Sunday, December 24, 2006

THE THREAT POSED BY PORTABLE STORAGE DEVICES

Strategies and solutions to combat corporate data theft

In a society where the use of portable storage devices is commonplace, the threat that these devices pose to corporations and organizations is often ignored. This white paper examines the nature of the threat that these devices present and the counter-measures that organizations can adopt to mitigate it.

Introduction

In an on-demand society where individuals have ready access to portable music players, PDAs, mobile phones and digital cameras, technological innovation has answered personal needs with electronic devices that double as data storage. There is a downside: misused in a corporate environment, the same devices can cause a corporation serious harm. The statistics are not encouraging; for instance, the 2005 CSI/FBI survey reports that “theft of proprietary information is up from [US] $168,529 in 2004 to [US] $355,552 in 2005” (Gordon et al., 2005).



Today, corporations who recognize the extent of the data theft problem are enacting security policies that regulate the use of portable storage devices in the corporate environment. But is a security policy alone the best solution to mitigate the risks posed by portable storage devices? And what are the real risks associated with the uncontrolled use of portable storage devices?

The rise of portable storage devices

In the last ten years data storage technology has broken the barriers that once tied it to large devices holding limited amounts of data. These breakthroughs have:

Increased storage capacity and data transfer speeds by orders of magnitude
Increased device portability through a substantial reduction in physical size
Increased device availability through mass-appeal, low-cost products
Simplified connection to computer systems, typically to a plug-and-play USB port.

A typical example is the Apple iPod released in October 2005, which stores up to 60 GB of data, as much as a typical corporate workstation’s hard drive of the time. In practice that is millions of proprietary, financial, customer and otherwise sensitive corporate records.


Transferring data from one computer system to another is now a non-technical, fast and inconspicuous task. This puts corporations in harm’s way: misuse of portable storage devices exposes the corporate network to risks ranging from data theft to malware infection, each of which can affect the business in several ways.

Why do corporations require protection?

Statistics suggest that 98% of all crimes committed against companies in the U.K. had an insider connection (Computer Crime Research Center, 2005). Data theft, legal liability, lost productivity and network security breaches are all dangers that corporations face when malicious insiders or careless employees misuse portable storage devices at the workplace.



Data theft

The act of stealing corporate data is simple in itself, and freely downloadable software now automates the whole process. An insider only needs to plug the portable storage device into a corporate workstation; everything the logged-in user can read, sensitive data included, is copied to it without any further interaction. This automated process, commonly known as ‘pod slurping’, can copy whole databases and other confidential records to a portable storage device in a matter of minutes.

Serious Organized Crime Agency (SOCA) – U.K.
“…one of the big threats still comes from trusted insiders. That is, people inside the company who are attacking the systems.”

Data theft is not limited to corporate insiders. Outsiders can use social engineering to manipulate unsuspecting employees into using media or portable storage devices on a corporate workstation. Seeded with malware, such devices open backdoors through the corporate perimeter defence and give attackers easy access to corporate data. A well publicized example is an experiment conducted in 2006 by The Training Camp, a UK-based training institution (Sturgeon, 2006), which distributed promotional CDs to office workers. Apart from the advertised material, each CD contained a script that reported back to The Training Camp when the CD was used. Even though the CD carried a note advising recipients to check their company’s security policy before running it, 75 of the 100 CDs distributed were used on corporate networks. The experiment underscores that employees acting in good faith can bypass the best perimeter security and expose the corporation to serious consequences. Corporations typically accumulate a wide array of data that can be stolen, including:

  • Blueprints and engineering plans
  • Tenders, budgets, client lists, emails and pricelists
  • Credit card and other financial information
  • Software source code and database schemas
  • Medical or other confidential personally identifiable records
  • Classified, restricted or personal information
  • Scripts, storyboards, print material, photographic, video or animated film
  • Score sheets, lyrics, sound files and other forms of phonographic material.
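The ‘pod slurping’ tool described above and the seeded promotional CD rely on the same convenience feature. The page does not name the mechanism; the assumption here is the usual one for Windows of the period, namely that inserting media carrying an autorun.inf with an open= or shellexecute= directive launched that command with no further user action. The Python script below is an example added for this article, not code from GFI or The Training Camp. It parses an autorun.inf the way a removable-media control could before the operating system acts on it, lists every directive that would execute a program, flags the common trick of labelling the auto-run entry so that it resembles Windows’ own “Open folder to view files” option, and fails closed on any medium that would launch something. The two autorun.inf texts in the block are constructed for the demonstration.

```python
"""Inspect an autorun.inf before the operating system acts on it.

Example code added for this article, not GFI's or The Training Camp's.
The two autorun.inf texts at the bottom are constructed for the demo.
On autorun-enabled Windows of the period, media carrying an [autorun]
section with open= or shellexecute= ran that command on insertion, which
is the mechanism assumed here behind pod-slurping tools and seeded CDs.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Directives that name a program to run when the medium is inserted.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the directives of the [autorun] section, keys lower-cased.

    The format is INI-like but Windows is lenient, so this parser is too:
    blank lines and ';' comments are skipped, the section name is matched
    case-insensitively, and only the first '=' splits key from value.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


@dataclass
class Assessment:
    launches: List[str] = field(default_factory=list)  # commands that would run
    disguised: bool = False   # auto-run entry dressed up as a folder view
    verdict: str = "allow"    # "deny" as soon as anything would execute


def assess(text: str) -> Assessment:
    """Decide whether a medium with this autorun.inf should be acted on."""
    directives = parse_autorun(text)
    result = Assessment()
    for key, value in directives.items():
        # open=, shellexecute= and shell\<verb>\command= all name a program.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            result.launches.append(f"{key}={value}")
    # Classic social-engineering touch: action= (with a folder icon) makes the
    # AutoPlay entry look like Windows' own "Open folder to view files".
    action_text = directives.get("action", "").lower()
    result.disguised = "folder" in action_text or "view files" in action_text
    if result.launches:
        result.verdict = "deny"
    return result


# Constructed sample: what a seeded "catalogue" CD might carry.
PROMO_CD_AUTORUN = """\
[AutoRun]
; looks like a harmless product catalogue
icon=catalogue.ico
label=Training Catalogue
action=Open folder to view files
open=setup\\launch.exe /quiet
shell\\browse\\command=setup\\launch.exe /browse
"""

# Constructed sample: a stick that only sets a drive icon and label.
BENIGN_AUTORUN = """\
[autorun]
icon=drive.ico
label=Backup Drive
"""

if __name__ == "__main__":
    for name, text in (("promo CD", PROMO_CD_AUTORUN), ("backup stick", BENIGN_AUTORUN)):
        a = assess(text)
        print(f"{name}: {a.verdict}, disguised={a.disguised}, launches={a.launches}")
```

Turning autorun off on every workstation is the blunt fix; the point of the check is that a device-control agent can make the same determination per medium, record what the medium would have executed, and still let a plain data stick through.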



The stolen data can be sold to competitors or used by the insiders, their criminal associates or hackers to commit crimes ranging from identity theft to extortion and blackmail. Employees leaving the company to work for a competitor may also use the data to gain an edge over their previous employer or to discredit that company directly.


Surveys conducted by the U.S. Secret Service and the CERT Coordination Center concluded that “Respondents identified current or former employees and contractors as the second greatest cyber security threat, preceded only by hackers” (Keeney et al., 2005). This is corroborated by the 2006 CSI/FBI survey, in which 68% of respondents reported losses due to security breaches originating from insiders (Gordon et al., 2006).




Legal liabilities

When confidential information is ‘lost’, or illicit or objectionable material is introduced onto the corporate network through portable storage devices, the corporation may become legally liable for what was stolen or introduced. The liabilities vary by jurisdiction and can be significant: under HIPAA (USA) the wrongful disclosure of individually identifiable health information carries a maximum penalty of a $250,000 fine and 10 years’ imprisonment. The table below lists relevant laws and the countries in which they apply.


Country     Laws

U.S.A.      Sarbanes-Oxley Act; Gramm-Leach-Bliley Act; USA PATRIOT Act; Title 21 of the Code of Federal Regulations Part 11 (21 CFR Part 11); Federal Information Security Management Act (FISMA); HIPAA

E.U.        Data Protection Directive; Privacy and Electronic Communications Regulations; EU GMP Annex 11 (Computerised Systems)

U.K.        Turnbull Guidance (1999); Companies Act; Data Protection Act; Freedom of Information Act; Money Laundering Regulations 2003

Japan       Personal Information Protection Act 2003

Canada      Personal Information Protection and Electronic Documents Act (PIPEDA)

Australia   Privacy Act 1988 (Federal)

Productivity loss

The corporate network can also be misused by untrustworthy employees who use portable storage devices to carry personal files past perimeter security. These may include part-time work or hobby-related material to be worked on during office hours. The problem is worse with video games: they are addictive, demand constant attention and, through multiplayer features, can draw in and distract more than one employee.


Corporate network security breaches

The use of portable devices at work can also compromise network security through the intentional or unintentional introduction of viruses, malware or crimeware that can bring down the corporate network and disrupt business. Law enforcement agencies today acknowledge that “…one of the big threats still comes from trusted insiders. That is, people inside the company who are attacking the systems” (Ilett, 2006).


U.S. Federal Trade Commission: “Disgruntled employees gaining access to customer lists and other information is proving a growing danger.”


Commonly used countermeasures

Corporations have only a few countermeasures available against unauthorized portable device use. Banning portable storage devices from the premises and physically blocking the computers’ USB and other ports are common practices. Windows Group Policy is also used, typically to push out a registry setting that disables the USB mass-storage driver on every workstation. These countermeasures have a number of shortcomings:


  • Most portable storage devices are small and easily concealed, so it is difficult to ensure
    that no-one has brought a banned device in.
  • They cannot discriminate between legitimate devices and devices that should be denied access
    to resources: a blocked port or disabled driver stops the approved backup drive as surely as
    the personal iPod.
  • They require considerable manpower to enforce.

Device installation restrictions introduced with Windows Vista let Group Policy allow or deny devices by hardware ID, which narrows the second gap, but an inventory of approved device IDs still has to be built and maintained.

A more effective approach is to enforce the policy in software on the endpoint itself, where the device is plugged in, with a solution that distinguishes legitimate from illegitimate device use according to the custom security policies the corporation defines.
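In practice, discriminating between legitimate and illegitimate device use comes down to an allowlist keyed on what the device reports about itself. Windows identifies a USB disk by a device instance ID of the form USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\<serial>&0, which carries the vendor, model and, for most units, the hardware serial number. The Python script below is an example added for this article; it is not GFI EndPointSecurity’s code and makes no claim about how that product works. The rule layout, the per-user binding and the connection events are all constructed for the demonstration. It parses such IDs, matches them against rules that may bind a unit to named users or admit a whole model, denies by default anything it cannot parse, and treats a unit that reports no hardware serial (for which Windows fabricates an instance ID with extra ‘&’ separators) as something a serial-bound rule can never match.

```python
"""Allowlist evaluation for USB mass-storage devices, keyed on the Windows
USBSTOR device instance ID.

Example code added for this article, not GFI EndPointSecurity's.  The rule
layout, the user binding and the sample connection events are constructed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

# USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance>
USBSTOR_RE = re.compile(
    r"^USBSTOR\\DISK&VEN_(?P<vendor>[^&\\]*)&PROD_(?P<product>[^&\\]*)"
    r"&REV_(?P<rev>[^\\]*)\\(?P<instance>.+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbDisk:
    vendor: str
    product: str
    revision: str
    serial: Optional[str]   # None when the unit reports no hardware serial


def parse_usbstor_id(device_id: str) -> Optional[UsbDisk]:
    """Parse a device instance ID; return None for anything unrecognised."""
    m = USBSTOR_RE.match(device_id.strip())
    if not m:
        return None
    parts = m["instance"].split("&")
    # A real serial appears as "<serial>&<lun>".  For units without one,
    # Windows fabricates an ID such as "6&2a3f1e5b&0&_&0" that is unique
    # only to the port it was seen on, so it cannot identify the unit.
    serial = parts[0] if len(parts) == 2 and parts[1].isdigit() else None
    return UsbDisk(m["vendor"], m["product"], m["rev"], serial)


@dataclass(frozen=True)
class AllowRule:
    vendor: str
    product: str
    serial: Optional[str] = None             # None: any unit of this model
    users: FrozenSet[str] = frozenset()      # empty: any user (lower-case names)


@dataclass(frozen=True)
class Decision:
    action: str     # "allow" or "deny"
    reason: str


def evaluate(user: str, device_id: str, rules: Sequence[AllowRule]) -> Decision:
    """Allow only what a rule explicitly permits; everything else is denied."""
    disk = parse_usbstor_id(device_id)
    if disk is None:
        return Decision("deny", "unrecognised device ID (fail closed)")
    model_rules = [r for r in rules
                   if r.vendor.lower() == disk.vendor.lower()
                   and r.product.lower() == disk.product.lower()]
    if not model_rules:
        return Decision("deny", f"model {disk.vendor or '(no vendor)'} {disk.product} not on allowlist")
    unit_matched = False
    for rule in model_rules:
        if rule.serial is not None:
            if disk.serial is None or rule.serial.lower() != disk.serial.lower():
                continue
        unit_matched = True
        if not rule.users or user.lower() in rule.users:
            return Decision("allow", f"{disk.vendor} {disk.product} serial {disk.serial or '-'} permitted for {user}")
    if unit_matched:
        return Decision("deny", f"{user} is not authorised to use this device")
    if disk.serial is None:
        return Decision("deny", "unit reports no hardware serial; serial-bound rule cannot match")
    return Decision("deny", f"serial {disk.serial} not registered for this model")


def audit(events: Sequence[Tuple[str, str]], rules: Sequence[AllowRule]) -> List[Decision]:
    """Evaluate a batch of (user, device instance ID) connection events."""
    return [evaluate(user, dev, rules) for user, dev in events]


# Constructed policy: one stick bound to alice, one model open to all,
# one generic model admitted only by registered serial.
RULES = [
    AllowRule("SanDisk", "Cruzer_Blade", "4C530001230124113174", frozenset({"alice"})),
    AllowRule("Kingston", "DataTraveler_3.0"),
    AllowRule("", "USB_DISK_2.0", "0123456789"),
]

# Constructed connection events (user, device instance ID).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("alice", r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230124113174&0"),
    ("bob",   r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230124113174&0"),
    ("alice", r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530009999999999999&0"),
    ("alice", r"USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_2.70\000A27001234ABCD&0"),
    ("carol", r"USBSTOR\Disk&Ven_&Prod_USB_DISK_2.0&Rev_PMAP\6&2a3f1e5b&0&_&0"),
    ("bob",   r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B1234567890&0"),
    ("dave",  r"USB\VID_0781&PID_5567\4C530001230124113174"),   # parent device ID, not a disk
]

if __name__ == "__main__":
    for (user, _), d in zip(SAMPLE_EVENTS, audit(SAMPLE_EVENTS, RULES)):
        print(f"{d.action:5} {user:6} {d.reason}")
```

Two design points carry over to any real deployment: the default is deny, so a malformed or unexpected ID never slips through, and serial-less units are refused under serial-bound rules rather than matched on vendor and model alone, because anyone can buy another unit of the same model.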


GFI Software offers a permanent solution which helps protect your corporation against portable storage device threats: GFI EndPointSecurity, the countermeasure against the enemy within. GFI EndPointSecurity allows you to control the entry and exit of data via portable storage devices, preventing users from taking confidential data or introducing viruses and trojans to your network. It allows you to actively manage user access to media players (including iPod and Creative Zen), USB sticks, CompactFlash, memory cards, PDAs, BlackBerrys, mobile phones, CDs, floppies and more.

To read more and to download a trial version, visit
http://www.gfi.com/endpointsecurity/.


Conclusion

The uncontrolled use of portable storage devices by corporate insiders is a definite threat to the security and stability of every business. Malicious insiders and gullible employees who fall for social engineering are the weakest link in the corporate security chain. Relying on voluntary user compliance with the corporate device usage policy is not a solution; software countermeasures that enforce the policy are needed. GFI EndPointSecurity is one such countermeasure. It supports business continuity by allowing portable device access to legitimate users while keeping corporate data sheltered from unauthorized transfers to and from portable devices.

3 comments:

Anonymous said...

hi,

good

Yuvaraj said...

Yes! Security is indeed the need of the hour. This writing is pretty good. Keep up the good work. :)
