Cyber Security Institute

Monday, August 23, 2004

How to Tackle the Threat from Portable Storage Devices

Gartner advises companies to take action against the risks that portable storage devices (flash drives, MP3 players, and so on) present to the enterprise.

USB flash drives, MP3 players and the like are everywhere nowadays.  Giving your staff free rein to use them at work could lead to breaches of security and loss of data. 

Businesses are increasingly putting themselves at risk by allowing the unauthorized and uncontrolled use of portable storage devices.  The use of unauthorized portable storage devices poses many dangers, not least the malicious code that they can introduce.  High data capacity, high transfer rates and broad platform support mean that a Universal Serial Bus (USB) or FireWire (IEEE 1394) device can quickly copy large amounts of valuable corporate information, which can then be easily leaked to the outside world.

Portable devices include any kind of pocket-sized FireWire hard drive, like those from LaCie or Toshiba, and any USB hard drive or keychain drive, such as M-Systems’ DiskOnKey.  They also include disk-based MP3 players, such as Apple’s iPod, and digital cameras with SmartMedia cards, Memory Sticks, CompactFlash and other memory media.

The devices pose two kinds of threat.  First, users can, intentionally or unintentionally, bypass perimeter defenses such as firewalls and antivirus scanning at the mail server, and introduce malware such as Trojan horses or viruses that, if not discovered, can cause serious damage.  Second, companies are at risk of losing intellectual property and other critical corporate data.

The impact of the latter goes beyond the commercial value of the data, for two reasons.  First, privacy laws differ from country to country, which means there is more risk of legal action if personal information belonging to corporate clients or employees ends up in the hands of an unauthorized third party.  Second, companies’ reputations may be damaged as a consequence of information leaks.  This is particularly the case for those operating in areas where client privacy must be preserved, such as the financial market.

Managers should advise staff on the main procedures to follow whenever such devices are used; for instance, by confirming the need for password and security protection (encryption) of stored corporate data.

Adopt personal firewalls to limit what can be done on USB ports.  Leading products to consider are from vendors like Sygate Technologies, Zone Labs and Symantec.  Vendors like Pointsec Mobile Technologies, Information Security Corporation and PC Guardian Technologies offer alternative specialist solutions.

On a broader level, and especially for those industries where intellectual property is of critical importance, the use of digital rights management software ensures the persistent protection of digital assets by maintaining constant control over their use and distribution.

Posted on 08/23