So Many Portables, So Few Rules

Not the deepest story on managing portable devices, but it is a good introduction to get some people questioning their policies. One of the things I bring up to people…

Also important is the need for policies governing the use of non-company storage devices and systems. For every control you put in place there will be weaknesses – “what if they use their own USB drive?” The idea is to put controls in place that are commensurate with the risks. Hypothetically, if an organization is worried about portable devices and external storage then one must wonder if the data should even be allowed outside of controlled facilities.

What about those personal devices? Do you know what all of them are? Do you know who has them? Do you know where they are being used?

New AIM Worm

Here is another one…

A computer worms that spreads via instant messaging is being used to build an extensive “botnet” of remote-controlled PCs, a US security firm has warned.

Security experts at US company FaceTime identified the worm as “W32.pipeline” and warned that it spreads via AOL’s instant messenger program.

The worm disguises a malicious executable program as a jpeg image, which is attached to an instant message that appears to come from someone on the recipient’s AOL “buddy list”.

Zero day exploits becoming a serious threat

While this isn’t good..

The risk of zero-day exploits is increasing as cyber-criminals become more sophisticated and better organised, says Robert Pregnell, Symantec’s Asia Pacific regional product marketing manager for endpoint security and compliance solutions.

The story says one of the solutions is an intrusion prevention system is necessary. While I’m not totally sold on that idea, I think this is more of an example where an application control program is needed to protect the systems.

There are multiple tools out there that allow application control via ‘whitelist’ approach, in these situations only applications that are explicitly given permission to run on a machine are allowed to run. Anything not on the whitelist will be blocked, this means worms, viruses, trojons or malware will be blocked.

Creating a Security Policy and Enforcing It

The introduction to this story got my attention…

IDC reports that approximately 50 percent of data loss incidents are due to insiders, with the FBI rating insider data loss around 70 percent. Both groups agree the majority of these incidents are the result of poor corporate policies or lack of organizational definition of what constitutes sensitive information.

I thought it was odd that there really wasn’t anything in the story about endpoint security, it talks about servers and networks shares being the endpoint – but that isn’t how I’m hearing people talk about it. The endpoint is the individual workstation and the devices that can be used on the workstation.

I do like the different phases of data they have, I haven’t really seen it listed this way before:

1. The first stage, data at rest, is comprised of information residing on computers, corporate servers or network shares at endpoints of the network. The high risk presented by data at rest is the potential to leak unstructured data stored in various office applications.
2. The second stage, data in motion, is comprised of data moving through the network and leaving through various exit points. Data in motion can be found in e-mail, instant messaging, FTP downloads, or other data transfer formats exiting the network to known and unknown points.
3. The third stage, data in use, is information on a computer which is being analyzed or worked on. For data in use, most organizations want to restrict what their users can do with that data, including preventing them from downloading it to removable media devices.

I think this is a good summary of the type of solution that is needed…

Security and compliance officers should only write policies that they can easily implement and enforce through a combination of people, process and technology. Tools that are straightforward to implement, highly scalable when deployed and accurate in their findings are invaluable in this effort.

I have seen some really great policies on paper, but they have never been implemented because they were to difficult to control or enforce.

A couple of post on endpoint security

Both of these stories caught my attention because they are from New Hampshire and I don’t see those very often, so anything I can do to get some attention for a place I used to work.

The first story is giving companies a small warning about security and giving them a heads up that they need to start paying attention to external storage devices…

While there are established ways to deal with these threats, a new wave of concern has been developing with the likes of iPods and other MP3 music players, as well as USB memory keys and even cell phones, especially units like Treo’s and other smart-phone class devices.

The issue is that these devices can appear to a computer like another drive. Meaning that, just like your C-drive, one of these devices plugged into a computer can appear as another drive letter, like drive E. The risk here is that information can be copied to, as well as from, these devices.

The second story points out that while these external devices can be used for negative purposes…

When you plug a USB key into a computer, it will show up as an additional drive letter that you may then copy files to and from, based on your needs. This means, that in a business setting, as described in my last column, that these devices could be a security risk to your data and network.

The uncontrolled use of these devices could allow damaging files like a virus, to enter your network. But more importantly, they could allow confidential company data to be easily removed from your network.

The author also points out that these devices are useful too, it allows to easily transport information around and just makes your day to day work easier in many cases. I’ll agree with that, I currently carry five different usb flash drives with me right now for work – there are patches and updates on one drive; I have some of my presentations on another drive; I have some demo software on another drive; and then I backup a lot of my files on the other drives.

I disagree with the author on one of the benifits he list…

Another interesting development is something called U3. Simply put, U3 is a technology that lets you actually install software to your USB key and then be able to run it from any computer that you connect the USB key to. The software needs to be able to support this, but more and more do support it.

I see this as more of security threat that an benifit right now. Sure this is great for the end-user or the employee, but this is allowing unauthorized software to run on a corporate machine and that is threat.

There are already tools out there that allow you to modify the U3 software and put password cracking software on the flash drive. At that point a user could walk around to any machine that was unoccupied and has a user logged it, they could plug the USB drive in and run the password cracking software and walk away with the information saved on the drive. Not a good thing.