Case Study: Bank Audits Vulnerabilities with Security Appliance

Cape Cod Cooperative Bank chooses a dedicated appliance to scan its network for vulnerabilities

What’s the best way to audit a relatively small IT environment?

For Cape Cod Cooperative Bank in Yarmouth Port, Mass., the answer was a dedicated appliance to scan its network for known vulnerabilities. “We have to do independent audits for a lot of the regulatory requirements,” notes Jason Bordun, the IT manager at the cooperative bank, highlighting FDIC regulations. Bordun says that when he joined the bank, there was no effective, automated way to do that.

In the course of researching automated ways of auditing network security, Bordun began investigating appliance possibilities. “We have a small staff—three to four people, five branches, and we have to be able to make the most of our time.” The bank has about 150 workstations, combined with a number of workstations for American Express financial advisors who are co-located at the five branches.

After testing an appliance from PredatorWatch called Auditor 128, which scans PCs on a network for known vulnerabilities, he adopted it, then rolled out smaller versions for each of the branch offices. “It helped,” he says, in finding vulnerabilities and reporting on the overall state of PC health. “The reporting function is a big thing we look for, not only for myself, but also for management.” Senior managers want regular reports on the bank’s information security. To get them, they log on to the appliance via their Web browser, where they can browse reports in PDF format. Audits and related reports are generated weekly; the bank audits a different branch every day.

Once Cape Cod began using the appliance to audit the environment and generate reports, however, Bordun got a surprise: the existing patch management program wasn’t working. “Right now, because of the size of the bank, we didn’t have a functional patch management system in place,” he says. Instead the bank uses Microsoft’s Software Update Services (SUS) to patch all of its computers, and “we weren’t sure what was actually getting patched in terms of Microsoft vulnerabilities.”

In fact, updates weren’t being distributed. “SUS wasn’t pushing them out, even though we had it set up in Group Policy to do so.” So the bank tweaked its SUS set-up to get it working. Even so, “based on some of what PredatorWatch found, we found [SUS] wasn’t good enough for us,” he says. Long story short: “I was able to budget a patch management system.”

Beyond patch management, “the biggest reason we went to PredatorWatch was laptops,” Bordun notes. The laptops belong to the financial advisors who prefer to use the bank’s network instead of needing their own DSL connections at the same branches. Yet the laptops were introducing vulnerabilities that could spread across the network. Since Cape Cod doesn’t own those laptops, however, it didn’t know whether they had the latest Microsoft security updates.

With the security appliance in place, however, those laptops are now audited automatically: “using DHCP, as soon as the router gives out an IP address, they get audited.” The audit informs IT of any vulnerabilities or exploits on the PC, so employees can contact the relevant laptop owner to remediate the machine.

In the future, Bordun wants to automatically restrict network access for non-compliant PCs until IT remediates them. “We’re in the process, we haven’t done it yet, of talking with our firewall vendor, because it can actually block ports.” Later, he expects to audit all wireless devices that connect to the network.
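The lease-triggered audit Bordun describes, together with the planned step of restricting non-compliant PCs, as an added example that is not the bank’s or PredatorWatch’s code: it reads DHCP server syslog lines in ISC dhcpd format (the lines below are constructed), queues each newly leased host for a scan exactly once, and turns the scan result into an allow/remediate/restrict decision. The `demo_scanner` callable, the finding format, the severity levels and the list of bank-owned MAC addresses are assumptions made for the example; the appliance’s actual scan is not described on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in ISC dhcpd syslog format (not the bank's logs).
# Only DHCPACK lines mean a host actually received an address.
SAMPLE_DHCP_LOG = """\
Mar  3 08:01:12 branch1-dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  3 08:01:12 branch1-dhcp dhcpd: DHCPOFFER on 192.168.10.50 to 00:11:22:33:44:55 (advisor-lt01) via eth0
Mar  3 08:01:13 branch1-dhcp dhcpd: DHCPACK on 192.168.10.50 to 00:11:22:33:44:55 (advisor-lt01) via eth0
Mar  3 08:02:40 branch1-dhcp dhcpd: DHCPACK on 192.168.10.51 to 00:11:22:33:44:66 (teller-pc07) via eth0
Mar  3 08:15:13 branch1-dhcp dhcpd: DHCPACK on 192.168.10.50 to 00:11:22:33:44:55 (advisor-lt01) via eth0
Mar  3 08:20:02 branch1-dhcp dhcpd: DHCPRELEASE of 192.168.10.51 from 00:11:22:33:44:66 (teller-pc07) via eth0
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

# Assumed severity scale for the scanner's findings (not from the page).
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


def parse_acks(log_text):
    """Return one Lease per DHCPACK line; other DHCP messages are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def select_for_audit(leases, audited):
    """Return leases not yet audited, in first-seen order, without duplicates.

    A renewal of the same MAC on the same IP is not re-queued; the same MAC
    appearing on a new IP is, because the host has re-joined the network.
    """
    queue = []
    seen = set(audited)
    for lease in leases:
        key = (lease.mac, lease.ip)
        if key not in seen:
            seen.add(key)
            queue.append(lease)
    return queue


def run_audits(queue, scanner, owned_macs):
    """Scan each queued host and decide the follow-up.

    `scanner` is a hypothetical callable(ip) -> list of finding dicts with a
    'severity' key, standing in for the appliance's scan. Bank-owned machines
    go to IT for remediation; other machines (the advisors' laptops) get their
    owner contacted, as the article describes.
    """
    results = {}
    for lease in queue:
        findings = scanner(lease.ip)
        worst = max((f["severity"] for f in findings),
                    key=SEVERITY_RANK.get, default="none")
        if SEVERITY_RANK[worst] >= SEVERITY_RANK["high"]:
            action = "restrict"    # the planned step: block until remediated
        elif findings:
            action = "remediate"
        else:
            action = "allow"
        owner = "IT" if lease.mac in owned_macs else "contact laptop owner"
        results[lease.ip] = {"mac": lease.mac, "host": lease.hostname,
                             "worst": worst, "action": action, "owner": owner}
    return results


def demo_scanner(ip):
    """Constructed stand-in for the appliance: canned findings per IP."""
    canned = {
        "192.168.10.50": [{"id": "missing-os-patch", "severity": "high"}],
        "192.168.10.51": [],
    }
    return canned.get(ip, [])


if __name__ == "__main__":
    queue = select_for_audit(parse_acks(SAMPLE_DHCP_LOG), audited=set())
    for ip, r in run_audits(queue, demo_scanner, {"00:11:22:33:44:66"}).items():
        print(f"{ip:15} {r['host']:12} worst={r['worst']:8} {r['action']:9} -> {r['owner']}")
```

In practice the `audited` set would be persisted between runs (and aged out, since the bank re-audits on a schedule), and the `restrict` action would be handed to whatever enforcement point the network has; the article notes the bank was still discussing port blocking with its firewall vendor and vetting the idea with American Express before automating it.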

Bordun doesn’t plan simply to institute automated blocking, however; he wants to vet it with American Express first. “You have to judge the business versus the security side,” he notes. “We’re taking that slow.”

On the compliance front, the bank is moving forward more aggressively. While regulations don’t require the bank to have an auditing system in place, “when you do, you eliminate some of the real scrutiny,” he says. For example, when it comes to analyzing log files to look for known vulnerabilities or uninstalled patches, auditors “know if you don’t have software, you can’t do it in depth.” On the other hand, when they see automated tools in place, “they know you’re being proactive, and it just helps the whole process.”

Related Articles

Q&A: Endpoint Security for Unknown Devices
http://www.esj.com/Security/article.aspx?EditorialsID=1315

Endpoint Security Grows But Interoperability Questions Remain
http://www.esj.com/security/article.aspx?EditorialsID=1153

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.