You Vs. the Users

Battle Strategies for Securing Data at Risk on Unsecured Devices Itâs hard enough to secure the data you control. But how about when your employees are running around plugging in unapproved USB drives into computers and sending out unencrypted sensitive information in emails to customers, putting your institution at risk for a data breach?

The battle of the information endpoints is being fought on a long front, but through a combination of technology solutions and policy enforcement, the scourge of data leaks and infected files can be contained.

See Also: Webinar | The Future of Adaptive Authentication in Financial Services

The Problem
A recent study by Ponemon Institute (www.ponemon.org ) finds that:

  • 62% of respondents are unsure if their off-network equipment (such as external drives, laptops and USB drives) contains unprotected sensitive information;

  • 39% donât view management of such devices as critical;

  • 30% say they would never be able to detect the loss or theft of confidential data from off-network equipment.

Keith Gienty, Director of Information Technology at Northwest Corporate Credit Union, (http://www.nwcorporate.org/), sees many of these same off-network problems in his IT operations. Northwest Corporate CU, based in Portland, OR, hosts more than 100 credit unions on its network, and runs their online banking from their site. Endpoint areas that cause some headaches for Gienty include USBs.

To fight the problem, Gienty placed controls on USB drives by monitoring them through active directory. â-Weâre not as strict as some institutions, so the hardest part of the monitoring is determining the difference between a mouse or keyboard being plugged in, and a USB or external drive being plugged in,â" Gienty says.

To illustrate the danger of off network devices such as USBs, Gienty explains, â-If I were a hacker and I wanted to infiltrate a financial institutionâs network, Iâd leave a 16 gigabyte USB on the counter in the executive washroom. A CEO or CFO walks in, grabs it up, plugs it into their PC, and Iâm able to get into their PC, and then the network.â"

While he adds that he would hope executives would be wiser than this, â-Unfortunately, that isnât always the case.â"

Public Enemy #1: The Laptop
Gienty studied where data protection was weakest at the credit union, and saw that laptops posed a grave danger. One step to mitigate that risk came when Gienty convinced his senior management to encrypt every laptop being used at the institution. The credit union now encrypts all laptops with hardware-level encryption.

This approach has advantages and disadvantages, Gienty explains, â-No one can access the information if the laptop is stolen. The down side is if some part of the operating system goes bad, you canât get any data off of the laptop, even by using a data recovery service.â"

Gientyâs convincing line to his senior management was, â-I never want to have to report to the news media (or to our board) that one of our laptops was stolen and that customer information was breached.â"

â-Once they realized the implications and cost savings of prevention,â" he says, â-the approval to buy the encryption software came pretty quickly.â"

Alan McHugh, Manager of Information Technology at United States Postal Service Federal Credit Union, also has utilized a combination of technological solutions and enforcement of policy to lock down data at the credit unionâs branches in five states.

â-What originally brought on the need to examine our endpoint security was an NCUA examination,â" McHugh says. â-The examiner was pleased with our external firewall, but said we needed a total forensics trail from the firewall into the credit union. He wanted it to go all the way to the desktop.â"

The credit union has initiated a monitoring tool on its network to detect the use of any external device on the network. This same tool allows McHugh to monitor usersâ activities as well, he says.

What About Your Vendors?
Are your vendors that perform outsourcing services also keeping an eye on their endpoints?

You will want to verify that the information security standards you insist on at your institution are also being observed by your vendors. Keeping your guard up also includes monitoring the security practices of business partners. Most institutions outsource both onshore and offshore. While onshore outsourcers are subject to compliance with the same U.S. privacy laws to which institutions are subject, offshore outsourcers may have different requirements.

Endpoints and the Big Picture
When grappling with the enormous responsibility of securing sensitive data, information security departments must identify all the areas where data is stored. â-The greatest threat today in banking and finance with regard to information security is the potential for exposure of customer information, the risk of data being stolen, data being lost, data being exposed in some fashion,â" says American Savings Bankâs vice president Ken Newman.

As head of security at the bank he notes, â-Itâs what every financial institution has to face, because customer information exists in so many places, it can exist in so many different applications, so many different day repositories, individual servers, individual laptops, e-mail accounts, PDAs, cell phones. The list goes on and on, all the places where a financial institution can maintain information with regard to its customers.â"

See: Tips for the Endpoint Warrior


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.