Sunday, June 20, 2021

Protecting the Enterprise from Users’ New, Cool Tools

As you read this, users are winding up their holidays and heading back to the office. The trouble is that they’re bringing security risks with them — you can count on it.

That is, all those users are bringing all the cool new electronic gadgets they received as holiday gifts.

The cool gadgets this year span a broad spectrum: PDAs, USB memory sticks, personal MP3/media players, smart mobile phones (many with cameras built in), wireless adapters, Bluetooth devices and digital cameras. The two common themes in the above list are memory capacity and data connectivity, and those two ingredients can add up to significant security risks for your business.

Now, I’m as much a “gadget guy” as anyone I know, and truth be told, there is great business benefit to be gained from most of these devices. PDAs can be enormously useful at organizing a busy business, along with schedules and priorities, both professional and personal. USB memory sticks have all but done away with floppy and Zip disks. Even those personal MP3 players can make long business flights a little less intolerable — trust me!

You can be sure that corporate users are going to try to integrate these cool devices into their work lives. Your job is to enable that to happen — to the extent that you feel is reasonable — while safeguarding your company’s business concerns. So, just what are the threats from these devices? Let’s take a quick look and separate the reality from the FUD (Fear, Uncertainty, and Doubt) that litters the popular press.

  • The storage devices in the above list carry two primary risks: theft of company information and insertion of unauthorized, possibly malicious, software. Storage devices have gotten smaller in size and larger in capacity. I carry a 1 GB USB stick with me that is about the size of a pen cap. When you combine that with the lightning-fast USB 2.0 interface, you have a device that would enable a criminal to steal your company’s data very quickly and with little chance of being noticed.

  • Regarding the risk of inserting unauthorized software, there is the “autorun” facility provided by many Windows-based operating systems. (Autorun looks at a file called “autorun.inf” on the drive and executes the commands in it.) Disabling autorun is quick, easy, and well documented, but doing so for a USB drive might cause difficulties if the device driver doesn’t load.

  • The main risk from unauthorized wireless devices is that the user may well be opening up connectivity to your company’s network, completely bypassing any firewall or other policy-enforcing mechanisms. That can result in theft of data, theft of service, etc.

All of these risks are quite real. The likelihood of them affecting your company depends on a whole bunch of things. Without a doubt, the decision of whether or not to accept these devices in the workplace must be made by each company after carefully considering the potential benefits of allowing these gadgets against the potential risks they would carry.

There are a few things that you can consider doing, however, that should reduce — although not eliminate — the risks. Here’s my list:

  • Disable autorun. Many IT Security people consider this to be mandatory in tightening a Windows system. As I mentioned above, it may lead to some difficulties with USB drives, but it does at least provide a first level of protection against running rogue software on a system.

  • Access control. Restricting access to resources (e.g., USB ports) is bound to be an unpopular decision among your users, but in some environments it may be justified.

  • Event monitoring. If restricting access isn’t feasible in your environment, consider rigorous event monitoring (and centralized collection/analysis) of user activity on USB ports and devices. It requires you to have monitoring infrastructure in place, but that might be a lot easier to do than explaining to the VP why she can’t use her new USB drive. And, of course, it’s much easier on desktop systems than on laptops and notebooks…

  • Compartmentalize the risks. If all of the above are completely unacceptable to you, then consider setting up a designated workstation where users can plug in their USB devices. That system should be hardened and closely monitored, but it would isolate the threat to one system. (This is assuming that USB hardware is disabled/removed on all other systems.)

  • Wireless device detectors. There are now several products on the market that can help you detect unauthorized devices the moment they are turned on. Some will even actively prevent the unauthorized devices from functioning. Then, once the device configurations are reviewed and approved, they can be added to the authorized list.

  • Policies. A good set of policies is a good idea irrespective of what you’re doing about USB and wireless devices. They should include policies on acceptable computer/network use, cameras, personal devices, remote connectivity, etc.
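The “event monitoring” and “authorized list” items above come together in the centralized analysis step. As an added example (not from the original article, and not tied to any particular product), the block below takes USB attach/detach events as a collector might forward them, parses the Windows-style device instance ID (USB\VID_xxxx&PID_xxxx\serial), and reports attachments of devices whose serial is not on the approved list. The CSV column layout, the vendor/product IDs and the serial numbers are all constructed for this example.

```python
"""Review USB attachment events against an approved-device list.

Issuing company-owned sticks and recording their serial numbers is what makes
an allowlist workable: anything else that attaches is, by definition, worth a
look. The event format below is an assumption made for this example, not the
native log format of any operating system or product.
"""
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample export: one row per attach/detach event.
SAMPLE_EVENTS = """\
timestamp,host,user,action,device_id
2021-06-21T08:02:11Z,WS-0147,alice,attach,USB\\VID_1234&PID_0001\\SN-A1B2C3
2021-06-21T08:05:40Z,WS-0147,alice,detach,USB\\VID_1234&PID_0001\\SN-A1B2C3
2021-06-21T09:12:05Z,WS-0212,bob,attach,USB\\VID_ABCD&PID_0077\\SN-UNKNOWN9
2021-06-21T09:13:58Z,WS-0212,bob,attach,USB\\VID_ABCD&PID_0078\\SN-UNKNOWN9
2021-06-21T11:40:22Z,LT-0033,carol,attach,USB\\VID_1234&PID_0001\\SN-D4E5F6
2021-06-21T12:01:09Z,WS-0212,bob,attach,USB\\VID_ABCD&PID_0077\\SN-UNKNOWN9
"""

# Serial numbers of issued, approved sticks (constructed values).
APPROVED_SERIALS: Set[str] = {"SN-A1B2C3", "SN-D4E5F6"}

# Windows device instance ID for a USB device: USB\VID_xxxx&PID_xxxx\<serial>.
DEVICE_ID_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})\\(?P<serial>[^\\]+)$"
)


@dataclass(frozen=True)
class UsbEvent:
    timestamp: str
    host: str
    user: str
    action: str
    vid: str
    pid: str
    serial: str


def parse_events(csv_text: str) -> List[UsbEvent]:
    """Parse the exported rows, dropping rows whose device ID is malformed."""
    events: List[UsbEvent] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = DEVICE_ID_RE.match(row["device_id"])
        if not match:
            continue  # in production, a malformed ID is itself worth logging
        events.append(UsbEvent(
            timestamp=row["timestamp"], host=row["host"], user=row["user"],
            action=row["action"], vid=match["vid"].upper(),
            pid=match["pid"].upper(), serial=match["serial"],
        ))
    return events


def unapproved_attachments(events: Iterable[UsbEvent], approved: Set[str]) -> List[UsbEvent]:
    """Attach events for devices whose serial is not on the approved list."""
    return [e for e in events if e.action == "attach" and e.serial not in approved]


def summarize(events: Iterable[UsbEvent], approved: Set[str]) -> Dict[Tuple[str, str], int]:
    """Count unapproved attachments per (user, host): the analyst's review queue."""
    counts: Counter = Counter()
    for e in unapproved_attachments(events, approved):
        counts[(e.user, e.host)] += 1
    return dict(counts)


def unapproved_serials(events: Iterable[UsbEvent], approved: Set[str]) -> Set[str]:
    """Distinct unapproved serials seen: candidates for review and, if cleared, approval."""
    return {e.serial for e in unapproved_attachments(events, approved)}


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for (user, host), n in sorted(summarize(parsed, APPROVED_SERIALS).items()):
        print(f"{user}@{host}: {n} attachment(s) of unapproved devices")
```

Keying on the serial rather than only vendor/product IDs matters: two sticks of the same model share a VID/PID, so a product-level allowlist would wave through any device of an approved make. Serials can be absent or duplicated on cheap hardware, which is one more reason the “review, then add to the authorized list” step stays a human decision.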

It should be obvious that this list is just a quick “fly by” of some of the possible remediations that you can consider. And, of course, there’s no substitute for other good computing hygiene practices, such as anti-virus software and personal firewall devices.

The main point I’m trying to make is that the gadgets are inevitable. Ignoring them won’t make them go away.

Similarly, there aren’t any perfect solutions that remove all of the threats that go along with them. But your users are going to want to use them, for good and valuable business reasons in many cases. You can prohibit them if that’s what your computing environment requires, or you can find ways to reduce the risk and embrace them.

As for me, you’d have to pry my PDA and USB drive from my cold, dead hands.
