The influx of inexpensive storage media — from MP3 players and PDAs to USB thumb drives and external hard drives — in today’s enterprise facilitates the dissemination of information further and further away from the enterprise core, and attackers are writing increasingly complex, customized malicious code designed to compromise a company’s proprietary information.
In this seemingly chaotic environment, data security has become one of the primary challenges facing all organizations as managers consider how to properly secure data throughout its lifecycle as both a security and compliance best practices measure.
This concern is not unfounded. The recent spate of data thefts and security breaches has created the potential for a huge amount of personal and sensitive data to become compromised:
o McDonald’s Japan was forced to recall more than 10,000 promotional MP3 players after discovering that the devices carried a spyware Trojan.
o Apple unknowingly shipped video iPods that were loaded with a Windows virus capable of compromising a computer.
o TomTom revealed that many of its GPS units shipped in the fourth quarter of 2006 were infected with a virus that could infect a computer if the TomTom unit was connected to the machine.
o Empire Blue Cross and Blue Shield in New York lost an unencrypted compact disc that contained personal information about 75,000 people.
These recent instances of data loss and malware infiltrations have enterprises looking long and hard at any number of potential holes in existing security nets for data leakage. And the unfortunate truth is that they are looking squarely in the mirror at themselves and their own employees. According to a variety of sources, the most significant security breaches come from insiders — both from malicious and seemingly benign activities. And now, with a barrage of new, portable storage technologies, it has never been easier for information to literally walk out the door.
The technologies used by today’s workforce
Never before have there been so many mobile workers. In the United States alone, more than 44 million were classified as teleworkers by the Dieringer Research Group. As a result of such a significant level of movement within our workforce — including contractors, employees and partners — making sure that information stays within the confines of the organization is a major concern.
Technology has supported our need for mobility and has also provided additional means of communication. Removable storage media is at the center of a variety of new ways we can share and use information. There are many new form factors for removable media today, including the small cards used in PDAs and cameras, thumb drives used to move files between PCs and personal entertainment devices.
Most personal media devices can be connected to a PC via USB or firewire connections. This creates a nightmare for IT security administrators because today’s PCs have as many USB ports as there are cup holders in a minivan. What’s more, Windows “plug-and-play” makes using these devices effortless, enabling users to simply plug in a device and Windows will automatically install and configure the correct drives. Anyone can simply insert a device, download large quantities of proprietary information and walk out the front door.
In recent years, another threat has emerged that goes beyond using storage media to pilfer data. An emerging trojan designed specifically to steal data runs off U3 devices, a new breed of USB media that include self-launching and self-running applications. Simply inserting the U3 into a USB port will automatically activate the trojan, which then copies and removes sensitive information within minutes. These smarter attacks have placed sensitive data at further risk and have made execution control a critical component to any organization’s IT security policy.
Steps to implementing effective device and application control
Device and application control provide ways to develop and enforce a granular use policy for how software applications, removable media or any device that can be accessed from an end user’s PC, can be used. Governing their use is far more practical than attempting to prohibit what amounts to a major IT evolution in how we handle data individually.
There are a few important steps to take in implementing a strong usage policy. Developing and enforcing a device and application use policy must be done in a non-disruptive fashion, minimizing any adverse impact of going from a non-controlled to a controlled use environment.
· Step 1: Discover – Know your users — The first step involves identifying all devices and applications in use — or available to — users in the organization. In addition, IT managers must determine whether all end users will have the same rights. For example, are there levels of confidentiality or other organizational groupings that will govern who should be able to transport information and how they will be allowed to do so? Many enterprises use identity management to generate and distribute credentials to end users and to associate access privileges with their credentials. If this information is already in place, then the majority of work required in developing a device or application use policy is complete. If not in place, policy groups may be developed in a number of ways with a variety of different tools.
· Step 2: Develop – Determine acceptable device and application use — The next step involves identifying all the potential devices and applications that will be approved for use. For example, it might make sense to enable all removable media for “read” access only, enabling employees to bring data into the enterprise but not allowing them to remove it. It might make more sense to require some encryption and authentication. It might also make sense to allow only certain groups to install instant messaging or peer-to-peer software. A sensible approach includes scanning for all devices and applications and monitoring their use over a period of time to determine what policies should be developed.
· Step 3: Deploy and enforce – pull the trigger — Once acceptable devices and applications (along with the rules associated with their use) are identified and associated with user groups, management buy-in is essential to succeed. When that is obtained, it is time to let enterprise end users know what to expect. Communications are extremely important to prevent disruption and rebellion. If end users know what to expect and have time to anticipate the change, there is far more likelihood for minimal impact on end users and infrastructure alike. Once policies are developed, tuned and communicated, ensure that they are more than just a piece of paper — they must be enforceable.
· Step 4: Audit – Prove Policy Compliance — The final step to implementing a strong device and application use policy is to demonstrate compliance through comprehensive auditing and reporting. The ability to drill down on suspicious user behavior enables an organization to follow up on the matter and take appropriate actions. Being able to audit user behavior also reveals how effective a written policy is and how soundly employees are adhering to it.
By proactively taking steps to address device and application control, organizations can ensure that they are protected from data leakage while still enabling employees to use the gadgets and programs they need to perform their regular job functions. The most effective approaches to addressing these challenges involve multiple steps that help companies thoroughly understand what applications and removable storage media are needed and by whom.
Dennis Szerszen is senior vice president at SecureWave