Wed, Aug 29, 2007 13:40 EDT

Information Security: 7 Data Leaks You Can't Ignore

Posted by: mattroedell in Best Practices

Topic: Architecture

Current Rating: Comments: 14

Information security controls are an essential part of operations for all financial institutions. Members expect that their local Credit Union is just as secure as the “big bank” located a few hundred feet away in the same parking lot at the mall. The only difference is that the local Credit Union information security budget pales in comparison to the multi million that the big bank will spend.

When a limited budget is combined with a lack of understanding proper security controls, many Credit Unions turn to local consulting companies who often times roll out ineffective “security programs” that can be costly and don’t add much value to increasing their security posture.

Paying a vendor to monitor your IDS and firewall may get you a check mark on this year’s audit (at least for now) but I challenge the fact that it is an effective solution. Every credit union needs an employee on staff that has a deep understanding of information security or at a minimum a vendor or consultant that can steer them in the right direction. If you completely outsource you information security program the balance between operations and security is “broken”.

The key to an effective information security program is to establish clear and open channels of communication between IT and business operations. Operations needs to have confidence that the information security program is not an obstacle but an opportunity to incorporate methodology that will benefit the credit union and its members. Security concepts need to be broken down in terms the business will understand. The main job function of an effective information security manager is to be a sales person for information security. He/she will need to change the way business executives think and make sure security is integrated into their thought process.

I am proud to say that with the support of its executives, TruMark Financial Credit Union has positioned itself as a Credit Union information security leader. My staff and I have spent the last year and a half identifying risk and evaluating products to mitigate those risks. I would like to share our results with you in hopes it will increase the information security posture of the industry to match or exceed that of the “big banks”.

An effective Information security program with mitigating controls does not have to break the bank. Below are 7 common ways data can leak from your organization. I have taken the opportunity to share with you the compensating controls we have implemented which have not only increased out security posture but impressed external auditors and effectively raised the bar across the Credit Union industry.

7 Data Leaks You Can’t Ignore

Leak #1
Sensitive information can leave your organization through USB mass storage devices such as thumb drives, IPODs and Digital cameras or other removable media
Risk Mitigation -> Block all USB mass storage devices
Approximate cost for hardware and 300 licenses -> $50,000
Implement the Trigeo SIM. Their product comes with USB defender which detaches USB drives when mass storage capability is detected. Their product configuration is very granular so permitting USB license keys or hardware tokens is no problem. The employees also receive a pop-up indicating that the use of USB mass storage devices is prohibited. Trigeo can also be easily configured to send an email notification to any email address you like. This is only one of the many features offered with their product.

Leak #2
Sensitive information can leave your organization when copied to a CD or DVD
Risk Mitigation -> disable all burners and remove

You do not have flash or javascript support.

Average (3 votes)

All Comments Comments

Tue, Sep 4, 2007 15:57 EDT

Layer 2 Cost Effective Mitigation

Posted by: mattroedell
Rating:

The point of this article is cost effective mitigation for those with a limited budget. Enabling port security costs nothing and weeds out the majority of your "end users". With a simple(and free) port secure implementaion you SUBSTANTIALLY mitigate impact from vendors and end users. While no control is fool proof, it makes sense to mitigate risk whenever you can. if you were to do any of the following on my network; ARP Poisoning, MAC Flooding, MAC Cloning, port stealing, DoS, and ARP spoofing" your port would be immediately disabled (actually...before you had a chance to do any of it).

The probelm is that most companies do NOTHING at all to defend the access port level. Some of these companies are fortune 500's with tremendous amounts of sensitive data that anyone on the inside can simply walk out with. I present a FREE way to do somthing to MINIMIZE the damage that is very effective.

You do not have flash or javascript support.

Reply to this comment | Post new comment | Report as spam

Tue, Sep 25, 2007 2:22 EDT

Information Security: 7 Data Leaks You Can't Ignore

Posted by: Salman
Rating:

Really, this is article contains valuable information which I urge every organization to implement or at least consider to perform a feasibility study on each point in order to feel secure.

Wish Matt all the success in his career.

Salman

You do not have flash or javascript support.

Reply to this comment | Post new comment | Report as spam

Tue, Sep 25, 2007 7:26 EDT

8th Risk and Beyond

Posted by: Anonymous
Rating:

The 8th risk is allowing your employees to go home at night. Sensitive company information may leave in their memory, on notes handwritten and stored in pockets, wallets, purses. Does the cost of one dishonest, rogue employee really merit disabling all of the capabilities that modern science has developed? Where is the 'risk assessment' in all of this?, rather than just suggesting the means to disable the world. Employees have stolen merchandise (to include data, corporation secrets, etc. for years) and they have wasted time in the hallways or backroom closets chit-chatting and how knows what. It's time to modernize our education processes at the office, encourage good behavior, maybe exhibit some employer-to-employee loyalties. The 'disabling' approach, to me, is kind of like solving the challenges of adolescence by locking our teenagers away for about eight years so that they can't get in trouble. That would be the easy, yet very unproductive approach. Guess Macgregor's Theory X and Y theories are alive and well in the land of IT security.

You do not have flash or javascript support.

Reply to this comment | Post new comment | Report as spam

Tue, Sep 25, 2007 14:38 EDT

One flaw in not allowing

Posted by: Anonymous
Rating:

One flaw in not allowing users to implement their own network hardware (hubs, switches, etc) is that most IP phones have a switch built in. I do agree with the one review that took issue with disabling USB and CD drives; increased security = decreased productivity. Great article, otherwise.

You do not have flash or javascript support.

Reply to this comment | Post new comment | Report as spam

Sat, Sep 29, 2007 22:32 EDT

One flaw in not allowing - author reply

Posted by: mattroedell
Rating:

If there is a legitimate business need for a switch at a users desk, all you have to do is remove bpduguard and add add the mac addresses to the switchport config using the "sticky" command. As far as hubs go...they should be replaced with a small switch. You still wind up with an additional layer of security.

You do not have flash or javascript support.

Reply to this comment | Post new comment | Report as spam

Post new comment

* Subject:

* Username:

* E-mail:

The content of this field is kept private and will not be shown publicly.

Homepage:

* Body:

Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <blockquote> <strike> <p> <br>
Lines and paragraphs break automatically.

More information about formatting options

Are you a person?: *