Credit Union Optimizes Vulnerability Management

As the number of newly announced software vulnerabilities accelerated, EarthMover Credit Union needed a way to automate the manual processes associated with vulnerability management.

Since the Federal Credit Union Act (FCUA) was signed into law in 1934, credit unions have played a vital role in their communities and the economy. Today, there are more than 8,000 credit unions in the country with more than $709 billion in cumulative assets.

Like all credit unions, EarthMover Credit Union is dedicated to providing its 25,000 members efficient, low cost, personalized service and access to financial services at its six full service branch offices and many ATM locations. Part of what makes those efforts possible is the credit union’s highly-available and secure IT infrastructure, which ensures that its operations run smoothly. Unfortunately, credit unions, like all financial services firms, face the continuous threat of increasing cyber attacks.

In fact, the number of cyber criminals targeting financial institutions has nearly doubled in the past few years. Aside from targeting account holders with keystroke logging Trojans, viruses, and worms specifically designed to capture account information and Social Security numbers, attackers also are scanning the external networks of financial services companies in hope of finding vulnerable systems to infiltrate. “As a financial institution, we need to protect our members’ data. says Shelley Johnson, information technology manager, at Oswego, IL-based EarthMover. “It’s a full time job."

The Importance of Vulnerability Management

The foundation of any financial service firm is trust. And the National Credit Union Administration (NCUA) has established administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity, and proper disposal of credit union member information. These rules include having every credit union maintain an effective IT security program, and ensuring that third party providers that access credit union data take the appropriate steps to protect the security and confidentiality of that information.

EarthMover takes its security program seriously, explains Johnson, and has put into place many layers of defenses, including intrusion prevention systems, firewalls, anti-malware and VPNs, in addition to other security technologies. “You have to take a defense-in-depth approach,” she says.

A central aspect of EarthMover’s security efforts is its vulnerability risk management program, which includes the ability to discover network assets and applications, identify vulnerabilities, provide remediation information and workflow, and then validate that the vulnerabilities have been fixed. Some time ago, EarthMover had manually administered its vulnerability management efforts by gathering software updates and patch information from software and hardware vendors, and then used Microsoft update management software to push patches out to each of its servers and desktops.

This approach kept the credit union’s infrastructure secure, but as the number of newly discovered vulnerabilities announced each week increased, EarthMover found that it needed a more efficient way to find, fix, and validate that ITS systems were secured with the latest patches. That’s when Johnson and her team started evaluating network and vulnerability assessment tools. “I went through my due diligence, and examined many of the tools available at the time,” she says.

Automated and Accurate Vulnerability Management Workflow

The network vulnerability management vendor that stood out was Qualys and its Qualys line of on-demand vulnerability management solutions. Not only did the scans prove to be highly accurate, and provide all of the remediation information the security group needed to fix the vulnerabilities, but Qualys as a company far exceeded Johnson’s expectations. “Qualys went above and beyond the other vendors. It thoroughly demonstrated its service and helped walk me through an actual scan. It spent time teaching me the product. None of the competitors came close. The quality of the product and the demonstration cinched Qualys for me,” she says.

In addition, the competing vendors significantly limited the number of scans EarthMover would have been able to conduct each year. “That just didn’t work for us. You need to run a scan when systems change, when new vulnerabilities are announced, and then another scan to validate everything has been patched. With Qualys, we can run a scan whenever we want. That’s a huge difference.

Today, EarthMover schedules automatic assessments of both its internal and externally-facing networks. "The automatic scheduling helps us to save time, and we don't have to remember to manually run scans," she says. What also saves time, because Qualys is delivered as an on demand Web service, is that all of the software updates and new vulnerability checks are centrally managed and provided by Qualys. As a result, there's virtually no time wasted by Johnson and her team updating, maintaining, and securing traditional software-based scanners.

And the detailed remediation information and insightful reporting that Qualys provides helps save even more time, while also increasing security. “The reporting automatically tracks the number and the severity of vulnerabilities over time, so we always know our level of security,” she says. “It’s a fantastic tool that’s flexible, so we don’t have to change the way we work,” Johnson adds.