CyberSecurity Institute

USB flash drives, MP3 players and the like are everywhere nowadays. Giving your staff free rein to use them at work could lead to breaches of security and loss of data.

Businesses are increasingly putting themselves at risk by allowing the unauthorized and uncontrolled use of portable storage devices. The use of unauthorized portable storage devices poses many dangers, not least for the malicious code that they can introduce. High data capacity and transfer rates, and broad platform support mean that a Universal Serial Bus (USB) or FireWire (IEEE 1394) device has the capacity to quickly download much valuable corporate information, which can be easily leaked to the outside world.

Portable devices include any kind of pocket-sized portable FireWire hard drive, like those from LaCie or Toshiba, or USB hard drive or keychain drive, such as M-Systems’ DiskOnKey. They also include disk-based MP3 players, such as Apple’s iPod, and digital cameras with smart media cards, memory sticks, compact flash and other memory media.

The devices pose two kinds of threat. Intentionally or unintentionally, users can bypass perimeter defenses like firewalls and antivirus at mailserver, and introduce malware such as Trojan Horses or viruses that, if not discovered, can cause serious damage. Also, companies are at risk of losing intellectual property and other critical corporate data.

The impact of the latter goes beyond the commercial value of the data for two reasons. There are different privacy laws in different countries. This means there is more risk of legal action if personal information – belonging to corporate clients or employees – ends up in the hands of an unauthorized third party. Companies’ reputations may be damaged as a consequence of information leaks. This is particularly the case for those operating in areas where client privacy must be preserved, such as the financial market.

Managers should advise on the main procedures to be followed for the eventual use of such devices; for instance, to confirm the need for password and security protection (encryption) of stored corporate data.

Adopt personal firewalls to limit what can be done on USB ports. Leading products to consider are from vendors like Sygate Technologies, Zone Labs and Symantec. Vendors like Pointsec Mobile Technologies, Information Security Corporation and PC Guardian Technologies offer alternative specialist solutions.

On a broader level, and especially for those industries where intellectual property is of critical importance, the use of digital rights management software ensures the persistent protection of digital assets by maintaining constant control over their use and distribution.

http://www.csoonline.com/analyst/report2714.html

Consider this: Gartner Inc. estimates that more than 70 per cent of unauthorized access to information systems is committed by employees, as are more than 95 per cent of intrusions that result in significant financial losses. The “2003 Computer Crime and Security Survey,” meanwhile, compiled by the Computer Security Institute and the FBI, found that 62 per cent of respondents reported a security incident involving an insider, up from 57 per cent in 2002. In such an environment, which is also increasingly beset by so-called blended threats that dynamically target the vulnerabilities of isolated security products, enterprises must adopt an integrated strategy that addresses network security at all tiers: gateway, server, and client.

The traditional perimeter firewall no longer provides adequate protection against intrusions and threats. In part that’s because the very definition of “perimeter” has become blurred. The addition of remote access servers, peer connections to partners’ networks, VPN servers, and wireless access points means that a once well-defined network boundary is no longer so well-defined. As a result, there are now multiple outside paths into the corporate network.

Integrated security uses the principles of defense in depth and employs complementary security functions at multiple levels within the IT infrastructure. By combining multiple functions, integrated security can more efficiently protect against a variety of threats at each tier to minimize the effects of network attacks.

Secures connections beyond the perimeter, enabling organizations to safely communicate across the Internet.

With these security technologies integrated into a single solution, an enterprise is better able to withstand a modern-day network threat, be it a malicious code attack, a denial-of-service attack, unauthorized access (either internal or external), or blended threat.

A client firewall that also includes intrusion detection and antivirus technology works this way: as information is received by the client, it is passed through the client firewall and scanned for network attacks and viruses by the intrusion detection and antivirus technologies.

Moreover, proper controls can be put in place so that, should an incident occur, they can act in a timely fashion.

Enterprises should have a policy outlining their information assets and all access rights to that information.

If relationships with outside contractors call for them to access the network, make sure the access is designated only for the specific services required.

http://www.ebcvg.com/articles.php?id=256

As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks. Forrester says now is the time for IT to take a more active role in such management.

As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks. Where a limited support policy was appropriate two years ago, IT must now take on a much more active role in provisioning, supporting, and managing mobile devices. Because many employees use their own devices to store company information or otherwise ignore company mobile usage policies, companies often don’t have control of the devices, what information is stored on them, or how the information is protected.

Unmanaged mobile devices represent one of the most serious and often overlooked security threats to the enterprise. As several incidents over the past year demonstrate, the risk of information loss or theft from laptops, PDAs, phones, converged devices, and tablets is increasing rapidly. Organizations should balance the growing requirement for mobility with sensible policies on mobile usage and security, along with technology to enforce the policies.

While more organizations have mobile policies than two years ago, comparatively few companies have invested in technology to manage and protect the devices. The proliferation of laptops, PDAs, and other mobile devices in the enterprise, coupled with the explosion of wireless connectivity options, has led to significant support issues and security risks. Mobile devices are vulnerable to theft and loss, with most companies budgeting for a 20% or higher loss and failure rate for PDAs.

While the cost of replacing the devices is relatively insignificant, more and more users store sensitive information on the devices. Additionally, mobile devices can introduce viruses or worms to the corporate network.

Based on a recent Forrester survey, only 9 percent of companies have deployed mobile management tools; another 20 percent are piloting or plan to deploy mobile management tools within the next 12 months (see Figure 1 on source web page). This report will outline both the challenges posed by mobility and the steps companies can take to manage and secure the devices.

Many of corporate IT’s challenges regarding provisioning and supporting remote workers, including predominantly mobile or untethered ones, can be resolved by articulating – and periodically revising – a formal written corporate mobile usage policy. If the company is not willing to set and enforce standards, the costs and risks associated with the mobile device population could quickly spiral out of control.

Managing and Securing Mobile Devices: Best Practices

Mobile Usage And Security Policies
– Be convenient and easy for the user to follow.
– Balance productivity requirements against security and costs.
– Vary by the users’ roles and type of information they handle.
– Specify how users should synchronize information with mobile devices.
– Include guidelines for data usage and transfer.
– Summarize proper use and care of company-owned or -supported mobile devices.
– Have a definition of corporate standards for hardware selection.
– Outline standards for support of employee-purchased equipment.

Communication and User Education
User education is also critical.
Give users some accountability.
Make it clear what is at stake, including the user’s own information.
Give users the necessary tools and easy means to secure the devices.
Raise awareness by demonstrating real security risks.

Selcting Mobile Management and Security Tools
Asset discovery to identify and track devices on the network.
Synchronization tools for PIM, email, or enterprise data.
Antivirus.
Password policy enforcement.
Remote device kill for any PDAs, laptops, or tablets with potentially sensitive data.
Encryption.
Client firewalls.

Forrester Recommendation: Take Immediate Steps to Secure and Manage Mobile Devices

http://www.csoonline.com/analyst/report2794.html
http://www.gigaweb.com/