one year ago from a "labor-intensive" Cisco Systems platform to the network security solution provided by iPolicy Networks of Fremont, Calif. and installed by Security Inspection, Inc., of Ortonville, Mich.
"iPolicy has given us peace of mind," Schroeder said.
The iPolicy Security Manager scans the credit union's two redundant firewalls, which have built-in intrusion prevention and detection systems. Then, iPolicy delivers a single, synthesized report on demand.
"I never had complete faith in our previous security products, because we could never get them to report together," Schroeder continued. "And that meant we couldn't prove that all the holes were sealed."
The iPolicy report is easy to read, both for auditors and the credit union's one-person IT department, she said. "With the Cisco product, you had to know what their rule definitions were. It was a lot easier to make mistakes."
The iPolicy system responds well to CPCU's layered security approach, Schroeder added. The Internet and six separate networks, such as third-party vendor, main office and server networks, are configured through a single iPolicy firewall.
"I've got six, separate demilitarized zones hooked up to the one firewall box, and it doesn't even blink an eye," she said. "The box is getting requests around the clock from networks inside and outside the credit union, and it never freezes up."
A second, redundant firewall keeps CPCU's network running safely if the other firewall shuts down. Network uptime is critical, as the credit union pushes 40,000 electronic transactions per month and nearly 40% of the credit union's members bank online, said Schroeder.
The iPolicy firewall is unique in its Single Pass Architecture, which performs a one-time inspection of each data packet entering the network and simultaneously enforces all of CPCU's security rules, according to Gajraj Singh, vice president, marketing, at iPolicy.
"Most vendors have one software for the intrusion prevention and one software for the firewall that separately look at each data packet and then analyze the information and enforce the rules differently," Singh explained.
"The fact that the Single-Pass Architecture can read the contents of every packet and route the packet accordingly, without being slow about it, is pretty amazing," Schroeder agreed.
CUJ Resources
For info on this story:
* Consumers Professional CU www.conprocu.org
* iPolicy Networks www.ipolicynetworks.com
* Security Inspection www.securityinspection.com
