Client Spotlight:
Home Federal Savings Bank USB Device Security
The emergence of USB mass storage devices has provided an extremely convenient way to save, transfer and share data. It’s amazing that you can easily move gigabytes of information around on a portable device so small it can clip onto a key chain.
However, most security officers wish that this technology did not exist because of the information security risks it presents. Without proper controls, USB devices make it very simple for individuals to save confidential information (potentially entire databases) and walk out the door. Even without malicious intent, these tiny devices are easily misplaced and could wind up in the wrong hands. USB is also a medium that can carry computer viruses, introducing yet another security concern.
Home Federal Savings Bank, headquartered in Rochester, MN, recognized the risks that USB devices present and decided to do something about it. Home Federal Savings is a $1B institution that has 250 employees spread across its 18 branches in southeastern Minnesota and Iowa.
Bobs Hoenisch, Vice President of Technology for Home Federal, led the initiative to implement USB security measures. Below is a Q&A with Bobs about his approach and his results:
What were your drivers for addressing USB device security?
USB devices were being used everywhere within our bank. Having 18 branches and 250 employees, we quickly understood the risks associated with a lack of controls over USBs. Our primary objective was to protect bank data. We also like to stay one step ahead of the examiners and believe they will be looking closely at USB controls in future examinations.
What alternatives/options did you consider?
As we researched the alternatives, we found that one option was to put glue in the USB ports of all of our computers. While that may have been effective eliminating USB concerns elsewhere, that didn’t sound like a good alternative for us.
In addition to USB controls, we also wanted to have centralized logging for all of our network devices. So we narrowed down the list of options to Cisco’s Security Monitoring, Analysis and Response System (MARS) and Trigeo’s Security Information Management and USB Defender.
How did you evaluate the alternatives?
We are a Cisco shop, so we really wanted to select MARS. Cisco sent an engineer to set up a trial for us and gave us 3-4 weeks to play with it. We found that the solution was very robust. It did a great job of locking down the security controls on the PCs and provided centralized logging. But, we could not get it to block USB ports.
Trigeo gave us a 1-month trial, and we scheduled a couple of web conferences with their engineers. Once we received the trial system, we installed it and created rules within 1 hour—even before the scheduled webinars with the engineers.
We found that Trigeo did not give us the workstation lock-down capabilities that the Cisco solution provided, but it gave us centralized logging and the ability to easily manage USB security.
What option did you select?
We selected Trigeo.
How did the implementation go?
By the time our trial was complete, it was already implemented. We kept the trial systems they had sent. We had 4 web conferences with the engineers during setup, but the implementation was smooth.
Were you able to demonstrate an ROI?
We didn’t look at it from an ROI perspective because security controls are difficult to justify in that fashion. For us, the bottom line is that nobody is walking out with our data. TJ Maxx offers a recent example of the negative financial and reputation impact of an information security breach*. You just can’t put a price on that.
* View article
Did you get any negative response internally?
Yes. Some people complained, but after I explained to them why we needed to restrict the use of USB devices, they understood.
Prior to selecting Trigeo, did you have a policy that addressed employee use of USB drives and other devices?
Yes – it was for authorized personnel only, but this was difficult to enforce.
Can anyone in the bank use USB devices now?
We have very limited exceptions. As the Physical Security Officer for the bank, I review all requests. Our accountants can use them when the auditors are in and we also allow use for computer technicians. But USBs never leave the building.
Would you have done anything differently?
I think if we were looking at it again today, the Cisco solution would do what we wanted it to do. I really liked Cisco’s offline capabilities that are not available today in the Trigeo.
So, what are the next security controls that you plan to implement?
We are always analyzing and improving security. Some of our plans include looking at device-based network access controls; setting up a secure wireless network in our bank for guest access; improving e-mail security; adding biometric/fingerprint access controls for our notebooks; and improving our disaster recovery capabilities, especially for our IP telephone system.
