Cyber Security Institute

Friday, July 30, 2004

How to Tackle the Threat from Portable Storage Devices

Gartner advises companies to take action against the risks that portable storage devices (flash drives, MP3 players, and so on) present to the enterprise.  Giving your staff free rein to use them at work could lead to breaches of security and loss of data.

This article shows which strategies and technologies organizations should adopt to manage them securely.

High data capacity, fast transfer rates and broad platform support mean that a Universal Serial Bus (USB) or FireWire (IEEE 1394) device can quickly copy large amounts of valuable corporate information, which can then easily be leaked to the outside world.  This underlying vulnerability has existed since the release of Microsoft Windows 2000, the first widely deployed operating system able to mount a USB storage device automatically.

Intentionally or unintentionally, users can bypass perimeter defenses such as firewalls and antivirus at the mail server, and introduce malware such as Trojan horses or viruses that, if not discovered, can cause serious damage.

This means there is more risk of legal action if personal information - belonging to corporate clients or employees - ends up in the hands of an unauthorized third party.  Companies are at risk of losing intellectual property and other critical corporate data.  Portable storage devices are also ideal for anyone intending to steal sensitive and valuable data.

What are company requirements and strategies for deploying these devices in the workplace?

Companies should forbid the use of uncontrolled, privately owned devices with corporate PCs. The prohibition should extend to employees and to external contractors with direct access to corporate networks.

What are the best practices in managing these devices?

- Adopt a suitable security policy on using portable storage devices
- Use tools to help manage access to USB and FireWire ports
- Consider using digital rights management technology as part of a wider protection strategy for proprietary information

Posted on 07/30