There is a new and convenient addition to the portable devices market. It fits in your pocket, holds a huge two gigabytes of data and can be accessed instantly from any machine with a USB port. The problem? It poses a growing security threat. USB flash drives, commonly called "memory sticks" (strictly, Memory Stick is a Sony brand name for its own flash card format), have raised enough concern at some companies that they have banned their use outright.
Ray Wagner, Gartner's research director for information security strategies, describes the memory sticks as generally open volumes with no built-in security capabilities. According to John Madden, manager for the U.K.'s National Computing Center, "As an IRCA-registered information security auditor, several companies who are clients of LRQA (Lloyd's Register Quality Assurance) have reported security incidents involving memory sticks. The majority of them seem to be concerned with the ability of their employees to avoid the firewalls, and have therefore made changes to their info security policy to ban the use of them."
Plugging in a USB mass-storage device requires no administrator privileges, and there is no built-in group policy setting to control it: the stick simply appears as another removable disk. That leaves the door wide open to inadvertent or malicious misuse.
A recent case in the U.K. left health bosses in Lancashire facing awkward questions after medical records of 13 cancer patients found their way on to a portable memory stick, which was then repackaged and sold to a Crewe realty.
With roughly 1,400 times the capacity of a floppy disk, a USB flash drive can launch applications or carry off a copy of a company's entire database. Darwin L. Martinez, a vice president at National Business Group in Atlanta, says "Until manufacturers are able to develop some type of authentication facility and ensure inappropriate information is not available on these devices, they are a hazard. Right now, we are not reselling this type of technology – too many risks."
Short of banning the technology completely or disabling the USB interface, as Swiss Life U.K.'s security manager, Danny Hulligan, has done, the only way to secure the data kept on the sticks is through an outside control mechanism, such as auditing tools or centrally controlled data access. "Most enterprises choose to operate as if data on mobile devices (other than company-owned laptops) is all non-critical, requiring no protection," said Wagner. "This is rarely the case, as a recent story confirms, when the BlackBerry bought on eBay for $16 was found to contain corporate data."
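One concrete form of the "auditing tools" control mentioned above, as an added example that is not from the article or from any vendor it names: a small Python audit script that reads constructed Linux kernel syslog lines, correlates the descriptor messages the kernel logs for each USB port, and records every mass-storage attach, flagging any device that is absent from a hypothetical central register of approved (idVendor, idProduct, serial) tuples. The log lines, the register, the host name ws17 and the device serials are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines, in the format the Linux kernel logs when a USB
# device is attached. Three devices on workstation ws17: an approved stick on port
# 1-2, a keyboard on 1-3 (no mass-storage interface, so it never becomes a volume),
# and a stick nobody registered on 2-1.
SAMPLE_LOG = """\
Mar  3 09:12:01 ws17 kernel: usb 1-2: new high-speed USB device number 5 using ehci-pci
Mar  3 09:12:01 ws17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567
Mar  3 09:12:01 ws17 kernel: usb 1-2: Product: Cruzer Blade
Mar  3 09:12:01 ws17 kernel: usb 1-2: Manufacturer: SanDisk
Mar  3 09:12:01 ws17 kernel: usb 1-2: SerialNumber: 4C530001234567890123
Mar  3 09:12:02 ws17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar  3 09:12:03 ws17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar  3 09:15:40 ws17 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c31c
Mar  3 09:15:40 ws17 kernel: usb 1-3: Product: USB Keyboard
Mar  3 09:15:40 ws17 kernel: usb 1-3: Manufacturer: Logitech
Mar  3 11:02:17 ws17 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666
Mar  3 11:02:17 ws17 kernel: usb 2-1: Product: DataTraveler 3.0
Mar  3 11:02:17 ws17 kernel: usb 2-1: Manufacturer: Kingston
Mar  3 11:02:17 ws17 kernel: usb 2-1: SerialNumber: 60A44C4136D0BE1
Mar  3 11:02:18 ws17 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical central register of approved devices: (idVendor, idProduct, serial).
APPROVED_DEVICES = {
    ("0781", "5567", "4C530001234567890123"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
FOUND_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
ATTR_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$"
)
STORAGE_RE = re.compile(
    r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected$"
)


@dataclass
class StorageEvent:
    timestamp: str
    host: str
    port: str
    vendor_id: str
    product_id: str
    manufacturer: str
    product: str
    serial: str
    approved: bool


def audit_usb_storage(log_text, approved):
    """Correlate per-port kernel messages and emit one event per mass-storage attach.

    The descriptor lines (vendor/product ids, names, serial) arrive before the
    usb-storage driver claims the interface, so they are buffered by port and
    flushed when the 'USB Mass Storage device detected' message appears.
    """
    pending = {}   # port -> partial descriptor collected so far
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a kernel line, or a format this parser does not handle
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")

        if (f := FOUND_RE.match(msg)):
            # Fresh enumeration on this port: drop anything left from a previous device.
            pending[f.group("port")] = {"vid": f.group("vid"), "pid": f.group("pid")}
        elif (a := ATTR_RE.match(msg)):
            pending.setdefault(a.group("port"), {})[a.group("key")] = a.group("val")
        elif (s := STORAGE_RE.match(msg)):
            d = pending.pop(s.group("port"), {})
            vid, pid = d.get("vid", "?"), d.get("pid", "?")
            serial = d.get("SerialNumber", "")
            events.append(StorageEvent(
                timestamp=ts, host=host, port=s.group("port"),
                vendor_id=vid, product_id=pid,
                manufacturer=d.get("Manufacturer", "?"),
                product=d.get("Product", "?"),
                serial=serial,
                # A device that reports no serial can never be individually approved.
                approved=bool(serial) and (vid, pid, serial) in approved,
            ))
    return events


def unapproved_events(events):
    """The records an auditor actually needs to follow up on."""
    return [e for e in events if not e.approved]


if __name__ == "__main__":
    for e in audit_usb_storage(SAMPLE_LOG, APPROVED_DEVICES):
        status = "approved" if e.approved else "NOT APPROVED"
        print(f"{e.timestamp} {e.host} port {e.port}: {e.manufacturer} {e.product} "
              f"({e.vendor_id}:{e.product_id}) serial={e.serial or '<none>'} {status}")
```

Run against the sample, the script reports the SanDisk stick as approved and the Kingston stick as not, and never mentions the keyboard, because only a usb-storage attach creates a record. Two caveats a practitioner should keep in mind: the serial is whatever the device firmware reports, so cheap sticks often share one or report none and a hostile device can present any value it likes, which makes the register a check on honest users' compliance rather than a defence against a determined attacker; and the script records the attach after the fact rather than preventing it, so blocking, as Hulligan does, still means disabling the interface or its driver.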
Louis Oley, managing director of U.K.-based host intrusion prevention company, SecureWave, says "Security officers are panicking. Banning memory sticks is a bit drastic and means companies are not taking advantage of the business benefits. We have solutions available [to lock down the USB port] to control the use of these devices."
"Memory sticks present no more of a risk than any other transferable data format," said Anne Skinner, product manager for digital imaging at Sony. "Companies and their employees need to be aware of secure and safe practice regarding viruses and data, then there shouldn't be a problem."
What are the risks in employing removable memory devices?
Confidentiality keeps the working world in business, and it depends on controlling where data goes. Removable memory devices undermine that control in several ways. The risks are:
- Installation and use of unauthorized applications
- Introduction, inadvertent or otherwise, of malware (Trojans, worms or viruses) that can result in erratic system behavior or total denial of service and can lead to potentially large virus clean-up costs
- Copying of large quantities of sensitive data to the flash drive with impunity, without any record of the intrusion or theft
- Potential for malicious users to launch internal denial-of-service attacks
- Legal implications of allowing the use of illegal software. Preventing the use of unlicensed software is a board-level responsibility, and industry watchdogs are active in investigating and punishing violators with punitive damages and fines
- Negation of the security benefits of firewall perimeter defenses. If users can introduce removable, miniature, mass storage devices at will, all control over access to the network and the flow of sensitive and valuable data is lost
- System performance degradation or denial-of-service, due to increased and unplanned demand for systems resources through the installation of unauthorized and untested systems, I/O devices and applications
- Network performance degradation due to increases in network traffic from unauthorized and untested applications
- Productivity degradation due to users wasting time, playing games or performing unauthorized work using unauthorized software for personal gain
- Productivity degradation as a result of erratic system performance due to user-introduced hardware or device configuration errors
- Loss of control over user desktop configuration with the resulting increase in helpdesk and support operations costs
- Legal, political and financial implications following a breach of data confidentiality by failing to control sensitive data flow