Information security controls are an essential part of operations for all financial institutions. Members expect that their local Credit Union is just as secure as the “big bank” located a few hundred feet away in the same parking lot at the mall. The only difference is that the local Credit Union information security budget pales in comparison to the multi million that the big bank will spend.
When a limited budget is combined with a lack of understanding proper security controls, many Credit Unions turn to local consulting companies who often times roll out ineffective “security programs” that can be costly and don’t add much value to increasing their security posture.
Paying a vendor to monitor your IDS and firewall may get you a check mark on this year’s audit (at least for now) but I challenge the fact that it is an effective solution. Every credit union needs an employee on staff that has a deep understanding of information security or at a minimum a vendor or consultant that can steer them in the right direction. If you completely outsource you information security program the balance between operations and security is “broken”.
The key to an effective information security program is to establish clear and open channels of communication between IT and business operations. Operations needs to have confidence that the information security program is not an obstacle but an opportunity to incorporate methodology that will benefit the credit union and its members. Security concepts need to be broken down in terms the business will understand. The main job function of an effective information security manager is to be a sales person for information security. He/she will need to change the way business executives think and make sure security is integrated into their thought process.
I am proud to say that with the support of its executives, TruMark Financial Credit Union has positioned itself as a Credit Union information security leader. My staff and I have spent the last year and a half identifying risk and evaluating products to mitigate those risks. I would like to share our results with you in hopes it will increase the information security posture of the industry to match or exceed that of the “big banks”.
An effective Information security program with mitigating controls does not have to break the bank. Below are 7 common ways data can leak from your organization. I have taken the opportunity to share with you the compensating controls we have implemented which have not only increased out security posture but impressed external auditors and effectively raised the bar across the Credit Union industry.
7 Data Leaks You Can’t Ignore
Leak #1 Sensitive information can leave your organization through USB mass storage devices such as thumb drives, IPODs and Digital cameras or other removable media
Risk Mitigation: Block all USB mass storage devices
Approximate cost for hardware and 300 licenses: $50,000
Implement the Trigeo SIM. Their product comes with USB defender which detaches USB drives when mass storage capability is detected. Their product configuration is very granular so permitting USB license keys or hardware tokens is no problem. The employees also receive a pop-up indicating that the use of USB mass storage devices is prohibited. Trigeo can also be easily configured to send an email notification to any email address you like. This is only one of the many features offered with their product.
Leak #2 Sensitive information can leave your organization when copied to a CD or DVD
Risk Mitigation: disable all burners and remove burning software
COST $0
The solution is 3 fold
• disabling the default windows burning capability through an AD GPO push to all workstations
• Uninstalling all 3rd party burning software
• Removing all employees from the PC local admin group and power users group (best standard practice anyway)
This prevents anyone from copying info to a CD without submitting a formal request to do so. When a legitimate request comes into your ticketing system, you can RDP to their workstation and install the 3rd party software. The software would then be uninstalled when they were finished. Another more manageable option is to assign the CD burning functionality to a smaller group of users which mitigates risk by requiring a “standard” user to go to a trusted employee such as a supervisor to have information copied.
Leak #3 Sensitive information can leave your organization when a laptop is lost or stolen
Risk Mitigation: enable whole disk encryption on all laptops
Approximate cost per laptop: $200
If you are running disk encryption and a laptop is lost or stolen you can rest easy if you have deployed PGP desktop. It will take more than several lifetimes to crack disk encryption even with the right software and computing power to do so. Make sure the password is complex or the encryption is pointless.
Leak #4 Sensitive information can leave your organization when a backup tape is lost or stolen
Risk Mitigation: enable software or hardware tape encryption
Approximate cost per server license: $800
This is a 2 fold solution
• We use the built in encryption option included with Backup Exec 11d.
I have heard engineers express concern with the overhead associated with software based encryption methods but I see no significant difference in the time it takes to write a terabyte to tape with the encryption option enabled. The tapes are then sent off site to Iron Mountain.
• Our core processing system uses Neoscale, a hardware based encryption appliance. The transfer rate is outstanding but that comes with a price tag that may be outside of the budget for smaller credit unions.
Leak #5 Sensitive information can leave your organization by being sent out your internet connection.
Risk Mitigation: enable content packet inspection with the ability to block
Approximate cost: varies based on member records
This is probably the easiest way for an insider to intentionally or accidentally cause a data leak. Most organizations fail to recognize this threat and the “governing bodies of audit” do little to even mention it in their check lists.
• Employees of financial institutions have access to a tremendous amount of sensitive data. It would not be difficult to create a spreadsheet, word document or access data base and attach it to an email destined for a hotmail account. This is also true for files sent to vendors that are part of normal operations. It is imperative that all sensitive information sent from your organization is encrypted. Anything sent out your internet connection in clear text puts your organization and its members at a huge risk and should be blocked from transmission.
• Implement the INTRUSION secure tap appliance. Their product is easy to install, configure and manage. The operational concept is straightforward, export all member records from your core processing system to a delimited file and load the file to the INTRUSION device. The secure tap is inserted between you internet router and external firewall interface. All outbound packets are inspected before they get to your internet router. If information in the internet destined packets matches member records, the packet transmission can be denied. The device can be configured to send an email notification to members of the incident response team.
Leak #6 Sensitive information can leave your organization when a rouge device such as a wireless router, laptop, hub, switch or any other unauthorized device is connected
Risk Mitigation: enable layer 2 access switch port security
COST $0
This is a multi-faceted solution
• All unused access switch ports must be administratively shut down to prevent users from freely connecting devices and obtaining a network IP address.
o Send an email to everyone in your organization requesting that all PCs printers and any other device be left on or they will not have connectivity the next day
o Go through every access switch port in your environment and administratively shut any port that is in the “down down” state.
• Once you have eliminated all unused ports the next step is to enable dynamic mac-address learning for each access port.
o Commands to enable dynamic mac-address learning vary with the Cisco OS on your switches
o The key is to dynamically bind the currently learned mac-address to the switch port so that if it is changed the port automatically shuts off. Here is a sample config:
interface FastEthernet0/19
switchport access vlan 6
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0013.7476.f257
spanning-tree bpduguard enable
o When you enable port security take note that when you do a “show run” the mac-address becomes part of the configuration for that port
o The next step is to examine the number of mac-addresses learned through each port. If you see numerous addresses being learned from a single port you know that a hub or switch is connected to that port. If you have a hub with 6 connections you can configure the switch port to accept a maximum of 6 addresses (or however many you see).
o All ports that show a single mac-address should then have bpduguard enabled. This will tell the switch port to automatically shut down if another switch or router is connected. This makes it virtually impossible for someone to connect a router, switch or hub without your knowledge.
o If you have implemented the TriGeo Sim, setting up notifications on these types of events is a breeze and you can immediately engage the incident response team
Leak #7 Sensitive information can leave your organization when vulnerabilities are discovered and exploited.
Risk Mitigation à perform monthly penetration testing on the internal and external network
Approximate monthly recurring cost: $1,600
3 key aspects need to be addressed here:
• You can’t fix a problem unless you know it exists. My vendor of choice for vulnerability discovery is Digital Defense. There is no need to download your own testing tools because they have just about every aspect covered. They will ship you a preconfigured device that connects to your internal network. It should be placed on your production server VLAN and have unrestricted access into your core network. You can setup your own tests for internal and external testing as frequently as desired. The reports are granular and include instructions on how to remediate or mitigate the discovered vulnerabilities. Also included is a compliance tool that enables you to go through the governing auditing agencies (GLBA, FFEIC, NCUA, etc…) requirements and enter a response. These report can be printed out and handed to the auditors to show you practice due diligence.
• Deploy Windows WSUS and all PC/Server updates are automated. It’s free…
• Deploy an automated antivirus solution for all PC/Servers. My recommendation is Panda.
Matt Roedell
Network & Information Security Manager
TruMark Financial Credit Union
