Top 10 Internet Security Questions

Does a firewall provide enough security? Should your firewall be monitored? Should you outsource security management? Learn the answers to these and other important questions to see whether you’re Internet-security savvy.

1. Is a firewall enough security? No. Oftentimes, even a properly configured firewall doesn’t block allowed services such as e-mail and Web traffic. In these environments, a firewall doesn’t filter, block, or even examine this traffic once it is allowed.

2. Is my firewall managed? Most credit unions would answer "yes," but most of the time the answer is no. A managed firewall means that a trained Internet security expert can ensure the configuration is correct, keep the software and security patches up to date, make appropriate changes, and review logs for suspicious activity.

3. Does my Internet service provider (ISP) manage my firewall? Probably not. ISPs are connectivity experts, not security experts. Usually, they configure the firewall for the base-level connectivity requirement and leave it as is. Most never update the software. Typically, an ISP performs only maintenance, which means that if the device fails, they’ll replace it.

4. Should my firewall be monitored? Probably not. Most of the time, firewalls don’t record the type of data needed to determine if a dangerous attack is happening. Firewall monitoring has some value when added to an intrusion detection system, but by itself it has little value.

5. Should I outsource my security management? Retaining highly qualified security engineers is difficult and costly. Usually, it’s far more cost-effective to outsource the specific Internet security components, including remote vulnerability assessments, firewall management, and intrusion detection and prevention.

6. How often do I need a full assessment? Federal regulation requires these to be done regularly. "Regular" means different things to different people. For the smallest of credit unions, an assessment should be done at least every three years. Larger credit unions should do an assessment each year or every other year, depending on the credit union.

7. Do I need an intrusion detection system? If you host services (which means the server is in the credit union network) such as e-mail, a Web site, online banking, and so on, then using an intrusion detection system (IDS) is highly encouraged. If you don’t host any services but have many other potential attack sources, such as inbound modems, a partner connection, or a virtual private network, then using an IDS is moderately to highly encouraged. If you have broadband Internet access and employees have unrestricted access to the Internet, an IDS is moderately encouraged.

8. Do I really need a penetration test? Few credit unions need to go to the expense of a full-blown penetration test. Most of the time when a penetration test is requested, a remote vulnerability assessment is all that’s needed.

9. How often should I have a remote vulnerability assessment performed? If you host services, monthly assessments are highly encouraged. If your Internet access is for outbound use only (i.e., Web surfing), a quarterly assessment usually is sufficient.

10. Which systems should I test when doing a remote vulnerability assessment? Test all publicly accessible systems. This includes the firewall’s public address or any public system, such as a Web site, e-mail server, or file transfer protocol server, that’s hosted at the credit union. Depending upon the credit union environment, the Internet router may need to be tested as well. Most credit unions have one to four addresses that should be tested.

SOURCE: CavionPlus, Mounds View, Minn.; www.cavionplus.com.
Copyright © 2008 - Credit Union National Association, Inc.