Friday, June 18, 2021

Hot Gadgets Pose Serious Security Risks

The hottest gadgets, including the popular Apple iPod, pose a big risk to

enterprise networks, according to security experts.

”As innocent as MP3 players and digital cameras look, when you look

under the hood, they could be risky,” says Jeff Falcon, a security

engineer at CDW, Inc., a technology consultancy and retailer in Vernon

Hills, Ill.

Gadgets like these pose two major challenges for IT managers: security

and resource utilization. The plug-and-play nature of the devices — many

of which feature hard drives that connect to USB ports — puts corporate

data at risk, while the applications, bandwidth and storage necessary to

run the devices drain network resources.

”The applications and files associated with the applications can be

huge,” Falcon says.

While IT managers may be tempted to lock down all USB ports to shore up

their networks, Falcon says this drastic approach can have drawbacks,

such as blocking legitimate business users.

”Disabling USB ports is not the end-all, be-all as users can just hook

in via other ports,” he adds.

Instead, IT managers should employ a combination of technology and

enforceable acceptable-use policies. ”You should use network assessment

tools, as well as user education,” he says.

It’s a strategy that Joanne Kossuth, the chief information officer at

Franklin W. Olin College of Engineering in Needham, Mass., strictly

abides by.

Kossuth says banning gadgets poses a challenge in her college environment

as some of the latest devices are used as educational tools. ”It is very

difficult to block users from using gadgets at work. Increasingly, there

is a fine line between a gadget and a work tool,” she says.

For instance, iPods are used to listen to required podcasts and digital

cameras enable instructors to capture and share collaborative work on

blackboards. ”In my view, it is unrealistic to think can you can block

all of these types of devices,” she says.

Kossuth makes all network users sign a policy that outlines what devices

are acceptable. She also ”actively performs intrusion detection and

logging on the network, as well as traffic shaping” to make sure

unwanted devices are not connecting to the enterprise.

While she says this keeps her network safe, she admits that the

proliferation of devices will require heightened security.

”There is a value to hackers to find ways to procure data from these

devices so we will see more attacks designed for them,” says Kossuth.

”Given the small size of the devices and the probability that they will

be stolen, we need to pay more attention to data encryption, strong

authentication and the ability to remotely wipe data from lost devices.”

For Rusty Bruns, chief information officer at Charleston Southern

University in South Carolina, the device threat is compounded by users

who want to create their own personal networks that connect to the

enterprise. ”My biggest concern is personal hubs/switches that are added

when a user decides to start their own personal network with these

gadgets. This slows [our] network down,” he says.

He adds that the onus is on IT to make sure users understand the

seriousness of this threat. ”We have a written policy and all users are

required to read and sign the policy. [It states that] adding personal

equipment to the network is forbidden,” he says.

But policies have to have teeth, he warns.

”Enforceable policies with consequences work very well as long as the

technology manager has the authority to revoke network privileges based

on [misuse]. I have the backing of my president and provost to run a

safe/secure network,” Bruns says.

To make sure that no unwanted devices are on the network, experts say

it’s important to constantly monitor ports.

”You need to be able to identify where devices have already been hooked

on and where applications have been installed,” says Howie Hecht, senior

product manager at virtualization software maker Altiris, Inc. in

Newton, Mass.

Hecht says it’s also important to audit the network based on policies

organizations have in place. If a violation is found, he says you can

either ask the user to remove the device and application or use tools,

like Altiris’ suite, to remotely uninstall and block future use of the

application. Tools can be used to limit use by file type, such as mp3 or

jpeg, and size.

Hecht adds that while he tends to take the hard line on security, IT

managers must match policies and enforcement to their individual

environments.

A key to this is being willing to update policies if a trend is noticed

in reporting. For instance, if Palm technology is acceptable, but audit

software turns up increasing iPaq use, then IT groups might consider

adding iPaqs to their list of acceptable devices.

”There is a people aspect to this,” says Hecht. ”Your employees are

spending 13 hours in front of the computer, so it might be good to be

flexible.”

Similar articles

Latest Articles

GDPR Compliance & Requirements...

The General Data Protection Regulation (GDPR) has positioned itself as one of the strictest laws for the privacy of consumer data, and it's still...

HIPAA Compliance & Regulations...

The Health Insurance Portability and Accountability Act (HIPAA) is one of the most well-known pieces of legislation in health care and related industries. But...

Top Data Visualization Tools...

The amount of data generated and consumed by organizations is growing at an astounding rate. The total volume of data and information worldwide has...

The Data Capture Market

Data capture is the process of collecting, ingesting, or otherwise acquiring structured and unstructured data and either converting it into a data format usable...