Leak #6 Sensitive information can leave your organization when a rouge device such as a wireless router, laptop, hub, switch or any other unauthorized device is connected
Risk Mitigation: enable layer 2 access switch port security
COST: $0
This is a multi-faceted solution

• All unused access switch ports must be administratively shut down to prevent users from freely connecting devices and obtaining a network IP address.
• Send an email to everyone in your organization requesting that all PCs printers and any other device be left on or they will not have connectivity the next day
• Go through every access switch port in your environment and administratively shut any port that is in the "down down" state.
• Once you have eliminated all unused ports the next step is to enable dynamic mac-address learning for each access port.
• Commands to enable dynamic mac-address learning vary with the Cisco OS on your switches
• The key is to dynamically bind the currently learned mac-address to the switch port so that if it is changed the port automatically shuts off. Here is a sample config:
  interface FastEthernet0/19
  switchport access vlan 6
  switchport mode access
  switchport port-security
  switchport port-security mac-address sticky
  switchport port-security mac-address sticky 0013.7476.f257
  spanning-tree bpduguard enable
  

• When you enable port security take note that when you do a "show run" the mac-address becomes part of the configuration for that port
• The next step is to examine the number of mac-addresses learned through each port. If you see numerous addresses being learned from a single port you know that a hub or switch is connected to that port. If you have a hub with 6 connections you can configure the switch port to accept a maximum of 6 addresses (or however many you see).
• All ports that show a single mac-address should then have bpduguard enabled. This will tell the switch port to automatically shut down if another switch or router is connected. This makes it virtually impossible for someone to connect a router, switch or hub without your knowledge.
• If you have implemented the TriGeo Sim, setting up notifications on these types of events is a breeze and you can immediately engage the incident response team

Leak #7 Sensitive information can leave your organization when vulnerabilities are discovered andexploited.
Risk Mitigation: perform monthly penetration testing on the internal and external network
Approximate monthly recurring cost: $1,600
3 key aspects need to be addressed here:

• You can't fix a problem unless you know it exists. My vendor of choice for vulnerability discovery is Digital Defense. There is no need to download your own testing tools because they have just about every aspect covered. They will ship you a preconfigured device that connects to your internal network. It should be placed on your production server VLAN and have unrestricted access into your core network. You can setup your own tests for internal and external testing as frequently as desired. The reports are granular and include instructions on how to remediate or mitigate the discovered vulnerabilities. Also included is a compliance tool that enables you to go through the governing auditing agencies (GLBA, FFEIC, NCUA, etc...) requirements and enter a response. These report can be printed out and handed to the auditors to show you practice due diligence.
• Deploy Windows WSUS and all PC/Server updates are automated. It's free...
• Deploy an automated antivirus solution for all PC/Servers. My recommendation is Panda.

Matt Roedell
Network & Information Security Manager
TruMark Financial Credit Union
mroedell@trumark.org