Bank of America, which recently acquired Countrywide Home Financial, is dealing with a very significant security breach that occurred on Countrywide’s watch. One of its employees, Rene Rebollo was recently arrested and charged for systematically copying around 2 million records onto a thumb drive. How is it that he managed to do this when all Countrywide PCs “had technology in place to disable flash drives on employee computers”? He used a different computer!

Rene would have had to work a lot harder at his USB thumb drive based theft if Countrywide had deployed some technology to keep unknown machines off its LAN. The most basic approach limits admission to machines that are part of their Windows domains.

Today’s enterprise, however, requires access to networked resources for contractors and others with their own PCs. The Countrywide administrators could have created non-domain credentials for these guest workers. The individual server applications would refer to any one or more of a variety of tools in the typical enterprise to handle these authentications between the individual server applications and the endpoints/end-users.

This provides nice but not great compartmentalization. It does not prevent machines from sending malicious data to the application servers or other client machines. It also does not prevent eavesdropping.

Administrators could implement a more robust form of compartmentalization involving 802.1x via their Ethernet switches. This enables the Ethernet switches to regulate what part of the network a particular PC may utilize based on the identity of the end-user or machine.

Unfortunately, 802.1x can only limit network admission based on who the machine or end-user is, not what is the apparent risk of that machine being on the network. If a machine has absolutely no preventative measures in place to mitigate important security risks, then it should not be admitted.

So, Countrywide had employed technology on all employee PCs to disable USB storage devices. Clearly they were concerned with data leaks. So, this implies that they would not want machines with enabled USB storage capabilities onto their LAN.

Network admission control (NAC) is an excellent technology for satisfying such a risk mitigation policy. I recommend Microsoft NAP because it scales better than alternatives, requires less infrastructure upgrades (if any) than alternatives, and it’s extremely extensible.

To those charged with reducing the risks of data leaks, you require two hammers. One resides on each PC to disable or regulate write-operations to USB thumb drives. The second hammer, NAP, prevents endpoints without the first hammer from accessing networked resources.

Posted: Monday, August 11th, 2008 - Network Security
RSS 2.0 - Comment - Trackback