At Countrywide, One Overlooked PC Led to Loss of 2M RecordsInsider used the one machine that hadn't been 'fixed' to prevent use of external storage devices
If your primary defense against portable storage devices is to seal up the USB ports on your users' computers, you'd better be pretty darn good with a glue gun.
That's the message that's emerged from court documents surrounding the recently revealed security breach at Countrywide Home Loans, where an employee siphoned off about 20,000 customer records a week for more than two years and sold them to a third party. (See Ex-Countrywide Employee Charged With Selling Customer Data.)
An affidavit by an FBI special agent assigned to the case reveals exactly how the insider attack took place. It states that in an effort to prevent users from loading unauthorized data onto memory sticks or other portable storage media, Countrywide had sealed the USB ports on all of its employees' machines -- all, that is, except one.
Rene Rebollo Jr., 36, a former senior financial analyst with Countrywide Home Loans subprime mortgage division, found that one machine near his own workspace, according to the affidavit. And so, every Sunday night for about two years, Rebollo brought a memory stick over to that machine and downloaded personal information on approximately 20,000 customers.
Countrywide had not deployed any method for detecting or managing downloads to portable storage devices, since its policy was to block their use entirely on all employee machines. As a result, the downloads went undetected for years, leading to the compromise of some 2 million records, according to court documents.
A criminal complaint against Rebollo said that he earned about $65,000 a year at Countrywide and had opened a personal bank account for holding what he estimated to be up to $70,000 in proceeds from Countrywide data sales. Experts have said that Rebollo woefully underestimated the value of the mortgage data, which is difficult to get on the black market and can fetch several dollars per record.
Disabling USB ports -- either logically through the registry or physically, by sealing them with glue or some other permanent substance -- is a simple way to prevent users from accessing portable storage devices, experts said. But it can prove fallible.
"This is certainly a quick way to lower the risk of information transfer," said Tom Olzak, director of information security at HCR Manor Care, in a recent blog. "It isn't difficult, especially in a Windows environment. A simple registry hack on each workstation, easily deployed via login scripts, can completely shut down USB and Firewire ports.
"But this might cause a problem if you deploy USB or Firewire devices like keyboards, mice, displays, etc.," Olzak noted. "A direct registry modification to achieve a security result is not my idea of a good time." For many enterprises, encryption or granular control of USB ports may prove to be better options than disabling USB altogether, he suggested.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio