Rewind ten years, and if you were in the IT business, you’ll remember that laptop computers were the hottest items in the computing world. IT shops were handing them out like free samples of Chinese food at the mall.
Soon after these devices were handed out, strange things began to happen. Laptops turned up missing, data mysteriously leaked from organizations, viruses seemed to appear on your network from nowhere and data loss from abuse of the laptop were just a few of the new issues faced.
Yet we had no policies, mechanisms or controls in place to effectively deal with them. IT shops scrambled to get a handle on the problem and gradually integrated policy and control mechanisms to harness these new creatures.
Today we face a new wave in mobile device threats that make our laptop issues pale in comparison. Devices are smaller, faster, cheaper, offer robust feature sets and come in thousands of shapes and sizes. We’re going to look at three of these new technologies, the security issues they present and several approaches you can take to mitigate the risk posed by these devices.
MP3 players are an extremely hot technology with teens all the way up to grand parents. Makers such as Apple, SanDisk and many others offer a variety of devices for your personal music needs. These devices come in sizes that range from the size of a flash drive all the way to a cassette case. They work by copying music over to internal flash memory just as is done with data flash drives and the mechanics of most MP3 players are identical to flash drives.
One case I’m familiar with involves data theft using an MP3 player. Because these players use standard interfaces such as USB, they make for the perfect vessel to carry data in and out of your network. Most security guards and employees never would suspect this vector simply because they don’t understand the technology and they associate these devices with personal entertainment, not portable data storage or theft.
In the end, the employee was caught not because the device was seen, but because she let her friend in on the theft and soon after the friend became nervous and turned the other employee in. Keep in mind, the employee who was stealing data walked past security with the device in plain sight each day. No one stopped her or suspected something was amiss which is the true danger with these devices.
Cell phones have also become much smaller and offer a wide range of features. In addition to data storage capabilities similar to MP3 players, cell phones offer a particularly dangerous feature – built-in digital cameras.
Employees, vendors, janitors, employees and visitors all carry cell phones in and out of the organization. Many times these devices can be used to document the layout of sensitive areas, snap pictures of trade secret documents and most troubling of all, they’re used to carry out sexual harassment.
There are several documented cases of cell phone cameras being used in the workplace to take pictures up the skirts of female coworkers. This act is not only detrimental to the victim, but also places the organization at great risk to litigation. The potential for losses and damages is unlimited.
PDAs such as the pocket PC are extremely powerful and have the ability to use high-speed wireless networking. With the ability to communicate wirelessly over the Internet and maintain a connection to your network instantly makes these devices a formidable security challenge. When devices like this are used to form bridge connections, an unfiltered link between the Internet and your internal network is formed. While connections such as these usually require user action before bad things happen, the likelihood is certainly high given a long enough amount time.
Just like MP3 players and cell phones, PDAs come in many shapes and sizes along with a dizzying array of video, audio and storage capabilities equal to or better than those of cell phones. Add all of this up and you quickly realize the magnitude of the threats that are aimed at your organization.
With Bluetooth technology showing up on more and more devices, the avenue of opportunity for loss becomes even wider. A simple attack against Bluetooth devices is to sit outside a busy eatery and simply browse all of the devices within range. Many people with these Bluetooth enabled devices keep a treasure chest of personal, financial and business data onboard. Needless to say, this is an attacker’s dream. Again, the potential for loss is tremendous.
Tried and true policies
So what is one to do? How can you possibly protect the confidentiality, availability and integrity of your organization? Surprisingly, well-established traditional techniques are very effective.
You can’t control what you can’t enforce, so start with identifying these technologies in your policies. You don’t have to name specific devices but instead use generic terms that describe the actual technology so that you get better policy coverage.
Next, point to an AUP (acceptable use policy) that states where the use of these devices is permitted, not where they are unauthorized. This is done for gap protection in case you add on new locations in the organization. Think of this as a “fail closed” policy that allows you to revisit the policy and determine if these devices should remain unauthorized at your new locations.
Next, be sure to provide training and awareness programs that are aimed at controlling these technologies. Security is the responsibility of everyone in the organization and when employees are properly trained, you stand a very good chance that they will use this knowledge when they encounter these devices during their normal activities.
Be creative when training employees by staging simulations that show the devices in use and how someone may attempt to use the devices for nefarious purposes. Be realistic but don’t spread fear, uncertainty and doubt.
Be sure that your awareness program is universal, visible and interesting. This sounds simple enough but it is a huge challenge to keep information fresh and interesting. Many times awareness and training specialists are contracted or hired to manage this effort.
Finally, be sure that you have a penalty and enforcement mechanism in your policies. Be clear in your stated expectations so that everyone who deals with your organization knows what is expected and what consequences will be administered if these expectations are not met.
Certainly we’ve seen the traditional network borders disappear but with the latest change to the security landscape, security professionals must remain nimble and agile in their approaches to securing the enterprise.
Hang your nimble and agile techniques on well-established policies and you’ll be on your way to mitigating risk down to an acceptable level.
This article was first published on EnterpriseITPlanet.com.