CUISPA survey finds security protections are stretched by lean budgets.

Security remains a top concern at credit unions of all sizes as they deal with an ever-evolving landscape of threats while armed with flat or declining budgets to deal with the problem.

More than 90% of the 83 credit unions that responded to a three-question survey sent out in early May by the Credit Union Information Security Professionals Association said their security budget had either decreased or stayed the same this year. Meanwhile, 42% of the respondents said the current recession has helped increase security concerns in their shop, while about 52% said they were about the same. Only 6% reported feeling more secure.

The survey, sent out by CUISPA Executive Director Kelly Dowell in response to questions from Credit Union Times, also solicited dozens of comments from credit union security managers on the wide number of threats and challenges they face in keeping a firewall around their networked enterprise and their members' assets.

Basic economic problems were noted as one of the biggest impediments to keeping up. For instance, one CUISPA member said, "I think patch management is getting more and more critical and at the same time harder to keep up with. As overtime pay is being cut due to the recession, we're having a harder time keeping systems updated with the latest security patches, and we suspect we are not alone."

Several others cited vendor management and third-party transactions of all kinds as a challenge, something that also has caught the eye of security professionals like Ben Feinstein, director of research at SecureWorks in Atlanta.

"Credit unions face a real challenge of how to enforce a reasonable security policy on end points they don't own or control," he said.

Exacerbating that, Feinstein said, is the fact that "attackers are increasingly using aspects of social engineering and the human factor to achieve their goals. It's very difficult to defend against social engineering and human frailty with any existing technical control."

Of course, one of the key antidotes to social engineering is member education, something one of the respondents to the CUISPA survey said can take place even in these days of tight spending limits.

"If there is not budget available, it would be wise to look at your end-user education, both internally for your staff and externally with your members," one respondent said.

The education also needs to start at the top. "We need to educate executive management on the benefits of risk management and how it helps make money," another respondent wrote.

Among the other concerns listed by CUISPA members:

* ATM security.
* ACH transactions processed without verification, "sometimes resulting in loss and fraud."
* Complying with "all these policies, procedures and documentation required by the regulators."
* Counterfeit presentations. "More crooks are trying to join and make loans."
* "Numerous outside forces trying to gain access from China and Eastern Europe. I see these on the edge of my outside firewalls."

Credit unions can expect to see more of the latter.

"In the past year, attackers have escalated their use of social engineering and exploiting the human factor, and have further weaponized a whole host of client-side vulnerabilities," said Feinstein.

"The threat continues to move 'up the stack' and into the Web application layer," he said, attacking such widely used plug-ins as Adobe Reader, Apple QuickTime "and a slew of ActiveX controls."

"Frequently, the attackers use the successful compromise to insert malicious content into site, with the objective of compromising visitors to the Web site," Feinstein said.

The solution? "User and member education, and security awareness training," the SecureWorks research director said.

And going forward? "Are we much more secure than we were five years ago? Absolutely. Are there more risks? Definitely," said Jim Morrell, senior vice president/chief information officer at iQ Credit Union in Vancouver, Wash.

"Today, we are a year further into identification, prevention and remediation of security concerns," said Morrell, who's also a former chair of the CUNA Technology Council. "Unfortunately, so are those that are trying to subversively outsmart us. I don't believe we'll reach a point where we'll ever be able to put due diligence and prudent monitoring in a file with a tickler to revisit in five years," he said.

--mrapport@cutimes.com

1. Due to the current economic conditions, have security concerns within your credit union changed?

                     Response Percent   Response Count
Increased concern         42.2%               35
Decreased concern          6.0%                5
No change                 51.6%               43
Answered question                             83
Skipped question                               0

2. Has your security budget changed?

                     Response Percent   Response Count
Increased concern          8.4%                7
Decreased concern         28.9%               24
No change                 62.7%               52
Answered question                             83
Skipped question                               0

3. Do you think your security budget will change in 2010?

                     Response Percent   Response Count
Increased concern         30.1%               25
Decreased concern          9.6%                8
No change                 60.2%               50
Answered question                             83
Skipped question                               0

Source: CUISPA