
USB drive security project protects endpoints, aids CoCo compliance

By Ron Condon, U.K. Bureau Chief
01 Jul 2009 | SearchSecurity.co.uk


A rash of press stories about USB drive security and lost devices convinced Vernon Coles, principal IT security officer for Caerphilly County Borough Council, that his own organisation should do something about the growing use of memory sticks for storing and transferring information.

Not that Caerphilly Council took information security lightly. The council had become only the second in the U.K. to achieve BS 7799 (now ISO 27001) security accreditation back in 2006, and the organisation was already a big user of McAfee Inc. products to protect the 9,000 computers for which it is responsible on its own network and in local schools. It also uses McAfee's Safeboot product for encryption on the council's 900 laptop machines.

Coles looked at available endpoint protection products in 2006, but found the available products lacking.

"We had just been accredited for BS 7799, and having got best practices in place, we wanted to make the infrastructure more secure," he said. "At that stage, the available endpoint protection products were not very mature," which led them to delay the project.

But the rising tide of bad-news stories recently put the subject of USB drive security back on the agenda, and this time he managed to find six products worthy of consideration.

"We put together a detailed specification and we had a couple of mandatory requirements," Wells said. "We needed to be able to identify a USB device by serial number and track its use with a full audit trail. It also had to be tamper-proof."

They whittled the list of six products down to two, and then brought in a team from the NCC Group, a consultancy, to spend three days trying to crash the products or tamper with them. Both products stood up well, but the NCC team said they found the offering from Philadelphia, Pa.-based Safend Inc. was slightly more robust. "They felt it was just a little more frustrating to try to break," said Coles, who declined to say which was the other product in the test.

Working with Safend partner Vigil Software Ltd, Caerphilly Council installed and deployed the software in monitor mode only for the first six months, to get a clear picture of the extent of USB device use by the council's 900 users. It was able to track exactly what devices were plugged into every computer on the network, and when they were plugged in. That turned out to be quite revealing.

"It gave us some amazing figures against each device -- what was plugged in and when," Coles said. "We found a lot of pen drives that could have been bought anywhere were plugged into our network."

Following that revelation, they decided to ban the use of all non-approved USB devices and issue everyone with an encrypted USB stick from Kingston Technology Corp. Each device carries the Caerphilly logo and has a unique serial number. That number is recorded at the time of issue against the user's name on the central system. Safend enforces encryption on the USB device; access to the content is via username and password.

The Safend client agent on each of the council's PCs prevents any other unauthorised sticks -- or any other USB devices such as CDs or DVDs -- from being connected to the machines.
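The serial-number register and monitor-mode audit described above can be sketched as follows. This is an added example, not Safend's or the council's code: it assumes connection events carry Windows USBSTOR device instance IDs, and the register entries, hostnames, usernames and serial numbers are all constructed. Checking that the logged-on user matches the registered holder goes one step beyond what the article states.

```python
import re
from collections import defaultdict

# Constructed register: serial recorded at issue against the user's name.
ISSUED = {"0019E06B9C85F9A0": "jsmith", "001CC0EC3450BB31": "akhan"}

# Constructed monitor-mode events: (host, logged-on user, device instance ID).
EVENTS = [
    ("PC-0142", "jsmith", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00\0019E06B9C85F9A0&0"),
    ("PC-0388", "bjones", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00\001CC0EC3450BB31&0"),
    ("PC-0388", "bjones", r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\5&2a1b3c4d&0&1"),
    ("PC-0217", "akhan", r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\200435136107F4A2&0"),
]

ID_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_[^\\]*\\(?P<inst>.+)$"
)

def parse_instance_id(instance_id):
    """Split a USBSTOR instance ID into vendor, product and hardware serial."""
    m = ID_RE.match(instance_id)
    if not m:
        return None
    inst = m.group("inst")
    # A '&' as the second character means Windows generated the ID because the
    # device reports no unique serial, so it cannot be tracked by serial number.
    if len(inst) > 1 and inst[1] == "&":
        serial = None
    else:
        serial = inst.split("&")[0].upper()
    return {"vendor": m.group("ven"), "product": m.group("prod"), "serial": serial}

def classify(user, instance_id, issued=ISSUED):
    """Compare one connection event against the issued-device register."""
    dev = parse_instance_id(instance_id)
    if dev is None:
        return "unparsed"
    if dev["serial"] is None:
        return "no-serial"
    owner = issued.get(dev["serial"])
    if owner is None:
        return "unapproved"
    return "approved" if owner == user else "approved-wrong-user"

def audit(events=EVENTS):
    """Group (host, user) pairs by finding, as a monitor-mode report would."""
    findings = defaultdict(list)
    for host, user, instance_id in events:
        findings[classify(user, instance_id)].append((host, user))
    return dict(findings)
```

Devices that fall into the `no-serial` group cannot satisfy an identify-by-serial requirement at all, which is one reason to issue a single known model rather than approve arbitrary sticks.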

In addition, each approved memory stick is loaded with Safend's offline access utility, which allows the council to track what happens to the information when the device is unplugged from the main network.

"If, for example, a user copies a document from the USB device to their home computer," said Coles, "the event will be logged, and when they reconnect the device to the corporate network, all of the logs will be updated."

The Safend system is also capable of even more granular content control -- for instance, preventing the copying of specific files -- but Caerphilly has chosen so far not to implement that feature.

Code of Connection (CoCo) compliance too
Apart from bringing greater control over the use of memory sticks, the Safend project has had an extra spin-off benefit for Caerphilly Council. Like every other local council in the U.K., it needs to meet new security standards to connect to the Government Connect Secure Extranet (GCSx). This is a secure private wide area network (WAN), which will enable local authorities, central government, police and health authorities to communicate without using the public Internet.

The list of security requirements that local authorities need to meet is called the Code of Connection (CoCo). It consists of 92 detailed security questions, some of which deal with endpoint protection and encryption. With the Safend product covering the protection of data held on USB sticks, laptop encryption enforced by Safeboot, and the ability to provide audit trails of all file usage, Coles said he was able to provide confident answers to many of the CoCo questions.

Having already gone through BS 7799 accreditation was another great advantage. "A lot of the questions in CoCo are based on the ISO 27001 security standard, and so having been compliant with that, we could answer some of the questions quite easily," he said.

Nevertheless, he said CoCo compliance was not easy, and involved input from all sections of the 90-strong IT department. "Some questions had to be answered by people with a mix of skills -- the network guys, the server team, the installation guys," he said. "To be honest, we found it difficult to complete. I must have sent it back about five or six times to the project manager at Government Connect before we actually got accredited."

Last October they were accredited -- the first in Wales -- and were chosen to be one of eight councils to take part in a pilot involving the Benefits systems. The deadline for all other councils to comply is this September.


