I have to wonder about an op-ed written by a security company's director of business development that discusses "new" security threats to corporations -- in this case, USB devices -- particularly given that his company markets products to "fix" this type of "emerging security problem."
-rick Infowarrior.org (1) USB--short for 'ultimate security breakdown'? September 28, 2004, 4:00 AM PT By Dennis Szerszen http://news.com.com/2010-7355-5384310.html For the average corporate or home PC user, the initialism "USB" refers to a computer port that makes it very easy to connect devices directly to a machine. With this connection, a person can transfer or copy information to and from a computer with little trouble. But for security administrators and corporate executives, USB--short for Universal Serial Bus--is taking on an entirely new meaning: ultimate security breakdown. Most organizations don�t realize that USB and Firewire ports offer an unbelievably easy and accessible way to take sensitive information outside of the enterprise--and this naivete could cost them dearly. If you look at the new corporate desktop releases from top makers Dell, Hewlett-Packard and Gateway, a single system can easily have up to eight USB ports. But it's not the sheer number of ports--it's the default plug-and-play configurations of operating systems like Microsoft Windows XP that are the real problem. Current operating systems provide seamless support for USB devices, and for good reason--their users want to be able to load photos, sync their PDAs and transfer music to and from their music players with no hassle. But the resulting security problems are significant. In industries such as financial services, government and health care, where sensitive information not only exists but is heavily regulated by privacy laws, there is monumental risk. And that's not to mention the finance and legal departments within every publicly traded company, where violations of material event-disclosure laws could result in serious penalties and fines, in addition to public- and investor-relations disasters. So while organizations scramble to turn off the data spigot with no guarantee that software or PC manufacturers will do anything to stop default USB access, things are only going to get worse. Several trends will feed this security dilemma over the next 12 months, including: Pop culture Music players such as Apple Computer's iPods, digital cameras, PDAs and other gadgets will continue to see rapid adoption among consumers and business users. With no configuration at all, an employee can plug a USB keychain with a gigabyte of storage into the back of a corporate PC. Employees already bring digital cameras to work to download photos to serve as desktop wallpaper or screensavers. These devices are normally plugged into home computers with a fraction of the security of today�s enterprises, making it incredibly easy for someone, even unintentionally, to download a nasty virus or destructive code. Malicious code meets device Wireless LANs and laptop computers are the current hot vectors for malicious code infections, but the recent appearance of malicious code in portable and personal devices does not bode well for security administrators. Infected PDAs syncing to a corporate computer could result in a scenario where malicious code is passed from device to machine to corporate network. It's also conceivable that future malware will seek out portable media solely for the purpose of proliferation. Storage device meets mouse The convergence of different computer components and technology could present the ultimate dilemma for security personnel. Mice, keyboards and other components that are intrinsic to everyday computing, combined with storage capabilities, are a potential Swiss Army knife for data thieves and insiders or yet another threat vector for malicious code exploits. Unfortunately, most security organizations are still drowning in their battle against malicious code and vulnerability patching, keeping the focus on perimeter security technologies, such as corporate firewalls, server antivirus strategies and content filtering at the gateway. While these measures are important and administrators must continue to lock things down at the network hub, the number of spokes is growing exponentially. Many organizations have hundreds or thousands of machines hooked up to the network at any given time. When you factor in the possibility that very soon there could be multiple devices per PC with unlimited access, it presents a very sobering reality for security personnel. There are immediate steps that companies can take that will go a long way toward solving this problem, including a "white list" approach to block unsanctioned devices, applications and executable files from all corporate machines. Until these types of measures are implemented, USB devices will continue to be the weakness in perimeter security�s Maginot Line, allowing a relatively easy and tempting way for wayward insiders and malicious code writers to hurt government agencies and organizations. A major step toward solving this problem will be turning their ultimate security breach into an unbreakable security barrier. biography Dennis Szerszen, formerly an industry analyst, is vice president of business development at SecureWave, a maker of end-point security software. (2) iPods are security risk, warns analyst ZDNet UK July 05, 2004, 17:30 BST http://news.zdnet.co.uk/0,39020330,39159670,00.htm Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data, according to an analyst. Small portable storage products can bypass perimeter defences like firewalls and antivirus at the mailserver, and introduce malware such as Trojans or viruses onto company networks, claimed analyst Gartner in a report issued this week. Analysts have warned for some time of the dangers of using portable devices, but the report points out these also now include "disk-based MP3 players, such as Apple's iPod, and digital cameras with smart media cards, memory sticks, compact flash and other memory media." Another potential danger is that the devices -- that typically make use of USB and FireWire -- could be used to steal large amounts of company data as they are faster to download to than CDs. Also the size of the portable devices means they can be easily misplaced or stolen. Gartner advises that companies should forbid the use of uncontrolled, privately owned devices with corporate PCs and adopt personal firewalls to limit what can be done on USB ports. "Businesses must ensure that the right procedures and technologies are adopted to securely manage the use of portable storage devices like USB 'keychain' drives. This will help to limit damage from malicious code, loss of proprietary information or intellectual property, and consequent lawsuits and loss of reputation," the report stated. -- You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
