MADISON, Wis. (9/2/14)--A new white paper from the CUNA Technology Council, "Network Monitoring and Management: The Challenges and Complexity of Your Credit Union's Command Center," offers a thorough look at the practice of network management today, including best practices for keeping it secure.
The white paper is the second in a series of four council white papers devoted to security issues this year.
Network security, as defined by Cisco Systems Inc., refers to any activities designed to protect a network--its usability, reliability, integrity and safety. Effective network security targets a variety of threats and stops them from entering or spreading on the network.
"How do you keep your network secure but fast and reliable at the same time? With electronic crime being an international, multibillion dollar enterprise, security is becoming more and more critical," said Ron Dinwiddie, chief information officer at $850 million-asset Texas Trust CU, Mansfield, Texas, in the white paper.
Dinwiddie uses a castle analogy. "If you think of ancient castles, they don't have just a tall wall surrounding the castle; they have a moat, a drawbridge, the wall and, perhaps, even an inner wall. They then have guards on the walls 'monitoring,' with other protection possibly in place: arrows, kettles of hot tar, and so on. This is a 'layered security approach' that security experts highly recommend."
Credit unions, he says, must have the outer protection, such as a firewall (some organizations even have multiple firewalls) and then the extra layers of intrusion detection and intrusion prevention systems, web filtering, email filtering, internal anti-virus, end-point protection on the servers, and someone monitoring the network 24/7/365. Texas Trust uses a managed security service provider (MSSP).
Security requires a combination of prevention and detection, agrees Justin Store, director of information technology services at $60 million-asset Michigan Tech Employees FCU, Houghton, Mich. "We can prevent a vast amount of security attacks by mitigating the risks associated with given vulnerabilities," he said.
"These vulnerabilities include exploitable software bugs, configurations that don't follow best practices, as well as vulnerabilities that are inherent by design," Store added. "We need to prioritize the risks we can mitigate, and eliminate as much risk as possible. But we also must prioritize the risks we can't mitigate and try to develop detection mechanisms accordingly.
"We need detective measures to alert us when our preventive measures fail. This is the whole point of IDs," Store said. "If we can't prevent intrusions completely (which we can't), then we need to try to detect them as best we can."
There's no silver bullet to security, he said. Neither detection nor prevention will ever be 100% secure. "The key is to use both types of controls and prioritize them according to the value of each IT system or asset," he added.