Bank Thwarts Threats From Within

Case study: When an audit turned up less-than-stellar security results, Ulster Savings Bank turned to the CyberGatekeeper network access control system to protect the network from inside threats.

All IT managers worry about hackers, viruses and external security threats. But what really keep IT pros up at night are threats generated inside their companies firewalls. Even when they are not maliciously motivated, employees, contractors and visitors to an office building can wreak havoc by logging on to the corporate network without heeding corporate security policies.

Ulster Savings Bank, in Kingston, N.Y., uses an outside company to conduct periodic security audits. When a 2005 audit revealed the banks procedures for protecting against internal threats were less than solid, Jim Hochstatter knew it was time to take action.

"We had faced the outward-facing security issues and were feeling pretty good about that," said Hochstatter, vice president of technology for the 20-branch institution. "But security issues kept popping up in the press. The next big theme was inward-facing threats."

Seeking advice from systems integrator Topgallant Partners, of Londonderry, N.H., Hochstatter arrived at a network access control solution that would ensure all machines connected to the corporate network complied with security policies.

Topgallant had been working with the bank for more than a year, and Jeff Jones, managing partner at Topgallant, said he knew Hochstatter would be open to his suggestions on beefing up internal security.

Founded in 1851, Ulster Savings Bank had a tradition of extreme caution when it came to adopting new technology. When Hochstatter came on board in 2004, he was tasked with implementing a direct Internet connection for the first time.

And, as the bank was pursuing an aggressive growth strategy, all the systems had to be upgraded to support those plans. "This company is about $635 million in assets. Our five-year plan puts us up to $900 million," said Hochstatter.

Hochstatter said he wanted to put in place a solid IT infrastructure and tools that would allow his modest five-person IT staff to handle more users and a bigger network without having to increase head count. The bank currently has 355 employees.

"We had hired a firm to harden the perimeter of the network. But we needed another piece in there," Hochstatter said. "We needed a tool that would help us manage access to our physical network from inside."

In the process of evaluating network access solutions, Topgallant recommended that the bank buy the CyberGatekeeper network access control system from InfoExpress, of Mountain View, Calif. CyberGatekeeper audits the endpoint before allowing it onto the network.

In December 2005, Hochstatter signed the purchase order for CyberGatekeeper. The project cost $75,000, including 200 software licenses, hardware and implementation services.

CyberGatekeeper works via a software agent installed on each machine, according to Todd Nakano, executive vice president of sales for InfoExpress. The software checks that the PC, laptop or other device is in compliance with security policies. This includes running all new anti-virus definitions, disallowing instant messaging applications, checking for the most recent operating system patches and making sure the personal firewall is configured properly.

/zimages/2/28571.gifClick here to read a review of InfoExpress CyberGatekeeper LAN 3.0.

"It allows IT folks … visibility into all the endpoints connecting into the network, whether they are remote or in the office," said Nakano. "[CyberGatekeeper] gives them the confidence of knowing exactly what is connected to the network and the ability to remediate instantly."

The rollout proceeded on at an orderly, if somewhat leisurely, pace. Since the IT department had to physically "touch" every machine to install the agent software, it took some time to get all the machines ready. There were some surprises: A few machines were woefully out of policy in terms of running the required software patches. It took about five months to bring all of them in line.

"We didnt go to full enforcement until everything was clean," said Hochstatter. "From a technical and users perspective, the final implementation was a nonevent."

As for implementation of CyberGatekeeper itself, it was a success, said Hochstatter. Though the bank now uses CyberGatekeeper only to check for the most current anti-virus definitions, he has not ruled out expanding its use down the road. "Our configuration is quite simple. It may get more elaborate over time," Hochstatter said. "The thing is, I get a warm and fuzzy feeling being able to see every endpoint that is connected to my network."

Lauren Gibbons Paul is a freelance writer in Waban, Mass. E-mail her at

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.