Portable Peril

May 1, 2006 12:00 PM, By Sandra Kay Miller



IT IS SAFE TO SAY there are plenty of tools on the market to secure data on laptops — personal firewalls, portable firewalls, encryption hardware and software to name a few. But shrinking digital devices with growing storage space have given rise to sensitive data being stored on ultra-portable devices, such as PDAs, smart phones, flash drives and even portable music players, which now also feature calendar and address book functionalities. Unfortunately, these devices are often devoid of security.

“Five years ago, the logistics of someone downloading all the source code for our projects and walking out the door was unthinkable. Now most of my developers are plugged into 40-gigabyte iPods while they work. I am dealing with the reality of letting my workers rock out or banning their iPods because they pose a very real security risk for my organization,” says the head of a programming team at a large petroleum company's exploration division.

Bruce Schneier, author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World and CTO of Counterpane Internet Security, agrees. He says with today's storage capabilities, the potential to lose a colossal amount of information is real. “Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I would never know it,” Schneier says. Unfortunately, there is no easy resolution to the problem.

Protection and prevention

Two issues need to be addressed when it comes to ultra-portable device security. One is securing the device itself, and the other is whether to allow the device to attach to corporate assets.

Schneier says there are basically two ways to protect data on ultra-portable devices: Secure the data on the device or delete the data if the device is stolen or lost.

With USB flash drives ranging in size from 64 MB to 60 GB — all small enough to fit into a pants pocket — vendors have begun to integrate on-board security into these storage devices, with encryption being the most common. Starting at less than $50, the KanguruMicro USB Flash Drive meets federal requirements for protecting sensitive data and information through 256-bit AES encryption. The big drawback, however, is that KanguruMicro's encryption feature does not work with Linux or Macintosh.

Portable storage vendor Memory Experts International (MXI) recently introduced a ruggedized, portable hard disk drive using two-factor authentication with biometric access control and user password.

Organizations that use ultra-portables to carry sensitive data or information covered by regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley must go a step further and employ new technologies that automatically delete the data on these devices either after repeated failed logon attempts or when the device has not been accessed for a set period of time.

Given the fledgling ultra-portable device security market, adoption of these practices and technologies will rise as users' eyes are opened — often after a security incident occurs. Schneier suggests regularly deleting old e-mails, text messages and old data from electronic address books on PDAs and smart phones. The call log should also be purged regularly. “I do not think we can make these devices harder to lose; that's a human problem and not a technological one. But we can make the loss just cost money, not privacy,” Schneier says.

Musical threats

Another aspect of the ultra-portable security issue is widespread use of massive storage devices — especially portable music players — that can fit in the palm of a hand or a coat pocket. One manager feared a mass exodus of his programmers when he first broached the subject of restricting iPods in the workplace. “I was a bit shocked to learn that for some time many of my programmers had been using them [iPods] for backups of their work as well as transporting company files to work or at home instead of using their corporate-issue laptops,” he admits.

However, it may not be the risk associated with losing source code that prompted concerns about portable music players in a workplace. Earlier this year, at the RSA Conference, one company shared how it landed in hot water with the Recording Industry Association of America (RIAA) over copyrighted media being distributed and stored through its corporate network.

If a team member's iPod is regularly attached to a company network, copyrighted materials could be illegally exchanged or stored internally, thus putting the company at risk.

A compromise is to proactively set a security policy in which programmers are allowed to bring their iPods to work and listen to music; however, they are no longer permitted to attach them to any corporate assets. Enforcement is important: The first time any member of a team is caught violating the policy, everyone should lose the ability to bring their iPod or any other personal portable digital music player to work.

A small team may be easy to police; however, for organizations that need more physical control over digital assets, Centennial Software has introduced DeviceWall — a policy-based endpoint security product. “We are finding that organizations have a significant need to protect their internal networks against data leakage as well as to prevent the introduction of viruses, worms and inappropriate content,” says Brian McCarthy, vice president of marketing at Centennial Software.

With DeviceWall, organizations no longer have to rely on written policy alone. The software stops all USB portable storage devices from actively connecting to a company-owned asset running the DeviceWall agent. “Some companies have even gone so far as to insert glue into the USB ports in order to permanently disable them, but that does not make sense considering the loss of resources,” McCarthy says. He explains that DeviceWall offers organizations the ability to manage and audit the connection of portable media devices and to disable both external and internal communication devices including printers, modems and Bluetooth connections.

Administrators can selectively or collectively assign users' rights. For easier configuration, DeviceWall supports Microsoft Active Directory, from which users and groups can be inherited. Robust policies include device “whitelists,” meaning that an organization can allow the use of a particular brand of company-issued USB flash drive while preventing the connection of any other device inserted into the USB port. Individuals and groups can be assigned different access rights to meet specific needs. Detailed logging of all connections — both successful and failed attempts — creates an audit trail.
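The policy model described above (default deny, a whitelist for the company-issued drive, rights that differ by group, and a log of every attempt) can be sketched in a few lines. This is an added illustration, not DeviceWall's code or configuration format; the group names, the vendor ID `abcd` for the company-issued drive and the sample events are all constructed.

```python
from dataclasses import dataclass

# Access levels, ordered so the most permissive matching rule wins.
DENY, READ_ONLY, READ_WRITE = 0, 1, 2
LABELS = ("DENY", "READ_ONLY", "READ_WRITE")

@dataclass(frozen=True)
class Rule:
    group: str         # directory group the rule applies to
    device_class: str  # e.g. "usb-storage", "printer"
    vendor_id: str     # USB vendor ID in hex, or "*" for any vendor
    access: int

# Constructed policy: only the company-issued drive (hypothetical vendor ID
# "abcd") is whitelisted; engineering may write to it, other staff may read.
POLICY = [
    Rule("all-staff", "usb-storage", "abcd", READ_ONLY),
    Rule("engineering", "usb-storage", "abcd", READ_WRITE),
    Rule("all-staff", "printer", "*", READ_WRITE),
]

def decide(user_groups, device_class, vendor_id, policy=POLICY):
    """Return the highest access any of the user's groups grants (default deny)."""
    granted = DENY
    for rule in policy:
        if (rule.group in user_groups and rule.device_class == device_class
                and rule.vendor_id in ("*", vendor_id.lower())):
            granted = max(granted, rule.access)
    return granted

def audit(events, directory, policy=POLICY):
    """Evaluate each connection attempt and record it, allowed or denied."""
    trail = []
    for ts, user, device_class, vendor_id in events:
        groups = directory.get(user, set())  # unknown users get no groups
        access = decide(groups, device_class, vendor_id, policy)
        trail.append({"time": ts, "user": user, "class": device_class,
                      "vendor": vendor_id.lower(), "result": LABELS[access]})
    return trail

# Constructed directory and connection events.
DIRECTORY = {"alice": {"all-staff", "engineering"}, "bob": {"all-staff"}}
EVENTS = [
    ("2006-05-01T09:00", "alice", "usb-storage", "ABCD"),
    ("2006-05-01T09:05", "bob", "usb-storage", "abcd"),
    ("2006-05-01T09:10", "alice", "usb-storage", "05ac"),    # personal music player
    ("2006-05-01T09:15", "mallory", "usb-storage", "abcd"),  # user not in directory
]

if __name__ == "__main__":
    for record in audit(EVENTS, DIRECTORY):
        print(record)
```

The denied attempts land in the same trail as the allowed ones, which is what makes the log useful for spotting repeated attempts to attach unapproved devices.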

Mobile malware

In a recent survey of 600 information technology workers, Good Technologies found that as the use of handheld computing devices grows in the enterprise, so does the fear of malware infecting those devices. Although the first mobile-phone-specific virus, “Cabir,” was reported in October 2004, the predicted plague of viruses specific to mobile devices has yet to materialize. However, ultra-portable devices are still capable of introducing malware — especially worms — onto private networks because they bypass traditional antivirus software, which is most often installed at a network's gateway or mail server.

Additionally, spyware such as keystroke loggers can reside on an ultra-portable device without the owner's knowledge.


© 2008 Penton Media Inc.
