Protecting the Enterprise from Users' New, Cool Tools

As employees head back to the office, many of them will be coming in with new, cool gadgets in hand -- straight from Santa's sack. Could these new smart phones, PDAs and MP3 players be a security risk? Yes, they can, and here's what to do about it.
As you read this, users are winding up their holidays and heading back to the office. The trouble is that they're bringing security risks with them -- you can count on it.

That is, all those users are bringing all the cool new electronic gadgets they received as holiday gifts.

The cool gadgets this year span a broad spectrum: PDAs, USB memory sticks, personal MP3/media players, smart mobile phones (many with cameras built in), wireless adapters, Bluetooth devices and digital cameras. The two common themes in the above list are memory capacity and data connectivity, and those two ingredients can add up to significant security risks for your business.

Now, I'm as much a ''gadget guy'' as anyone I know, and truth be told, there is great business benefit to be gained from most of these devices. PDAs can be enormously useful at organizing a busy business, along with schedules and priorities, both professional and personal. USB memory sticks have all but done away with floppy and Zip disks. Even those personal MP3 players can make long business flights a little less intolerable -- trust me!

You can be sure that corporate users are going to try to integrate these cool devices into their work lives. Your job is to enable that to happen -- to the extent that you feel is reasonable, -- while safeguarding your company's business concerns. So, just what are the threats from these devices? Let's take a quick look and separate the reality from the FUD (Fear, Uncertainty, and Doubt) that litters the popular press.

  • The storage devices in the above list carry two primary risks: theft of company information and insertion of unauthorized, possibly malicious, software. Storage devices have gotten smaller in size and larger in capacity. I carry a 1 G USB stick with me that is about the size of a pen cap. When you combine that with the lightning fast USB 2.0 interface, you have a device that would enable a criminal to steal your company's data very quickly and with little chance of being noticed.

  • Regarding the risk of inserting unauthorized software, there is the ''autorun'' facility provided by many Windows-based operating systems. (Autorun looks at a file called ''autorun.inf'' on the drive, and executes the commands in it.) Disabling autorun is quick, easy, and well documented, but doing so for a USB drive might cause difficulties, if the device driver doesn't load.

  • The main risk from unauthorized wireless devices is that the user may well be opening up connectivity to your company's network, completely bypassing any firewall or other policy-enforcing mechanisms. That can result in theft of data, theft of service, etc.

    All of these risks are quite real.

    The likelihood of them affecting your company depends on a whole bunch of things. Without a doubt, the decision of whether or not to accept these devices in the workplace must be made by each company after carefully considering the potential benefits of allowing these gadgets against the potential risks they would carry.

    There are a few things that you can consider doing, however, that should reduce -- although not eliminate -- the risks. Here's my list:

  • Disable autorun. Many IT Security people consider this to be mandatory in tightening a Windows system. As I mentioned above, it may lead to some difficulties with USB drives, but it does at least provide a first level of protection against running rogue software on a system.

  • Access control. Restricting access to resources (e.g., USB ports) is bound to be an unpopular decision among your users, but in some environments it may be justified.

  • Event monitoring. If restricting access isn't feasible in your environment, consider rigorous event monitoring (and centralized collection/analysis) of user activity on USB ports and devices. It requires you to have monitoring infrastructure in place, but that might be a lot easier to do than explaining to the VP why she can't use her new USB drive. And, of course, it's much easier on desktop systems than on laptops and notebooks...

  • Compartmentalize the risks. If all of the above are completely unacceptable to you, then consider setting up a designated workstation where users can plug in their USB devices. That system should be hardened and closely monitored, but it would isolate the threat to one system. (This is assuming that USB hardware is disabled/removed on all other systems.)

  • Wireless device detectors. There are now several products on the market that can help you detect unauthorized devices the moment they are turned on. Some will even actively prevent the unauthorized devices from functioning. Then, once the device configurations are reviewed and approved, they can be added to the authorized list.

  • Policies. A good set of policies is a good idea irrespective of what you're doing about USB and wireless devices. They should include policies on acceptable computer/network use, cameras, personal devices, remote connectivity, etc.

    It should be obvious that this list is just a quick ''fly by'' of some of the possible remediations that you can consider. And, of course, there's no substitute for other good computing hygiene practices, such as anti-virus software and personal firewall devices.

    The main point I'm trying to make is that the gadgets are inevitable. Ignoring them won't make them go away.

    Similarly, there aren't any perfect solutions that remove all of the threats that go along with them. But your users are going to want to use them, for good and valuable business reasons in many cases. You can prohibit them if that's what your computing environment requires, or you can find ways to reduce the risk and embrace them.

    As for me, you'd have to pry my PDA and USB drive from my cold, dead hands.

  • 0 Comments (click to add your comment)
    Comment and Contribute


    (Maximum characters: 1200). You have characters left.