Hot Gadgets Pose Serious Security Risks

The hottest gadgets, including the popular Apple iPod, pose a big risk to

enterprise networks, according to security experts.

”As innocent as MP3 players and digital cameras look, when you look

under the hood, they could be risky,” says Jeff Falcon, a security

engineer at CDW, Inc., a technology consultancy and retailer in Vernon

Hills, Ill.

Gadgets like these pose two major challenges for IT managers: security

and resource utilization. The plug-and-play nature of the devices — many

of which feature hard drives that connect to USB ports — puts corporate

data at risk, while the applications, bandwidth and storage necessary to

run the devices drain network resources.

”The applications and files associated with the applications can be

huge,” Falcon says.

While IT managers may be tempted to lock down all USB ports to shore up

their networks, Falcon says this drastic approach can have drawbacks,

such as blocking legitimate business users.

”Disabling USB ports is not the end-all, be-all as users can just hook

in via other ports,” he adds.

Instead, IT managers should employ a combination of technology and

enforceable acceptable-use policies. ”You should use network assessment

tools, as well as user education,” he says.

It’s a strategy that Joanne Kossuth, the chief information officer at

Franklin W. Olin College of Engineering in Needham, Mass., strictly

abides by.

Kossuth says banning gadgets poses a challenge in her college environment

as some of the latest devices are used as educational tools. ”It is very

difficult to block users from using gadgets at work. Increasingly, there

is a fine line between a gadget and a work tool,” she says.

For instance, iPods are used to listen to required podcasts and digital

cameras enable instructors to capture and share collaborative work on

blackboards. ”In my view, it is unrealistic to think can you can block

all of these types of devices,” she says.

Kossuth makes all network users sign a policy that outlines what devices

are acceptable. She also ”actively performs intrusion detection and

logging on the network, as well as traffic shaping” to make sure

unwanted devices are not connecting to the enterprise.

While she says this keeps her network safe, she admits that the

proliferation of devices will require heightened security.

”There is a value to hackers to find ways to procure data from these

devices so we will see more attacks designed for them,” says Kossuth.

”Given the small size of the devices and the probability that they will

be stolen, we need to pay more attention to data encryption, strong

authentication and the ability to remotely wipe data from lost devices.”

For Rusty Bruns, chief information officer at Charleston Southern

University in South Carolina, the device threat is compounded by users

who want to create their own personal networks that connect to the

enterprise. ”My biggest concern is personal hubs/switches that are added

when a user decides to start their own personal network with these

gadgets. This slows [our] network down,” he says.

He adds that the onus is on IT to make sure users understand the

seriousness of this threat. ”We have a written policy and all users are

required to read and sign the policy. [It states that] adding personal

equipment to the network is forbidden,” he says.

But policies have to have teeth, he warns.

”Enforceable policies with consequences work very well as long as the

technology manager has the authority to revoke network privileges based

on [misuse]. I have the backing of my president and provost to run a

safe/secure network,” Bruns says.

To make sure that no unwanted devices are on the network, experts say

it’s important to constantly monitor ports.

”You need to be able to identify where devices have already been hooked

on and where applications have been installed,” says Howie Hecht, senior

product manager at virtualization software maker Altiris, Inc. in

Newton, Mass.

Hecht says it’s also important to audit the network based on policies

organizations have in place. If a violation is found, he says you can

either ask the user to remove the device and application or use tools,

like Altiris’ suite, to remotely uninstall and block future use of the

application. Tools can be used to limit use by file type, such as mp3 or

jpeg, and size.

Hecht adds that while he tends to take the hard line on security, IT

managers must match policies and enforcement to their individual

environments.

A key to this is being willing to update policies if a trend is noticed

in reporting. For instance, if Palm technology is acceptable, but audit

software turns up increasing iPaq use, then IT groups might consider

adding iPaqs to their list of acceptable devices.

”There is a people aspect to this,” says Hecht. ”Your employees are

spending 13 hours in front of the computer, so it might be good to be

flexible.”

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020