Do Small Devices Equal Big Threat?By Channel Insider Staff | Posted 2004-07-09 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
A new Gartner report highlights security problems posed by portable electronics, but many experts question its conclusions.
Is that cell phone a Trojan horse? It might be, according to a recently released report, "How to Tackle the Threat From Portable Storage Devices," by The Gartner Group discussing the security risks associated with the proliferation of small USB- and Firewire-enabled electronics and peripherals.
As as the cost of RAM chips and hard drives continue to fall, a wide and growing variety of small and inexpensive devices are available with substantial memory capacity. PDAs, cell phones and smartphones typically have up to 64MB onboard, and often support removable media. "Thumbnail drives" can put a gigabyte of storage on a keychain, and portable hard drives can place 80GB in a jacket pocket. Collectively, these devices make possible the uncontrolled transfer of large quantities of data into and out of business networks.
According to the Gartner report, the problem originated with the release of Windows 2000 and the wide deployment of systems able to automatically recognize USB and Firewire connections. This advance placed high-capacity, high-speed and easily connected storage in the hands of end users, and dramatically reduced the control that IT staffs excercise over the flow of data into and out of their networks.
Gartner identified two distinct types of threats posed by portable storage devices. First, they can act as a delivery mechanism for viruses and other malicious code that might otherwise be blocked by firewalls and mail servers. Second, they provide an easy method for users to steal large quantities of sensitive corporate data and intellectual property. In response, Gartner suggests a variety of practices for restricting the use of such devices and limiting employee access to sensitive data, ranging from banning portable storage devices entirely to an increased focus on data encryption and digital rights management.
Security professionals readily acknowledge the risks posed by these devices. "Recent advances such as USB storage devices up the ante in terms of storage capacity as well as ease of use," said Dave Cole, vice president of product management for security firm Foundstone Inc. "As a result, an attacker can now very quickly upload a sophisticated malicious program such as a Trojan horse application or steal intellectual property with little effort and a smaller chance of detection than ever before."
Many experts, however, question both Gartner's suggestion that this is a new problem and its recommended best practices.
"Removable storage has been around and been a security risk since the advent of the computer, even before the network became a security threat. ... Shedding fresh light on this issue is always of benefit, but should be viewed in the grander picture of the security risks posed by all technologies capable of moving sensitive and valuable information at the desktop/laptop," said Tomas Revesz, vice president of information systems at Waltham, Mass.-based security software developer Verdasys Inc.
Counterpane Internet Security Inc. CTO Bruce Schneier has even greater doubts. "I think the Gartner report is kind of silly. ... In the end, you have to trust your employees. If they want to steal information, if they make mistakes, they'll do it regardless. You can change the mechanisms of those actions, but don't confuse changing mechanisms with making things safer," he said.
On the other hand, Rebecca Bace, president and CEO of network security consultancy Infidel, posits that the report could serve as a valuable part of a broader push to re-evaluate common assumptions and strategies. "As a community, we've spent a lot of time dealing with security issues that impact availability of network service; the removable media security issues might serve as a reminder that it's time to circle back and revisit fundamental issues of data confidentiality and access control," Bace said.