You Vs. the Users
Battle Strategies for Securing Data at Risk on Unsecured Devices
It’s hard enough to secure the data you control. But what about when your employees are plugging unapproved USB drives into computers and sending unencrypted sensitive information to customers by email, putting your institution at risk of a data breach?
The battle of the information endpoints is being fought on a long front, but through a combination of technology solutions and policy enforcement, the scourge of data leaks and infected files can be contained.
A recent study by Ponemon Institute (www.ponemon.org) finds that:
- 62% of respondents are unsure if their off-network equipment (such as external drives, laptops and USB drives) contains unprotected sensitive information;
- 39% don’t view management of such devices as critical;
- 30% say they would never be able to detect the loss or theft of confidential data from off-network equipment.
Keith Gienty, Director of Information Technology at Northwest Corporate Credit Union (http://www.nwcorporate.org/), sees many of these same off-network problems in his IT operations. Northwest Corporate CU, based in Portland, OR, hosts more than 100 credit unions on its network, and runs their online banking from their site. Endpoint areas that cause some headaches for Gienty include USBs.
To fight the problem, Gienty placed controls on USB drives by monitoring them through Active Directory. “We’re not as strict as some institutions, so the hardest part of the monitoring is determining the difference between a mouse or keyboard being plugged in, and a USB or external drive being plugged in,” Gienty says.
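The mouse-versus-drive distinction can be made from the USB class code each device reports: 03 is a human interface device (keyboard, mouse) and 08 is mass storage. The following is an added illustration, not the credit union's tooling; the event records are constructed, and each record is assumed to carry the Windows-style compatible IDs of every interface on one physical device.

```python
import re

# USB-IF base class codes that matter for this triage.
HID, MASS_STORAGE = 0x03, 0x08
CLASS_RE = re.compile(r"USB\\Class_([0-9A-Fa-f]{2})")

def interface_classes(compatible_ids):
    """Collect the USB class codes named in a device's compatible IDs."""
    found = set()
    for cid in compatible_ids:
        m = CLASS_RE.match(cid)
        if m:
            found.add(int(m.group(1), 16))
    return found

def classify(compatible_ids):
    """Return 'storage', 'input' or 'other' for one connected device."""
    classes = interface_classes(compatible_ids)
    if MASS_STORAGE in classes:
        # Checked first so a device exposing HID *and* storage is not
        # waved through as a keyboard.
        return "storage"
    if classes == {HID}:
        return "input"
    return "other"

def storage_alerts(events):
    """List (host, device) pairs that need review as removable storage."""
    return [(e["host"], e["device"]) for e in events
            if classify(e["ids"]) == "storage"]

# Constructed sample records (host names and descriptions are made up).
EVENTS = [
    {"host": "TELLER-01", "device": "USB optical mouse",
     "ids": [r"USB\Class_03&SubClass_01&Prot_02", r"USB\Class_03"]},
    {"host": "TELLER-02", "device": "USB flash drive",
     "ids": [r"USB\Class_08&SubClass_06&Prot_50", r"USB\Class_08"]},
    {"host": "EXEC-03", "device": "Keyboard with built-in storage",
     "ids": [r"USB\Class_03&SubClass_01&Prot_01",
             r"USB\Class_08&SubClass_06&Prot_50"]},
    {"host": "LOAN-04", "device": "USB headset",
     "ids": [r"USB\Class_01&SubClass_01&Prot_00"]},
]

if __name__ == "__main__":
    for host, device in storage_alerts(EVENTS):
        print(f"review: {host} connected {device}")
```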
To illustrate the danger of off-network devices such as USBs, Gienty explains, “If I were a hacker and I wanted to infiltrate a financial institution’s network, I’d leave a 16 gigabyte USB on the counter in the executive washroom. A CEO or CFO walks in, grabs it up, plugs it into their PC, and I’m able to get into their PC, and then the network.”
While he adds that he would hope executives would be wiser than this, “Unfortunately, that isn’t always the case.”
Public Enemy #1: The Laptop
Gienty studied where data protection was weakest at the credit union, and saw that laptops posed a grave danger. One step to mitigate that risk came when Gienty convinced his senior management to encrypt every laptop being used at the institution. The credit union now encrypts all laptops with hardware-level encryption.
This approach has advantages and disadvantages, Gienty explains: “No one can access the information if the laptop is stolen. The downside is if some part of the operating system goes bad, you can’t get any data off of the laptop, even by using a data recovery service.”
Gienty’s convincing line to his senior management was, “I never want to have to report to the news media (or to our board) that one of our laptops was stolen and that customer information was breached.”
“Once they realized the implications and cost savings of prevention,” he says, “the approval to buy the encryption software came pretty quickly.”
Alan McHugh, Manager of Information Technology at United States Postal Service Federal Credit Union, also has utilized a combination of technological solutions and enforcement of policy to lock down data at the credit union’s branches in five states.
“What originally brought on the need to examine our endpoint security was an NCUA examination,” McHugh says. “The examiner was pleased with our external firewall, but said we needed a total forensics trail from the firewall into the credit union. He wanted it to go all the way to the desktop.”
The credit union has initiated a monitoring tool on its network to detect the use of any external device on the network. This same tool allows McHugh to monitor users’ activities as well, he says.
What About Your Vendors?
Are your vendors that perform outsourcing services also keeping an eye on their endpoints?
You will want to verify that the information security standards you insist on at your institution are also being observed by your vendors. Keeping your guard up also includes monitoring the security practices of business partners. Most institutions outsource both onshore and offshore. While onshore outsourcers are subject to compliance with the same U.S. privacy laws to which institutions are subject, offshore outsourcers may have different requirements.
Endpoints and the Big Picture
When grappling with the enormous responsibility of securing sensitive data, information security departments must identify all the areas where data is stored. “The greatest threat today in banking and finance with regard to information security is the potential for exposure of customer information, the risk of data being stolen, data being lost, data being exposed in some fashion,” says American Savings Bank’s vice president Ken Newman.
As head of security at the bank he notes, “It’s what every financial institution has to face, because customer information exists in so many places, it can exist in so many different applications, so many different day repositories, individual servers, individual laptops, e-mail accounts, PDAs, cell phones. The list goes on and on, all the places where a financial institution can maintain information with regard to its customers.”