Protecting the Enterprise from Users' New, Cool Tools

As you read this, users are winding up their holidays and heading back to the office. The trouble is that they're bringing security risks with them -- you can count on it.

That is, all those users are bringing all the cool new electronic gadgets they received as holiday gifts.

The cool gadgets this year span a broad spectrum: PDAs, USB memory sticks, personal MP3/media players, smart mobile phones (many with cameras built in), wireless adapters, Bluetooth devices and digital cameras. The two common themes in the above list are memory capacity and data connectivity, and those two ingredients can add up to significant security risks for your business.

Now, I'm as much a "gadget guy" as anyone I know, and truth be told, there is great business benefit to be gained from most of these devices. PDAs can be enormously useful at organizing a busy business, along with schedules and priorities, both professional and personal. USB memory sticks have all but done away with floppy and Zip disks. Even those personal MP3 players can make long business flights a little less intolerable -- trust me!

You can be sure that corporate users are going to try to integrate these cool devices into their work lives. Your job is to enable that to happen -- to the extent that you feel is reasonable -- while safeguarding your company's business concerns. So, just what are the threats from these devices? Let's take a quick look and separate the reality from the FUD (Fear, Uncertainty, and Doubt) that litters the popular press.

  • The storage devices in the above list carry two primary risks: theft of company information and insertion of unauthorized, possibly malicious, software. Storage devices have gotten smaller in size and larger in capacity. I carry a 1 G USB stick with me that is about the size of a pen cap. When you combine that with the lightning fast USB 2.0 interface, you have a device that would enable a criminal to steal your company's data very quickly and with little chance of being noticed.

  • Regarding the risk of inserting unauthorized software, there is the "autorun" facility provided by many Windows-based operating systems. (Autorun looks at a file called "autorun.inf" on the drive, and executes the commands in it.) Disabling autorun is quick, easy, and well documented, but doing so for a USB drive might cause difficulties, if the device driver doesn't load.

  • The main risk from unauthorized wireless devices is that the user may well be opening up connectivity to your company's network, completely bypassing any firewall or other policy-enforcing mechanisms. That can result in theft of data, theft of service, etc.

All of these risks are quite real.

The likelihood of them affecting your company depends on a whole bunch of things. Without a doubt, the decision of whether or not to accept these devices in the workplace must be made by each company after carefully considering the potential benefits of allowing these gadgets against the potential risks they would carry.

There are a few things that you can consider doing, however, that should reduce -- although not eliminate -- the risks. Here's my list:

  • Disable autorun. Many IT Security people consider this to be mandatory in tightening a Windows system. As I mentioned above, it may lead to some difficulties with USB drives, but it does at least provide a first level of protection against running rogue software on a system.

  • Access control. Restricting access to resources (e.g., USB ports) is bound to be an unpopular decision among your users, but in some environments it may be justified.

  • Event monitoring. If restricting access isn't feasible in your environment, consider rigorous event monitoring (and centralized collection/analysis) of user activity on USB ports and devices. It requires you to have monitoring infrastructure in place, but that might be a lot easier to do than explaining to the VP why she can't use her new USB drive. And, of course, it's much easier on desktop systems than on laptops and notebooks...

  • Compartmentalize the risks. If all of the above are completely unacceptable to you, then consider setting up a designated workstation where users can plug in their USB devices. That system should be hardened and closely monitored, but it would isolate the threat to one system. (This is assuming that USB hardware is disabled/removed on all other systems.)

  • Wireless device detectors. There are now several products on the market that can help you detect unauthorized devices the moment they are turned on. Some will even actively prevent the unauthorized devices from functioning. Then, once the device configurations are reviewed and approved, they can be added to the authorized list.

  • Policies. A good set of policies is a good idea irrespective of what you're doing about USB and wireless devices. They should include policies on acceptable computer/network use, cameras, personal devices, remote connectivity, etc.

It should be obvious that this list is just a quick "fly by" of some of the possible remediations that you can consider. And, of course, there's no substitute for other good computing hygiene practices, such as anti-virus software and personal firewall devices.

The main point I'm trying to make is that the gadgets are inevitable. Ignoring them won't make them go away.

Similarly, there aren't any perfect solutions that remove all of the threats that go along with them. But your users are going to want to use them, for good and valuable business reasons in many cases. You can prohibit them if that's what your computing environment requires, or you can find ways to reduce the risk and embrace them.

As for me, you'd have to pry my PDA and USB drive from my cold, dead hands.
