A small thumb drive can carry a lot of data, and they can easily be misplaced or carried off. Controlling what can go on them seemed a way to head off any problems down the road, Neal says.

"We wanted to lock down our workstations to prevent people from downloading data they shouldn't to USB drives. We also wanted to track what our IS staff did with USB drives when working on our computers," she says.

So SWFCU turned to the Sanctuary software solution from SecureWave in Herndon, Va.

The endpoint security software is used to create a whitelist and then simply bars any other devices from accessing the system. IT administrators control the list and the software also tracks what information actually is copied to and from various devices, providing the kind of log regulators can see ensures compliance, the company says.

SecureWave now has nearly two million client components installed in laptops and desktops at more than 1,800 sites worldwide, and the company says Sanctuary's adoption in the financial services sector more than doubled in the past year.

Two factors are driving a sharp increase in interest in products like Sanctuary, says Dennis Szerszen, senior vice president at SecureWave.

First is the increased responsibility regulators are placing on financial institutions to show that they are protecting private information. Second is the surge in malware attacks, such as Trojans and keyloggers, that hackers send coursing through the Internet looking for vulnerabilities that would allow them to use a computer as a host for spewing spam or stealing account numbers.

The Sanctuary software uses the Active Directory component of the Microsoft network software to manage user groups and access authorizations, then uses policies set by the administrator to identify devices, allow or deny access and record access attempts and file names or content as they are copied to floppies, CDs or DVDs or other removable devices.

A particular problem is the ultra-portable devices called by various names: flash drives, thumb drives and memory sticks among them. In a kind of social engineering experiment, a recent trend in IS testing has been to load "fairly benign White Hat malware onto 10 or 15 memory sticks and throw them in a parking lot and sit back," Szerszen says. "It's interesting to see how many get picked up and plugged in."

USB was born out of the popularity of plug and play and a lot of memory sticks now present themselves to the computer as CD devices, the Secure Ware executive says. That makes it very easy for them to run in the auto-run task format, and that can present the opportunity for malware to get into a network, he says. "It doesn't matter what you're trying to stick in and try to run, our application will stop it if that device is not authorized, and it will let you know," Szerszen says.

At about $45 a seat, Neal and her credit union are working with Sanctuary to ensure that threat is minimized.

"We had the policies in place and we could administer ourselves through Active Directory, but it's not easy doing it that way and it would cost us a lot in man hours. Sanctuary is very simple to administer and our deployment went very smoothly," she says.

"We had one little glitch, when we realized that our cash dispensers used a USB port, so they didn't work, but we figured that one out in about five minutes," she says.

Now, anyone wishing to use a memory stick, floppy drive or CD or DVD in the credit union's system has to clear it with IS, adding a layer of protection that didn't exist before.

"If someone does need access, such as using a CD for training, we can give it to them quickly," Neal says. "And the learning curve for using it was so small it was a no-brainer. Making changes using Active Directory was a lot harder. This is easy." –[email protected]