As part of its pitch to win our credit union's business, a consulting firm has guaranteed our board that we have security vulnerabilities (i.e. they can hack us successfully) in the multiple connections between our core solutions provider and the other technology pieces we have bought. Does your panel believe that's true, and doesn't our core processor have a responsibility here?
Richard G. Taylor, president, CU Intel
I personally would expect that many credit unions do have security vulnerabilities, and to some extent your vendor may provide some levels of security. However, the burden lies on the credit union to ensure that member data is protected. When it comes to security, there is so much that has to be taken into consideration.
For one, your internal credit union protection, such has your firewall. It is the credit union's responsibility to make sure the firewall is providing adequate protection. In my experiences, credit unions think their firewall is all they need for protection. Firewall settings would have to be adjusted daily to provide maximum protection. I would be surprised to find credit unions that change them once a quarter. You also have to consider the system that your host system is operating on, for example an IBM RS6000 or HP9000. These systems run their own version of UNIX that includes security.
Your host vendor can't be responsible for the security of your operating system. Another thing you have to be aware of is the most treacherous of them all-your internal staff. Your host system has security, your network has security, your firewall provides security, BUT the security provided is only as good as the people maintaining it and your internal credit union security procedures.
Most hacks come from within. Employees have access to dial-up lines, passwords, and the system itself. Add in all the new systems credit unions are installing and you have the potential for some security holes. Ongoing penetration and vulnerability testing is the only way to adequately secure your credit union.
Scott Mackelprang, Director of Security and Compliance, Digital Insight, Camarillo, Calif.
Although these types of scare tactics are more common with smaller companies soliciting business, and uncommon with the larger, more professional security firms, they need to be addressed nonetheless. Good security practice takes every threat seriously.
The first step is to clarify what a system vulnerability is. In the question, the reader is assuming that a security vulnerability is the same thing as fully compromising a system.
A system vulnerability is a point of weakness that lessens your defense against an attack, but is not necessarily a successful system break-in. Vulnerabilities can range in potency. A minor vulnerability, for instance, would be displaying current application version numbers in a network scan. Such a vulnerability may or may not significantly raise the probability of a full system compromise. A major vulnerability would be leaving default administrative accounts and passwords on a server. The first example helps the hacker better understand how to attack the system, but does not guarantee a successful system compromise. The second example is a serious vulnerability that will likely lead to an immediate system compromise.
The responsibility of security lies with every party involved. To ensure integrity of their system, the credit union should communicate these claims to each of its technology partners and expect a satisfactory response. Prioritize the list of partners and begin with the primary contractor. The company should have a security infrastructure already in place, as well as audit documentation. You may have already asked for these when you purchased your other products.
Dick McConnell, AFTECH, Malvern, Penn.
The sales tactic of "guaranteeing" that a system can be successfully penetrated is common, so it is probably commonly successful. Whether it would be successful in this case is impossible to tell, since there is no detail given about the system in question.
The question of the core processor's responsibility for system security is more easily answered: yes, the core processor has some responsibilities.
It is important, however, to realize two things:
The core processor is not responsible for all security, especially when the system resides at the credit union. Physical security, for example, is hardly the responsibility of the vendor. When dealing with third parties, the risk increases and the responsibility becomes more diffuse.
Concern for system security provides one more reason for you to start your third-party shopping with your core processing vendor.
In addition, the ultimate responsibility for system security always rests with the credit union. It is up to the CU to perform the due diligence necessary to ensure that the core processor as well as providers of other elements of the IT structure share in the security responsibility.
As a credit union expands its branch network, the opportunity for increased use of technology also expands.
For example, both service improvements and reduced costs can come from high-speed communications lines; wide use of ATMs and similar devices; video devices that allow members to access their own accounts; shared branching; and expanded use of audio and internet communications and transaction processing.
Keep in mind too that more members, more endpoints, and more transactions could well require an upgrade of the capacity and speed of the core processing system.
Zandy Reinshagen, Director of Product Delivery, Symitar Systems, San Diego
There's no doubt that consultants can play a useful and important role in the development of a credit union's technological landscape. However, they're operating a business like any other, and are therefore motivated by a need for new clients.
Chances are that any security consultant who knows his business will be able to find some sort of vulnerability on any system. The challenge is determining exactly how serious a vulnerability you're faced with. For example, the consultant may report vulnerabilities in the credit union's firewall. There are a lot of firewalls on the market, and each consulting firm will have its favorite, along with some dirt (legitimate or otherwise) on a competitor's model. The bottom line: If you're dealing with a security consultant that doesn't already have a strong name in the CU market, don't be afraid to get a second opinion. And don't forget to discuss the matter with your core processor, either. They should be able to point you in the right direction.
As for responsibility, the relationship between a core processor and its credit union client really is a partnership. The core processor is obligated to provide the tools and information that the credit union needs to keep its system secure. However, especially in an in-house environment, the core processor can't always make sure the credit union is using those tools and information as they're supposed to. To fulfill its part of the partnership, the credit union must make a conscious decision to use the security tools provided by the core processor to their maximum capability.
The issues are compounded when third-party technology providers enter into the picture. The core processor may provide a secure system, and the credit union may be doing its part to keep the system secure, but the third-party product could very well introduce some sort of vulnerability. This all points to the need for extensive security testing before third-party products are deployed, and brings us back full circle to the beginning of this question, where the credit union was looking for a security consultant. Again, the core processor should play a key role in this.
Jim Hutchins, Director of Cyber Products, re:Member Data Systems, Indianapolis
All parties share in the responsibility of ensuring high security measures. Core processors should support and enable their customers to implement high security standards and should provide complete training on the security features available in the system. The core system can enable credit unions to implement stringent security measures, but it is the financial institution that enforces all security measures. For example, the best locks and high tech identification systems can be purchased, but if someone who has access to these security devises leaves the back door open, the security measures are of no use. Credit unions should have support from their third party vendors, but ultimately the responsibility to enforce security rests with each financial institution.
Chris Brooks, Chief Technology Officer
Unfortunately, it's very likely that the consulting firm is telling the truth. They probably can perpetrate some form of attack against your systems. However, responsibility for the breach may or may not fall on your core processor. That depends on the specific vulnerability and on your risk management expectations.
The vulnerability that the consulting firm is alluding to may be caused by a failure in personnel, processes, or technology. For example, they may have found that they can obtain access to your data center or to your core processor's data center by posing as janitorial staff. Once inside the data center, they may have unmonitored access to a variety of sensitive systems.
It's reasonable to expect that your core processor will follow the best practices established by the US government for safeguarding financial information. These are largely embodied in the SAS70 guidelines. It's reasonable to expect that your core processor will follow the best practices for systems management. This includes performing regular system backups and applying published security patches. It is not reasonable to expect your core processor to find new security vulnerabilities in commercial software or hardware. It probably is not reasonable to expect your core processor to withstand a prolonged distributed-denial-of-service attack. Everything else is in the gray area of risk management and must be negotiated between you and your core processor.
Tom Miles, E PSCU, Tampa, Fla.
It is possible that there are security holes that this vendor has found between the core processor and other connections.
The core processor does have a responsibility to make sure that data on your host system is secure. However, if the credit union contracts with a third-party vendor that creates a custom connection to your host, that third party must ensure the security of its connection and the data it is utilizing. In my experience with credit unions, even when the core processor is contracted to provide security assurance/monitoring, they tend to focus on the areas immediately adjacent to the data processing host, and only cursorily examine the rest of the infrastructure.
Still, the bottom line is that the credit union must take the lead in securing all the data it owns on every channel, but I would hesitate partnering with an outfit that uses a "hack and tell" approach to gaining business.
I recommend working with an established security vendor that employs a holistic approach to information security. An assumption inherent in such an approach is that there is and always will be risk associated with information technology. The objective then is to mitigate that risk and manage to an acceptable level of risk.
Reader Question Two:
In mid 2002, we (hope) to convert to a rather large community charter. In doing so, we also project a significant increase in our branches over a much larger geographic area. 1) I would greatly appreciate your panel's thoughts on any technology demands we should plan for with the expanded branch network, and 2) Has anyone any experience in incorporating biometrics as we've been told we can expect increased fraud with the increased FOM.
Zandy Reinshagen, Director of Product Delivery, Symitar Systems, San Diego
The single most important piece of advice I can give to anyone on the topic of branch expansion is not to scrimp on bandwidth. High-speed data connections are becoming cheaper and cheaper, and there are also a number of competing technologies available. Make sure you understand each of your options, how much they cost, and what the trade-offs are. The last thing you want is for your new, expanded operation to grind to a halt because you ran out of bandwidth.
Nearly as important is the need for remote network management tools. In other words, you need to be able to manage and control the entire system, branches and all, from your computer room. It's simply not feasible to send your technical staff out to a branch every time something goes wrong.
As for biometrics in lieu of some other more traditional security measure, I don't think we're there yet. Naturally, as you add more members, you're going to encounter more fraud. There's just no way around that. However, biometric technology is still very expensive, meaning that an investment in the technology at this point may not pay for itself very quickly in terms of preventing fraud. Furthermore, depending on which biometric technology you choose--- fingerprints, retinal scans and facial recognition are all technically viable-you're likely to meet some resistance from your members.
The cornerstone to any fraud prevention program is solid policies and procedures. Without these, all the cool gadgets in the world won't help. I suggest the credit union invests the time first to make sure its internal security policies and procedures are able to accommodate the projected growth. That may seem like a low-tech notion, but I think it makes sense.
Chris Brooks, Chief Technology Officer, Corillian Corp.
The considerations for expanding branch network (hardware, data distribution and network infrastructure) include:
* How are branches receiving their data? Mainframe or LAN?
* If LAN based, do/will the branches have individual LANs?
* As branch network grows, distribution of updates to application software needs to be considered. Smaller, non- geographically diverse branch networks can utilize "sneaker net" (send floppy or CD to branches with install instructions). For larger, geographically-extended networks, automated distribution is more efficient and won't require training of branch personnel.
* Is the current branch technology extensible and scalable to support extended numbers of branches?
Network infrastructure needs to be considered, such as network backbone expansion and mainframe capacity. Additions of branches and therefore transactions will likely increase processing time. What will the impact of larger batch run times be on other applications dependent on the data (missed windows). Individual branch configurations also need to be considered, such as cable drops, power, etc.
As you expand your branch network, you are inherently expanding your risk profile. As you service more customers, more people will require access to your core systems, increasing the probability that fraud will occur. Biometric technology can aid in mitigating some of that risk, but it is not a silver bullet. Biometric technology today is best used for physical access control to highly secured areas such as data centers. At this time, biometrics are not well-suited for controlling access to applications. For those systems, you may want to consider improving on usernames and passwords by using one-time pads such as RSA's SecureID cards or Vasco DigiPass tokens.
Jim Hutchins, Director of Cyber Products, re:Member Data Systems, Indianapolis
With an expanded branch network, it is imperative to ensure that your infrastructure is ready to support increased activity. The network should be self-healing and redundant, with the appropriate bandwidth to support high transaction volumes. Review firewall security, telecommunications, and the proliferation of Internet technologies, including home banking and bill payment.
Dick McConnell, AFTECH, Malverne, Penn.
The question of biometric security devices is easy enough to answer: they do improve security. They are also expensive and-to members unfamiliar with them-can be intimidating. How much fraud are you expecting? Is the fraud cheaper than the security system? These are baseline questions that have to be answered to determine the cost/benefit equation of any security measure.