The Keys To The Lock

Credit unions want information security, but there's a big problem: people and their passwords.

"Most of what I do involves protecting employees against employees," said Kristina Bird, manager of information systems at $127-million Safeway Rocky Mountain FCU (SRMFCU).

In her fight to prevent employees from making big mistakes, or from committing big crime, Bird enlisted the help of vulnerability testing software in 2000.

"The number-one thing that we look for in protecting our corporate computer systems is password violations," Bird continued.

She said employees can easily and quickly create bad passwords, but that IT staff has difficulty monitoring passwords on a daily basis.

The vulnerability testing software, called Polivec Scanner by Mountain View, Calif.-based Polivec, Inc., contains a password-cracking utility that scans all of SRMFCU's machines for insecure passwords, in about five minutes.

"We take our security policy and export it into Scanner," Bird explained.

Scanner generates "a list of everybody whose password is within the guidelines and contains the correct number of digits but is easy to crack."

Bird can then quickly fix the problem. "We lock out those users and ask them to devise a new password."
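The workflow described above (export the policy, list the passwords that satisfy the composition rules yet are easy to guess, then lock those accounts and force a change) can be illustrated with a small audit script. The following is an added example, not Polivec code and not SRMFCU's policy: the length and digit thresholds, the wordlist, the heuristics and the sample accounts are all assumptions constructed for the demonstration. It checks candidate passwords at the point they are set rather than cracking stored hashes, which is enough to show why "within the guidelines" and "hard to crack" are different properties.

```python
import re
from typing import Dict, List

# Assumed policy thresholds; the article only says the policy requires
# "the correct number of digits", so these numbers are illustrative.
POLICY = {"min_length": 8, "min_digits": 1, "min_letters": 1}

# Constructed mini-wordlist standing in for the dictionary a real scanner uses.
COMMON_BASES = {
    "password", "welcome", "letmein", "summer", "winter", "spring", "autumn",
    "qwerty", "admin", "login", "secret", "creditunion", "safeway", "monday",
}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")

# Common character substitutions users apply to sneak a word past a filter.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_policy(pw: str) -> bool:
    """Composition rules only: the kind of check a password filter enforces."""
    digits = sum(c.isdigit() for c in pw)
    letters = sum(c.isalpha() for c in pw)
    return (len(pw) >= POLICY["min_length"]
            and digits >= POLICY["min_digits"]
            and letters >= POLICY["min_letters"])


def normalize(pw: str) -> str:
    """Strip leading/trailing digits and symbols, then undo leet substitutions,
    so 'P@ssw0rd1' collapses to the dictionary word 'password'."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)
    return core.translate(LEET).lower()


def weakness_reasons(pw: str, username: str = "") -> List[str]:
    """Heuristics for 'within the guidelines but easy to crack'."""
    reasons = []
    core = normalize(pw)
    lowered = pw.lower()
    if core in COMMON_BASES:
        reasons.append(f"dictionary word '{core}' padded with digits/symbols")
    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the account name")
    if any(run in lowered for run in KEYBOARD_RUNS):
        reasons.append("keyboard or counting sequence")
    if len(set(lowered)) <= 3:
        reasons.append("too few distinct characters")
    if re.fullmatch(r"[A-Za-z]+(19|20)\d\d", pw):
        reasons.append("word followed by a year")
    return reasons


def audit(accounts: Dict[str, str]) -> Dict[str, dict]:
    """Classify each account the way the article describes: compliant and
    strong -> ok; compliant but crackable -> lock out and force a change;
    non-compliant -> should never have been accepted by the filter."""
    report = {}
    for user, pw in accounts.items():
        compliant = meets_policy(pw)
        reasons = weakness_reasons(pw, user) if compliant else ["fails composition policy"]
        if not compliant:
            action = "reject"
        elif reasons:
            action = "lock_out"
        else:
            action = "ok"
        report[user] = {"compliant": compliant, "reasons": reasons, "action": action}
    return report


# Constructed sample accounts (not real SRMFCU data).
SAMPLE_ACCOUNTS = {
    "kbird": "P@ssw0rd1",          # compliant, dictionary word in disguise
    "teller07": "Winter2003",      # compliant, season + year
    "jsmith": "jsmith99!",         # compliant, contains the account name
    "ops": "qwerty123",            # compliant, keyboard run
    "auditor": "Rocky&Lark-4Gate", # compliant and not matched by any heuristic
    "intern": "abc",               # fails the length rule outright
}

if __name__ == "__main__":
    for user, row in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user:10} {row['action']:9} {'; '.join(row['reasons'])}")
```

Four of the six sample passwords pass the composition policy and would be accepted by a filter that checks nothing else; only the dictionary, account-name, sequence and year heuristics separate them from the one genuinely strong password. That gap is what a scanner run against the live user base closes, and why lock-out plus a forced change, rather than a stricter length rule alone, is the remediation the article describes.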

Scanner has made it easier to implement the CU's security policy across all systems, she said. "On our main NT server, we have all of our security settings. We're able to push the settings out from the security station to each new computer, instead of going out and setting individual computers. And that allows everyone's PC to be set up the same."

SRMFCU also uses Scanner to maintain security policy and procedure settings on each employee's computer. User configurations and installations can thus be screened.

"For example, we can see if someone turned off a monitoring program and forgot to turn it back on," said Bird.

Of course, the 26,000-member CU's security detection and deployment is only as good as its security policy. SRMFCU used Polivec Builder not only to deliver a GLBA-compliant corporate security policy, but also to translate that policy into machine-level configuration.

"Builder brought up stuff we'd never thought of," Bird said. An example that sticks in Bird's mind is the credit union's computer room door punch-key combination. Builder's best practices templates indicated that the combination should be changed regularly.

SRMFCU's initiative to "protect employees against employees" and its obsession with password security come at a time when hacking is at a high. Case in point is the February theft of eight million credit card numbers from Omaha, Neb.-based Data Processors International.

In his fight against hackers, Polivec CEO Robert Medrano emphasizes what he calls "social engineering," which feeds off of unintentional security breaches by employees.

Employees may be unwittingly persuaded to share security information with hackers online, over the telephone, or even in person, according to Medrano. Hacker Kevin Mitnick's solitary confinement in 1995 came after several vast feats of social engineering. One such exploit was Mitnick's breach of systems at the U.S. National Security Council. NSC employees had shared passwords with Mitnick.

Enforcing security policy helps guard against hacker threats, according to Medrano. Fortunately for Bird, tighter security is not out of reach even for a CU with a small IT staff. "Polivec has made the securing of our network a 20-minute process instead of a 20-hour process."
