The Man with the Golden Thumb Drive: Securing Endpoint Devices
Remember those old Bond flicks from the sixties and seventies? Part of the franchises success was its usage of state-of-the-art gadgetry to facilitate the espionage game. Connery or Moore would bring out a camera built into a tiepin, or an infrared scanner from the heel of a shoe. Such devices may seem quaint and clunky today but they were modern wonders of a pre-digital age.
What James Bond would have given for what are commonplace today. Imagine how many MP3 players, iPODs, PDAs and thumb drives, for instance, are knocking around the average organization. Each one of them represents a potential security threat.
Removable media devices are a large problem for todays organizations, said Natalie Lambert, an analyst at Forrester Research. However, most organizations dont realize just how many of their users are bringing in USB keys, iPods, etc and plugging them into their PCs. These devices can be a large threat to the organization.
And its not just a one way street. As well as bringing in bad code, they can carry good data/information out. Yet such endpoints can be very difficult to secure for many reasons. First and foremost, devices such as USB sticks are generally used with unprotected endpoints, including home computers, i.e. the same thumb drive that is being used on a corporate workstation may have been harnessed the day before to upload something from a neighbors spyware ridden PC.
PDAs and notebooks can also be problematic as they are sometimes used on unsecured networks, including random wireless hotspots or home networks. In addition, these devices are often used outside the corporate network, which restricts system administrators visibility of the devices and makes them harder to control. As a result, all the firewalls, anti-virus (AV), anti-spyware and intrusion prevention systems are rendered ineffective by this roving off-network gear.
These devices may contain confidential information that, without adequate protective measures such as simple encryption, could be compromised through carelessness (lost/misplaced) or through an event like theft or eavesdropping, said Larry Ponemon, chairman and founder of the Ponemon Institute of Traverse City, MI. Depending upon what sort of information is on the device, you may put individuals at risk of identity fraud or theft, a company may be vulnerable to corporate espionage through compromised intellectual property, and any number of data protection laws may be violated as a result.
A recent Ponemon Institute study into this area revealed that most companies were largely unaware of the state of security in their off-network equipment. Sixty-two percent of respondents were unsure if their off-network equipment contained unprotected sensitive information. Perhaps more alarming, 39% didnt view management of such devices as critical, and 30% said they would never be able to detect the loss or theft of confidential data from off-network equipment.
The study found obvious concern among CIOs, however, many found it intimidating to consider the perceived cost and management implications of addressing off-network vulnerabilities.
Short of a Draconian lock-down, which would be unacceptable to most companies, people are at a loss as to how to go about securing information that is stored in off-site, said Ponemon. For some, there seems to be a head-in-the-sand approach: pretend there's no problem and hope for the best.
According to Lambert, there are many technologies available in the device control space that can control the use of USB devices. She specifically mentions vendors such as Lumension Security Inc. of Scottsdale, AZ, Safend of Philadelphia, And McAfee Inc. of Santa Clara, CA, as having tools that can help restrict, control and/or monitor the usage of thumb drives.
This is a great first step as it brings awareness and some level of remediation to this problem, said Lambert.
South Western Federal Credit Union (SWFCU) of La Habra, CA, for instance, uses Lumensions Sanctuary Device Control to police usage of USB drives among its 70 workstations and 111 servers.
Only the IS department is allowed to use USB drives or CD-ROMs, unless someone else requests access and we allow it for the period they need access to those devices, said Miriam Neal, vice president of Information Systems at SWFCU. We have a stated policy that no one may download and install any type of software, etc to the computer or any removable device with the exception of the IS dept.
This is controlled through the Lumension Sanctuary product as well as through Active Directory configuration and security. Sanctuary enables the company to shadow any activity on USBs or CD-ROM. Any IT staff using such devices is precisely tracked as to what equipment it was used on, when and what was uploaded or downloaded. If anyone is granted temporary use of such devices, it is very closely policed.
The money spent on this solution was well worth the security in knowing we can control, monitor and log the access to any of these devices in a very efficient, effective way, said Neal. We know that our security policy for removable media is actually followed using Sanctuary.
Lambert, though, stresses that controlling the use of USB devices is not the be-all-end-all answer for all organizations.
These devices have their place and most organizations cannot simply forbid their use, she said. For that choose to allow them, there are encryption technologies designed for USB devices so that regardless of the data going on the devices, it will be protected.
McAfee and Check Point Software Technologies Inc. of Redwood City, CA are among the vendors operating in this area. Alternatively, she suggests the option of using only specific storage devices that are designed to be encrypted such as those offered by SanDisk Corp. of Milpitas, CA.
Taking all these technologies into account when allowing USB storage will bring much more control and security to the environment, said Lambert.
While tools, policy and IT vigilance are certainly important, there is perhaps one more element that really cant be done without when it comes to endpoint security user education.
The best protection against endpoint vulnerabilities is education of the end user, since the more they know and understand the vulnerabilities and policies, the more secure their endpoints will become, said Kyle McGrane, a security specialist at CDW Corp. of Vernon Hills, IL.
Stringent data management procedures, effective training and awareness programs, adherence to policy, and an investment in security technologies as basic as encryption would represent a quantum leap forward for many companies, he said.