NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 CIO BlackBerry News and Tips
 CIO Research and Analysis
 CIO Microsoft
 CIO Insider
More Newsletters | Edit Profile
 
RSS Feeds »
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

Subscription Services »
Reprints »

 


Wed, Aug 29, 2007 13:40 EDT

Information Security: 7 Data Leaks You Can't Ignore

Posted by: mattroedell in Best Practices

Topic: Architecture

Current Rating: 5 Comments: 14

Information security controls are an essential part of operations for all financial institutions. Members expect that their local Credit Union is just as secure as the “big bank” located a few hundred feet away in the same parking lot at the mall. The only difference is that the local Credit Union information security budget pales in comparison to the multi million that the big bank will spend.

When a limited budget is combined with a lack of understanding proper security controls, many Credit Unions turn to local consulting companies who often times roll out ineffective “security programs” that can be costly and don’t add much value to increasing their security posture.

Paying a vendor to monitor your IDS and firewall may get you a check mark on this year’s audit (at least for now) but I challenge the fact that it is an effective solution. Every credit union needs an employee on staff that has a deep understanding of information security or at a minimum a vendor or consultant that can steer them in the right direction. If you completely outsource you information security program the balance between operations and security is “broken”.

The key to an effective information security program is to establish clear and open channels of communication between IT and business operations. Operations needs to have confidence that the information security program is not an obstacle but an opportunity to incorporate methodology that will benefit the credit union and its members. Security concepts need to be broken down in terms the business will understand. The main job function of an effective information security manager is to be a sales person for information security. He/she will need to change the way business executives think and make sure security is integrated into their thought process.

I am proud to say that with the support of its executives, TruMark Financial Credit Union has positioned itself as a Credit Union information security leader. My staff and I have spent the last year and a half identifying risk and evaluating products to mitigate those risks. I would like to share our results with you in hopes it will increase the information security posture of the industry to match or exceed that of the “big banks”.

An effective Information security program with mitigating controls does not have to break the bank. Below are 7 common ways data can leak from your organization. I have taken the opportunity to share with you the compensating controls we have implemented which have not only increased out security posture but impressed external auditors and effectively raised the bar across the Credit Union industry.

7 Data Leaks You Can’t Ignore

Leak #1
Sensitive information can leave your organization through USB mass storage devices such as thumb drives, IPODs and Digital cameras or other removable media
Risk Mitigation -> Block all USB mass storage devices
Approximate cost for hardware and 300 licenses -> $50,000
Implement the Trigeo SIM. Their product comes with USB defender which detaches USB drives when mass storage capability is detected. Their product configuration is very granular so permitting USB license keys or hardware tokens is no problem. The employees also receive a pop-up indicating that the use of USB mass storage devices is prohibited. Trigeo can also be easily configured to send an email notification to any email address you like. This is only one of the many features offered with their product.

Leak #2
Sensitive information can leave your organization when copied to a CD or DVD
Risk Mitigation -> disable all burners and remove

You do not have flash or javascript support.
Average (3 votes)
5
comment icon Reply
 
All Comments Comments
 
Thu, Aug 30, 2007 5:35 EDT
Data Leaks You Can't Ignore
Posted by: abdhiraj
Rating: 56.6667

Managing Central protection and administration of confidential, enterprise-critical data is bit difficult.

But here are some tips:

1/ Install a solution by which Vital confidential data can be handled, Only authorized users can access, according to fixed rules, Transfer of such data follows clear policies Secure encryption algorithms protect data

2/ Flexible encryption management gives authorized parties permission to define, update or delete encryption keys. Encryption keys can be given to others,
e.g. individual employees and work- groups. Key use is supported by password and public key systems

3/ Encrypted directories are constantly monitored and unencrypted files automatically encrypted

4/ Secure server: file or web server for central storage of sensitive data User management server: Active Directory for user and policy management Management server: for policy settings and log management.....

You do not have flash or javascript support.
 
Thu, Aug 30, 2007 7:48 EDT
Encryption does not prevent the authorized user from decrypting
Posted by: mattroedell
Rating: 90

Encryption is great and I am a firm beliver that all sensitive data should be encrypted while at reast and in motion. Data encryption does not prevent an employee with proper access from removing data with a USB key, sending it as an email attachment or shooting it out to an FTP site. Encryption is a great additional layer of security but mitigating the 7 risks in this article are of the gravest importance. Encryption does not prevent the authorized user from decrypting the file, saving it to their desktop (or whereever) and transporting the data.

You do not have flash or javascript support.
 
Thu, Aug 30, 2007 9:05 EDT
Info Security: 7 Data Leaks You Can't Ignore
Posted by: Mark Cummuta
Rating: 90

Matt,

Great article! Lots of ideas, specific methods and products, even cost estimates.  Nicely done! 

Mark Cummuta

You do not have flash or javascript support.
 
Thu, Aug 30, 2007 9:12 EDT
Mark, Thanks for the
Posted by: mattroedell
Rating: 90

Mark,

Thanks for the positive feedback!
I think my next article will focus a "fool proof" methodology to get funding for information security products.

-Matt

You do not have flash or javascript support.
 
Tue, Sep 4, 2007 14:24 EDT
Layer 2 Security has Vulnerabilities
Anonymous user
Posted by: Anonymous
Rating: 40

There are several vulnerabilies with Layer 2 security; ARP Poisoning, MAC Flooding, MAC Cloning, port stealing, DoS, and ARP spoofing.

Avoid a false sense of security by mitigating these threats!

Check out "Securing Layer 2 in Local Area Networks" and "LAYER 2 SECURITY INTER-LAYERING IN NETWORKS" at the following URLs for more info...

http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/altunbasak_ICN2005.pdf

http://etd.gatech.edu/theses/available/etd-11172006-130414/unrestricted/altunbasak_hayriye_c_200612_phd.pdf

You do not have flash or javascript support.

Post new comment

* Subject:
* Username:
* E-mail:
The content of this field is kept private and will not be shown publicly.
Homepage:
* Body:
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <blockquote> <strike> <p> <br>
  • Lines and paragraphs break automatically.
More information about formatting options

* Denotes required field.
Start a Conversation
Click to post

Got something to say? We want to hear it! Click the Post button to get started. GO»

EXPERT ADVICE
See our roster of experts.

Advice & Opinion from more than 113 of IT's most insightful thinkers.

  PARTNERS       WEBCASTS    
 

Windows 7 Webcast Series

There's a lot of buzz about Windows 7 out there. Each month in our webcast series, listen to analysts and customers discuss how Windows 7 and the Windows Optimized Desktop is impacting large companies around the world. Learn how they evaluated Windows 7, including the cost of deployment, deployment strategies, and tangible benefits.

Sponsored by Microsoft  Listen to on-demand Recordings »

 

Service Level Management Best Practices Life Cycle Overview - Improve Service Levels

Best practices for Service Level Management (SLM) is a process for consistently meeting customer requirements and delivering on IT's promises. See the steps required to ensure high-quality SLM.

Sponsored by Compuware  Read this White Paper »

 

Keeping Your Members Safe from Online Scams and Predators

In order to keep fraudsters out, romance sites must deploy effective solutions that look at information independent of what is supplied by users. A device fingerprinting solution such as iovation ReputationManager™ provides unique insight into the computers being used to create multiple accounts and exposes hidden device-account relationships that identity-based fraud solutions often miss.

Sponsored by iovation  Read this White Paper »

More Partners »
Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

More Podcasts »
Resource Alerts

Get instant email notification when white papers, webcasts, and case studies are added to our library. Don't just be up-to-date—be up to the minute with our new Resource Alerts.

Defend Against Blended Threats: What You Need to Know

Blended Web and email threats are becoming increasingly complex and represent a huge...  View Now »

 

Prescriptive Actions to Reduce Risk

In this Webcast, learn best practices for effective systems management in a heterogeneous environment and keep client systems cost under control.   View Now »

 

Webcast- Vantage 11: Redefining Application Performance Management

Compuware's latest release, Vantage 11, is a major advance in end-to-end application performance management--bringing together proactive issue identification, quantification of business impact and problem resolution into a single solution. Tune in to learn how Vantage 11's top-down approach helps you make better decisions and dramatically lower operations costs.  View Now »

More Webcasts »
Resource Alerts

Get instant email notification when white papers, webcasts, and case studies are added to our library. Don't just be up-to-date—be up to the minute with our new Resource Alerts.

 
NEWSLETTER

Sign-up for the Blogs & Discussion Newsletter

 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

Return on Information: Google Enterprise Search pays you back. Get the facts.

VMware. The source for Business Infrastructure Virtualization.

ShoreTel tells businesses to untangle from competitors' complexity and turn to its brilliantly simple UC solution

See how AT&T can help protect your network.

Streamline IT Costs. Boost Performance with WAN Optimization.

Build your 1st app FREE with Force.com

TDWI checklist helps define data readiness for analytics. Download report.

A Clear View Toward Virtualization

Virtualization Technology as a Business Solution

The rules of infrastructure management just changed.

A Clear View Toward Virtualization

Interactive Q&A helps you discover key ways to maximize IT assets.

Ready to virtualize tier one applications? Check your virtualization maturity.

Think you can't afford a Cisco Switch? Cisco Catalyst Switches are now more affordable.

Five minute business analytics assessment. Immediate results.

The Case for Investing in Business Analytics Technology. Read white paper.

Upgrading to VMware vSphere with vWire

Top 10 Lessons Learned for Corporate 3G Mobile Broadband Deployments

CRM Built for IT: The Executive Guide to Selecting CRM that Meets IT Needs

Return on Information: Google Enterprise Search pays you back

ROI of Application Delivery Controllers

Making Consumer Two-Factor Authentication Simple and Cost-Effective

Mining the Cloud to Ease the Enterprise Compliance Burden

Solve Five Key IT Security Challenges with Cloud-Based Authentication

White Paper: Right-Sizing Your Power Infrastructure

AT&T Synaptic Storage as a Service. Expand on demand

Trend Micro ranked #1 against real-world malware. Read more.

Webinar: Jump-start your in-house e-discovery with Ringtail QuickCull from FTI Technology

Top Five CIO Challenges

Read the RSA report: Security for Business Innovation

64-page prescriptive guide to security, compliance, and IT operations.

Increase UPS efficiency without sacrificing protection.

eZine: A Roadmap to Reducing IT Complexity

Reduce risk, gain agility. See how Progress can help your business.

Virtualization Technology as a Business Solution

eZine: A Roadmap to Reducing IT Complexity

World-class trading technology solutions from NYSE Technologies.

If You're Paying for Telecom, You're Paying Too Much. Contact Asentinel Today.

Trade-In your old printer and save up to $1,000 plus free recycling!

infoBOOM! - The Mid-Sized Company CIO's Exclusive Community

Live Webinar: Applying Business Analytics. Click here to learn more

Removing Barriers To Better Server Virtualization Efficiency

4G Revisited. The Continued Evolution of Wireless Mobility.

What's Next for Enterprise Resource Planning?

Maximizing website Return on Information with high-quality search

Gartner Magic Quadrant, Application Delivery Controllers 2009

Authentication as a Service by Forrester Research

Cloud-Based Authentication for Next-Generation Extranets

Cut Costs & Green Your IT Operations with PC Power Management

White Paper: 4 Customer Service Myths