Viruses sneaking onto the network and wreaking havoc with files, deleting information and causing downtime. Critical financial information stolen and sold to competitors.
Sound like the work of band of hackers? Well, not necessarily. All of this could be done by a single employee plugging his iPod or memory stick into a USB port on his desktop.
”Most of the keychain devices you can buy for $39 will hold our whole accounting system and much of our file system,” says Mike Heffernan computer operations manager for Gardina, Calif.-based Administrative Services Co-operative, which handles administrative and IT operations for five cab companies, including the well-known Yellow Cab. ”Our network could be taken down by a virus that comes in from an unexpected direction. Your cell phone can get a virus… I can’t allow someone to walk in here and plug in something I don’t know about. It’s just too dangerous.”
Heffernan had long made it general practice to disable the USB ports on any of the desktops and laps that the company’s 300 employees use to run the financials and insurance and manage the call center for 1,300 cabbies. The best way to secure what was coming and going through those ports was to shut them down.
But as they started getting USB-only keyboards and mice, keeping the USB ports disabled was becoming increasingly difficult to do.
”About a year or so ago, things started showing up that were USB-required, like our fingerprint scanners,” says Heffernan. ”All of a sudden, I started getting USB devices. We use digital cameras here and now they’re USB. Now we’re getting some USB-only mice and keyboards. People have to do their jobs and in order to do that they need USB ports. But still I have to protect the network.”
Heffernan knew he needed to start enabling some of these ports, but he wasn’t about to do it until he had security in place.
That’s when he turned to U.K.-based Centennial Software, a network security company that specializes in detecting and managing media devices. Heffernan installed Centennial’s DeviceWall product on his network, placing an agent on every desktop and laptop. The agent allows IT to control whether or not an individual user is authorized to use a removable media device — whether it’s an iPod, a PalmPilot, a memory stick or a smart phone.
Brant Hubbard, general manager of Centennial Software, says DeviceWall is designed to allow IT managers to control user access individually or as a group. For instance, IT could specify that the CEO can connect a memory stick or his smart phone to a USB port but no one else in the company could do the same. IT also could set it so everyone in sales can use a memory stick and the two people who head up engineering could connect their PDAs.
Being able to control who can connect what to their computer is a critical security problem, according to Hubbard, who adds that Centennial recently did a survey on the issue.
The survey shows that 90 percent say they connect a device through their USB port to a company-owned machine once a week. And 51 percent say there were unaware of the security risks posed by iPods. ”The iPod is just like a storage device as far as your machine is concerned,” says Hubbard. ”You could move any kind of data you want onto your iPod in just a few minutes.”
Love of Gadgets vs. Security
Ken van Wyk, principal consultant for KRvW Associates, LLC and a columnist for eSecurityPlanet, says it’s a good move whenever IT can take more control over what is plugged into their network, along with getting more visibility into what users are up to. But a read gadget junkie himself, he says he hates to think about not being able to plug his own toys into his machine.
”I love these gadgets,” says van Wyk, who notes that to make this work, IT managers have to be careful not to give users administrative rights. ”I rely on these things because I’m on the road a lot. I understand the productivity gains from being able to use these things. But I know there’s a lot of things you could do bad to a company with a little memory stick.
”It can protect against mistakes,” he adds. ”And if there are truly devices you don’t want on your network, then you can prevent the vast majority of users from plugging in. I’m against that kind of policy decision, but if it’s your policy, it sounds like this will do a pretty good job of enforcing it.”
And enforcement is just what Heffernan is looking for.
”I don’t think it occurs to management that this stuff is dangerous,” says Heffernan. ”When I told our CFO that an iPod that plays music could be used to steal our data, it confused him. He couldn’t figure it out. I told him it makes perfect sense. It’s all digital. He was startled. In all honesty, it had not occurred to him.”
But it occurred to Heffernan several years ago after workers in his company made an interesting find in an old police car.
Administrative Services Co-Op buys salvaged police cars and turns them into taxi cabs. A few years, workers were tearing apart an old cop car when they found a small keychain device — a memory stick. They brought the device to Heffernan who found suspects’ names, arrest records, addresses and Social Security numbers on it.
”It had apparently fallen out of some cop’s pocket and now it was in my hands,” says Heffernan. ”That’s the problem. That’s when the light bulb went on for me. I thought that I better start protecting these USB ports.”