Hot Gadgets Pose Serious Security Risks

Does it seem like iPods and MP3 players are everywhere these days? Well, think about the damage they could inflict on your network. They could be cutting holes in your security.
The hottest gadgets, including the popular Apple iPod, pose a big risk to enterprise networks, according to security experts.

''As innocent as MP3 players and digital cameras look, when you look under the hood, they could be risky,'' says Jeff Falcon, a security engineer at CDW, Inc., a technology consultancy and retailer in Vernon Hills, Ill.

Gadgets like these pose two major challenges for IT managers: security and resource utilization. The plug-and-play nature of the devices -- many of which feature hard drives that connect to USB ports -- puts corporate data at risk, while the applications, bandwidth and storage necessary to run the devices drain network resources.

''The applications and files associated with the applications can be huge,'' Falcon says.

While IT managers may be tempted to lock down all USB ports to shore up their networks, Falcon says this drastic approach can have drawbacks, such as blocking legitimate business users.

''Disabling USB ports is not the end-all, be-all as users can just hook in via other ports,'' he adds.

Instead, IT managers should employ a combination of technology and enforceable acceptable-use policies. ''You should use network assessment tools, as well as user education,'' he says.

It's a strategy that Joanne Kossuth, the chief information officer at Franklin W. Olin College of Engineering in Needham, Mass., strictly abides by.

Kossuth says banning gadgets poses a challenge in her college environment as some of the latest devices are used as educational tools. ''It is very difficult to block users from using gadgets at work. Increasingly, there is a fine line between a gadget and a work tool,'' she says.

For instance, iPods are used to listen to required podcasts and digital cameras enable instructors to capture and share collaborative work on blackboards. ''In my view, it is unrealistic to think you can block all of these types of devices,'' she says.

Kossuth makes all network users sign a policy that outlines what devices are acceptable. She also ''actively performs intrusion detection and logging on the network, as well as traffic shaping'' to make sure unwanted devices are not connecting to the enterprise.

While she says this keeps her network safe, she admits that the proliferation of devices will require heightened security.

''There is a value to hackers to find ways to procure data from these devices so we will see more attacks designed for them,'' says Kossuth. ''Given the small size of the devices and the probability that they will be stolen, we need to pay more attention to data encryption, strong authentication and the ability to remotely wipe data from lost devices.''

For Rusty Bruns, chief information officer at Charleston Southern University in South Carolina, the device threat is compounded by users who want to create their own personal networks that connect to the enterprise. ''My biggest concern is personal hubs/switches that are added when a user decides to start their own personal network with these gadgets. This slows [our] network down,'' he says.

He adds that the onus is on IT to make sure users understand the seriousness of this threat. ''We have a written policy and all users are required to read and sign the policy. [It states that] adding personal equipment to the network is forbidden,'' he says.

But policies have to have teeth, he warns.

''Enforceable policies with consequences work very well as long as the technology manager has the authority to revoke network privileges based on [misuse]. I have the backing of my president and provost to run a safe/secure network,'' Bruns says.

To make sure that no unwanted devices are on the network, experts say it's important to constantly monitor ports.

''You need to be able to identify where devices have already been hooked on and where applications have been installed,'' says Howie Hecht, senior product manager at virtualization software maker Altiris, Inc. in Newton, Mass.

Hecht says it's also important to audit the network based on policies organizations have in place. If a violation is found, he says you can either ask the user to remove the device and application or use tools, like Altiris' suite, to remotely uninstall and block future use of the application. Tools can be used to limit use by file type, such as mp3 or jpeg, and size.

Hecht adds that while he tends to take the hard line on security, IT managers must match policies and enforcement to their individual environments.

A key to this is being willing to update policies if a trend is noticed in reporting. For instance, if Palm technology is acceptable, but audit software turns up increasing iPaq use, then IT groups might consider adding iPaqs to their list of acceptable devices.

''There is a people aspect to this,'' says Hecht. ''Your employees are spending 13 hours in front of the computer, so it might be good to be flexible.''





