As employees head back to the office, many of them will be coming in with new, cool gadgets in hand -- straight from Santa's sack. Could these new smart phones, PDAs and MP3 players be a security risk? Yes, they can, and here's what to do about it.
As you read this, users are winding up their holidays and heading back to
the office. The trouble is that they're bringing security risks with them
-- you can count on it.
That is, all those users are bringing all the cool new electronic gadgets
they received as holiday gifts.
The cool gadgets this year span a broad spectrum: PDAs, USB memory
sticks, personal MP3/media players, smart mobile phones (many with
cameras built in), wireless adapters, Bluetooth devices and digital
cameras. The two common themes in the above list are memory capacity and
data connectivity, and those two ingredients can add up to significant
security risks for your business.
Now, I'm as much a ''gadget guy'' as anyone I know, and truth be told,
there is great business benefit to be gained from most of these devices.
PDAs can be enormously useful at organizing a busy business, along with
schedules and priorities, both professional and personal. USB memory
sticks have all but done away with floppy and Zip disks. Even those
personal MP3 players can make long business flights a little less
intolerable -- trust me!
You can be sure that corporate users are going to try to integrate these
cool devices into their work lives. Your job is to enable that to happen
-- to the extent that you feel is reasonable, -- while safeguarding your
company's business concerns. So, just what are the threats from these
devices? Let's take a quick look and separate the reality from the FUD
(Fear, Uncertainty, and Doubt) that litters the popular press.
The storage devices in the above list carry two primary risks: theft
of company information and insertion of unauthorized, possibly malicious,
software. Storage devices have gotten smaller in size and larger in
capacity. I carry a 1 G USB stick with me that is about the size of a pen
cap. When you combine that with the lightning fast USB 2.0 interface, you
have a device that would enable a criminal to steal your company's data
very quickly and with little chance of being noticed.
Regarding the risk of inserting unauthorized software, there is the
''autorun'' facility provided by many Windows-based operating systems.
(Autorun looks at a file called ''autorun.inf'' on the drive, and
executes the commands in it.) Disabling autorun is quick, easy, and well
documented, but doing so for a USB drive might cause difficulties, if the
device driver doesn't load.
The main risk from unauthorized wireless devices is that the user
may well be opening up connectivity to your company's network, completely
bypassing any firewall or other policy-enforcing mechanisms. That can
result in theft of data, theft of service, etc.
All of these risks are quite real.
The likelihood of them affecting your company depends on a whole bunch of
things. Without a doubt, the decision of whether or not to accept these
devices in the workplace must be made by each company after carefully
considering the potential benefits of allowing these gadgets against the
potential risks they would carry.
There are a few things that you can consider doing, however, that should
reduce -- although not eliminate -- the risks. Here's my list:
Disable autorun. Many IT Security people consider this to be
mandatory in tightening a Windows system. As I mentioned above, it may
lead to some difficulties with USB drives, but it does at least provide a
first level of protection against running rogue software on a system.
Access control. Restricting access to resources (e.g., USB ports) is
bound to be an unpopular decision among your users, but in some
environments it may be justified.
Event monitoring. If restricting access isn't feasible in your
environment, consider rigorous event monitoring (and centralized
collection/analysis) of user activity on USB ports and devices. It
requires you to have monitoring infrastructure in place, but that might
be a lot easier to do than explaining to the VP why she can't use her new
USB drive. And, of course, it's much easier on desktop systems than on
laptops and notebooks...
Compartmentalize the risks. If all of the above are completely
unacceptable to you, then consider setting up a designated workstation
where users can plug in their USB devices. That system should be hardened
and closely monitored, but it would isolate the threat to one system.
(This is assuming that USB hardware is disabled/removed on all other
Wireless device detectors. There are now several products on the
market that can help you detect unauthorized devices the moment they are
turned on. Some will even actively prevent the unauthorized devices from
functioning. Then, once the device configurations are reviewed and
approved, they can be added to the authorized list.
Policies. A good set of policies is a good idea irrespective of what
you're doing about USB and wireless devices. They should include policies
on acceptable computer/network use, cameras, personal devices, remote
It should be obvious that this list is just a quick ''fly by'' of some of
the possible remediations that you can consider. And, of course, there's
no substitute for other good computing hygiene practices, such as
anti-virus software and personal firewall devices.
The main point I'm trying to make is that the gadgets are inevitable.
Ignoring them won't make them go away.
Similarly, there aren't any perfect solutions that remove all of the
threats that go along with them. But your users are going to want to use
them, for good and valuable business reasons in many cases. You can
prohibit them if that's what your computing environment requires, or you
can find ways to reduce the risk and embrace them.
As for me, you'd have to pry my PDA and USB drive from my cold, dead