Portable storage devices invite big problems

By Elisabeth Horwitt, Contributor 10 Apr 2006 | SearchSMB.com

News on networking, mobility and voice Digg This!     StumbleUpon     Del.icio.us

Small storage devices are inexpensive, ubiquitous, easy to use -- and easy to lose. For business IT departments, that constitutes a potentially serious security problem. A $30 Universal Serial Bus Flash drive casually misplaced in a restaurant or airport lounge may contain sensitive data that can leave a company vulnerable to a rival, or a lawsuit. In one much-publicized case, a former employee of a major financial institution unwittingly sold on eBay a wireless handheld device containing an ex-employer's customer list.

As mobile devices and small, cheap, removable storage media proliferate, the risks of leaving PC ports unprotected have grown exponentially.

Take the iPod. Commercially available software now enables the little MPEG player to download a lot more than music files: e-mail, calendar contacts, favorite Web sites and data files for example. The practice has become widespread enough to gain an official nickname: slurping.

Conversely, portable storage devices become conduits for viruses and other malware. A visitor left alone in a conference room with an unguarded PC needs only a few moments to upload malware or a Trojan horse into the corporate network. An employee takes corporate files home, infects them with a virus on his or her home computer, then uploads them to an office PC.

"There's a huge potential for losing data via a PDA or a CD-ROM, which creates a potentially enormous liability," said Michael Osterman, president of Osterman Research Inc. in Black Diamond, Wash.

In a 2004 report, "How to tackle the threat from portable storage devices," Gartner Inc. advised companies to consider prohibiting or at least restricting the use of small, portable storage devices -- from USB keychain devices to iPods -- by employees and outside contractors who have direct access to corporate networks. The report also advised companies to institute a "desktop lockdown policy" that permitted only authorized devices to be plugged in.

In the last year or two, corporate IT staffs have homed in on PC data ports as one of the serious gaps in internal security that enable hackers and other unauthorized intruders to circumvent external defenses like firewalls.

Disabling all PC data ports or instigating a corporatewide ban on portable storage devices is rarely a viable solution, according to Osterman. "These devices are one of the easiest ways to move data. Most of the ways people use them are valid, like taking information home to work, copying presentations off e-mail stores. So you can't just say don't use them."

GFI Software Ltd., SmartLine Inc. and DeviceWall have introduced a more granular solution: software that enables administrators to centrally control what type of device and port can be utilized to read from, or write to, a particular PC.

For example, an end user might be given read/write privileges for a notebook or personal digital assistant (PDA) that can be equipped with security software, but not to a keychain device.

In addition, Microsoft's Windows XP Service Pack 2 provides a registry key that can be configured to make USB storage devices read-only.

As a government agency, Tri-County Board of Recovery and Mental Health in Troy, Ohio, needs to comply with government regulations like the Health Insurance Portability and Accountability Act (HIPAA), which require accountability when it comes to data loss. The company has only 15 employees, but it's just as vulnerable as a larger firm to HIPAA violation penalties of thousands of dollars and up to 10 years in jail, notes Jerry Hill, the company's director of IS.

Last summer, he installed GFI's Portable Storage Control to ensure that sensitive data didn't make an unauthorized exit via a floppy or a USB device. In March, he installed a beta version of the latest version, EndPoint Security, which adds control of additional devices, such as CD-ROMs. "I used to have to put a CD or DVD burner out of commission; now I can pass it on with a disabled write capability," Hill enthuses. "And I can block unauthorized use of PDAs and all USB devices, including a wireless network card."

EndPoint Security allows administrators to grant either read or write privileges, or both, to a particular port, device, user or job title. For example, "A marketing person might be allowed to download animation to CD-ROMs for distribution at game shows, but not upload some crazy Internet game," says Kurt Shaver, a vice president at Cary, N.C.-based GFI. A visiting salesman might be allowed to upload presentation material from a USB Flash card onto a corporate PC, but not download anything from that PC.

Ramon, Calif.-based SmartLine's DeviceLock can grant read or read/write, but not write-only privileges. Both SmartLine and DeviceWall products allow administrators to grant users temporary access to USB devices, when their PCs are offline, by providing temporary access codes.

Both Endpoint Security and DeviceLock support Active Directory, eliminating the need to set up a separate structure for managing access rights. They also support automated, remote software installation: DeviceLock through Windows Remote Install, EndPoint Security through proprietary software. DeviceLock provides a snap-in to Microsoft Management Console as well.

Centralized administration features take the burden off SMB IT staffs. Tri-County Board's Hill can define read/write privileges on USB devices using the same Active Directory groups used to define network access rights, he said. The ease of setup and configuration is key for him: "We're a small office, but I'm a one-person IT staff."

Elisabeth Horwitt is a freelance writer in Waban, Mass.

Tags: PDAs,  Hackers and Threats to your Mobile Enterprise,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT PDAs Fuel cells still years away for mobile devices Going green: Recycling and energy saving tips for mobile devices -- podcast As others flock to iPhone, Palm faithful await the Nova PDA review: HP iPAQ 210 Apple iPhone/iPod touch get doubled storage Mobile devices: Upgrade considerations HP's iPAQ 210 enterprise handheld released iPod touch gets email, iPhone gets GPS Mobility highlights from 2007 Mobile device battery capacity improved with nanotechnology PDAs Research Hackers and Threats to your Mobile Enterprise Mobile security threats Securing corporate data on your laptops iPhone hacking: Lessons from the front line Trends in mobile computing Traditional security threats coming soon to mobile device near you Prevent mobile malware: Learn how to protect your enterprise and devices On-device defenses for mobile malware Is malware coming to a smartphone near you? New challenges in mobile device discovery Mobile security – Understanding and controlling risks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary digital multimedia broadcasting  (SearchMobileComputing.com) FeliCa  (SearchMobileComputing.com) inductive charging  (SearchMobileComputing.com) iPhone  (SearchMobileComputing.com) location awareness  (SearchMobileComputing.com) microblogging  (SearchMobileComputing.com) Opera  (SearchMobileComputing.com) Quarter Video Graphics Array  (SearchMobileComputing.com) radio charging  (SearchMobileComputing.com) wireless charging  (SearchMobileComputing.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary