bankcda, in Coeur d'Alene, Idaho, finds the middle way between draconian and laissez-faire security policy enforcement.
Although bankcda, a ten-year-old community bank based in Coeur d'Alene, Idaho, is vigilant about using software tools to protect data, information security officer Stuart Gant says the bank tries to find moderate ground between draconian and laissez-faire security policy enforcement. "It's a delicate balance between security and convenience," Gant says. "Sometimes that means allowing some holes to be open, as long as you can monitor them, or closing some holes because they present too much risk."
The bank thwarted a recent hacking attack with the use of network monitoring software. An outside consultant had accidentally misconfigured SSH access to the bank's firewall, leaving a port wide open. A hacker used an automated tool to guess SSH credentials, but the bank's network monitoring software, TriGeo SIM, detected the aberrant activity, actively blocked the hacker from gaining access and alerted Gant to what was happening, all in real time. "This allowed me to take immediate action to thwart the attack," he says.
The consultant was forgiven. "Nobody's perfect, things happen," Gant says.
Hacking is one of the two types of information security threats Gant worries most about. The other is internal data leakage and inadvertent security violations.
The first step for a hacker, Gant points out, is typically a port scan of a network, to look for open ports. The TriGeo software alerts the bank to any port scans that take place as well as dictionary attacks, in which hackers attempt to guess passwords. "We weren't ever in any danger because we have good credentials and strong passwords," Gant says. "But the fact that they were able to do that was alarming."
The insider threat arises when employees deliberately, though not maliciously, leak data or violate a security rule. "Some people don't pay attention to policies well, they want to do what they want to do," Gant observes.
To prevent employees from removing sensitive files from the bank by saving them to a flash drive, bankcda uses the TriGeo USB-Defender product. "Each computer has an agent on it that launches when the USB device is plugged in," Gant relates. He has created a list of approved devices that may be plugged in; everything else is rejected automatically. This helped the bank evade the Conficker worm, which spread across millions of computers in 2009, partly by way of thumb drives.
To prevent employees from emailing sensitive files, Gant has limited webmail access and monitors internal email.
The network monitoring software catches instances of employees downloading software without permission. One person installed Skype, which carries many security vulnerabilities in a bank environment. The system detected the software installation and sent Gant an email. "I was able to respond to it first thing in the morning," he says. "I enjoy the ability to know what's going on in my network, from firewalls to routers to PCs."
The TriGeo appliance is not plug and play; it takes some time and effort to configure. But within a few hours Gant had greater visibility into his network, and within a few weeks he had much greater control as well. He says the vendor's training was helpful and that he was able to make decisions and set rules and alerts during the training.
But Gant isn't overzealous about rule-setting. "The software has the capability to automatically block an IP address if it detects a port scan," he notes. "However, the way I choose to do it is I watch for port scans and have alerts sent to my phone, so if I see a rash of port scans, I can log into the system from home or log in to my firewall and do a block IP manually." This is because some port scans are directed by someone within the bank and "I don't want the system to go crazy and start blocking all these IP addresses all of a sudden," he says. "I think it's better to exercise some element of human control over it."
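The detection-and-response pattern the article describes, a SIEM spotting an SSH dictionary attack and the operator choosing between automatic blocking and a manual decision, can be sketched in a few lines. This is an added example, not code from the article or from TriGeo; the sshd log format, the internal address ranges, the four-failure threshold and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines behind an ISO timestamp (log format is an assumption).
FAILED = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# Ranges treated as the bank's own network (assumed; the article names none).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sshd-style sample: an external dictionary attack on the firewall,
# an internal burst of failures, and a staff member who mistypes once.
SAMPLE_LOGS = """\
2024-03-01T02:14:01 fw sshd[811]: Failed password for invalid user admin from 203.0.113.45 port 50211 ssh2
2024-03-01T02:14:03 fw sshd[812]: Failed password for root from 203.0.113.45 port 50213 ssh2
2024-03-01T02:14:04 fw sshd[813]: Failed password for invalid user test from 203.0.113.45 port 50215 ssh2
2024-03-01T02:14:06 fw sshd[814]: Failed password for invalid user oracle from 203.0.113.45 port 50218 ssh2
2024-03-01T09:30:00 fw sshd[900]: Failed password for sgant from 10.1.2.7 port 41000 ssh2
2024-03-01T09:30:05 fw sshd[901]: Accepted password for sgant from 10.1.2.7 port 41001 ssh2
2024-03-01T11:00:00 fw sshd[950]: Failed password for svc from 10.1.2.9 port 41100 ssh2
2024-03-01T11:00:20 fw sshd[951]: Failed password for svc from 10.1.2.9 port 41101 ssh2
2024-03-01T11:00:40 fw sshd[952]: Failed password for svc from 10.1.2.9 port 41102 ssh2
2024-03-01T11:01:00 fw sshd[953]: Failed password for svc from 10.1.2.9 port 41103 ssh2
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect_dictionary_attacks(lines, threshold=4, window=timedelta(minutes=2)):
    """Map source IP -> action for sources with `threshold` failed SSH logins inside
    `window`: "block" external sources, "alert" internal ones so a person decides."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            failures[m["ip"]].append(datetime.fromisoformat(m["ts"]))
    findings = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window over consecutive failures from the same source.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings[ip] = "alert" if is_internal(ip) else "block"
                break
    return findings

if __name__ == "__main__":
    print(detect_dictionary_attacks(SAMPLE_LOGS.splitlines()))
```

The single mistyped password from the internal workstation never reaches the threshold, while the internal burst is surfaced as an alert rather than an automatic block, which is the human-in-the-loop choice Gant describes for scans that originate inside the bank.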