ARLINGTON, Texas – A credit union that has a maximum-security vault to protect its cash and other valuables has absolutely no need for an alarm system or a security guard. True or false? Most people would answer "false" without hesitation, knowing that one security measure without the others leaves the credit union at greater risk of being burglarized.

However, many of these same people may believe their credit union computers and information systems are secure because they have installed firewalls, encryption devices and/or intrusion detection systems (IDSs). This is a dangerous presumption, Bruce Schneier, CTO and founder of Counterpane Internet Security, Inc., told TechMecca 2001 participants. Technology is not the answer to Internet security. Security must be a process that combines protection, detection and response to mitigate risk.

"Software is just too easy to fool. Software doesn't think, doesn't question, doesn't adapt. Without people, computer security software is just a static defense. Marry software with human beings who are experts in detecting security breaches, and you have a whole different level of security," Schneier said. "Systems should be vigilantly monitored 24/7 by people who know what they're doing. Quick detection and response can make up for mediocre protection."

As software becomes more complex and interconnected, it becomes easier to hack. Security vulnerabilities are programming mistakes, and most software has about 1,000 of them, according to Schneier. Once a vulnerability is announced, the software vendor usually issues a patch to correct the problem. Unfortunately, companies have to know about the patch and install the patch before it can work. And staying current on the massive number of software patches released is virtually impossible, he said. Schneier suggested that software companies should be held liable for distributing problem software. Liability would force software quality.

Most attacks on the Internet are vandalistic in nature, rather than profit-driven, Schneier said. Prosecution of these cyber criminals would lead to deterrence, but most companies don't report attacks on their systems because of the stigma associated with having an "insecure" operation. But the benefits of being online outweigh the risks, so financial institutions need to learn to manage the risk. Just as vaults, alarm systems and security guards can reduce exposure to burglars, the layered protection/detection/response process can reduce credit union computer systems' exposure to would-be hackers.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.