The hottest gadgets, including the popular Apple iPod, pose a big risk to
enterprise networks, according to security experts.

“As innocent as MP3 players and digital cameras look, when you look
under the hood, they could be risky,” says Jeff Falcon, a security
engineer at CDW, Inc., a technology consultancy and retailer in Vernon
Hills, Ill.

Gadgets like these pose two major challenges for IT managers: security
and resource utilization. The plug-and-play nature of the devices — many
of which feature hard drives that connect to USB ports — puts corporate
data at risk, while the applications, bandwidth and storage necessary to
run the devices drain network resources.

“The applications and files associated with the applications can be
huge,” Falcon says.

While IT managers may be tempted to lock down all USB ports to shore up
their networks, Falcon says this drastic approach can have drawbacks,
such as blocking legitimate business users.

“Disabling USB ports is not the end-all, be-all as users can just hook
in via other ports,” he adds.

Instead, IT managers should employ a combination of technology and
enforceable acceptable-use policies. “You should use network assessment
tools, as well as user education,” he says.

It’s a strategy that Joanne Kossuth, the chief information officer at
Franklin W. Olin College of Engineering in Needham, Mass., strictly
abides by.

Kossuth says banning gadgets poses a challenge in her college environment
as some of the latest devices are used as educational tools. “It is very
difficult to block users from using gadgets at work. Increasingly, there
is a fine line between a gadget and a work tool,” she says.

For instance, iPods are used to listen to required podcasts and digital
cameras enable instructors to capture and share collaborative work on
blackboards. “In my view, it is unrealistic to think you can block
all of these types of devices,” she says.

Kossuth makes all network users sign a policy that outlines what devices
are acceptable. She also “actively performs intrusion detection and
logging on the network, as well as traffic shaping” to make sure
unwanted devices are not connecting to the enterprise.

While she says this keeps her network safe, she admits that the
proliferation of devices will require heightened security.

“There is a value to hackers to find ways to procure data from these
devices so we will see more attacks designed for them,” says Kossuth.

“Given the small size of the devices and the probability that they will
be stolen, we need to pay more attention to data encryption, strong
authentication and the ability to remotely wipe data from lost devices.”

For Rusty Bruns, chief information officer at Charleston Southern
University in South Carolina, the device threat is compounded by users
who want to create their own personal networks that connect to the
enterprise. “My biggest concern is personal hubs/switches that are added
when a user decides to start their own personal network with these
gadgets. This slows [our] network down,” he says.

He adds that the onus is on IT to make sure users understand the
seriousness of this threat. “We have a written policy and all users are
required to read and sign the policy. [It states that] adding personal
equipment to the network is forbidden,” he says.

But policies have to have teeth, he warns.

“Enforceable policies with consequences work very well as long as the
technology manager has the authority to revoke network privileges based
on [misuse]. I have the backing of my president and provost to run a
safe/secure network,” Bruns says.

To make sure that no unwanted devices are on the network, experts say
it’s important to constantly monitor ports.

“You need to be able to identify where devices have already been hooked
on and where applications have been installed,” says Howie Hecht, senior
product manager at virtualization software maker Altiris, Inc. in
Newton, Mass.

Hecht says it’s also important to audit the network based on policies
organizations have in place. If a violation is found, he says you can
either ask the user to remove the device and application or use tools,
like Altiris’ suite, to remotely uninstall and block future use of the
application. Tools can be used to limit use by file type, such as mp3 or
jpeg, and size.

Hecht adds that while he tends to take the hard line on security, IT
managers must match policies and enforcement to their individual
environments.

A key to this is being willing to update policies if a trend is noticed
in reporting. For instance, if Palm technology is acceptable, but audit
software turns up increasing iPaq use, then IT groups might consider
adding iPaqs to their list of acceptable devices.

“There is a people aspect to this,” says Hecht. “Your employees are
spending 13 hours in front of the computer, so it might be good to be
flexible.”