|What your mother never told you about the dangers of Removable Media
Written by Magnus Ahlberg
The rise of the mobile data market has been rapid, lucrative and dangerous. Long gone are the days when you needed identical tape drives and software on both computers. The traditional floppy disk market and local tape markets were superseded by the super-floppy and zip drive. Now even they are disappearing as the mobile data storage market evolves.
Thanks to their large capacities, portability and simplicity, removable media have become one of the most popular types of storage device around today. You have only to go down to one of the big computer shows to be offered a free memory stick as a stand give-away. If you take part in an IT training course, you might be given one with all your course notes stored on it. They are so cheap that they are the obvious way to store information: business proposals, accounts, clients' details, marketing plans and so on.
The arrival of the MP3 music player has had a significant impact on the market. While Apple sees music as the only reason for owning an iPod, its competitors have simply created large USB stores with some built-in music software. An increasing number of people now view the MP3 player as both a data and an entertainment tool. The danger here is that, as an entertainment device, it falls below the radar, and with storage capacities set to exceed 80GB by the end of 2005 it is a serious threat to data protection.
Here are 10 things you probably don’t know about this market.
If this doesn’t scare you then you clearly are not responsible for looking after corporate security.
- The first Compact Flash drives began to appear in quantity five years ago and started at 8MB. By 2004, Lexar had released an 8GB device aimed predominantly at the professional photo market.
- USB Pen Drives are now often hidden inside pens making them very difficult to detect by security teams.
- Seagate now ships a proper, very small form factor 5GB USB disk drive. It is less than half the size of a Yo-Yo and features a real disk drive spinning at 3600rpm.
- USB pen drives, currently 4GB, are expected to reach capacities of over 8GB by mid 2005.
- New mobile phones can use memory cards holding in excess of 1GB.
- Research in 2004 suggested that a modern office worker carrying an MP3 device and a mobile phone would be capable of storing over 20GB of data.
- MP3 and mobile video player company Archos will soon launch a 100GB device.
- The new 1-inch hard disks are expected to reach 100GB within 12 months.
- Blocking the USB port would prevent all USB devices from working, and on operating systems like Windows XP it is easy to circumvent.
- IDC predicts that the sale of very small hard disks will explode from less than 18m in 2004 to over 100m in 2008. Most of those will be in portable devices that could be carried into offices.
Here are some facts about corporate data:
- The average word processing file is 3 pages in length and between 25KB and 30KB. That means that a 20GB MP3 player could hold over 750,000 documents.
- The majority of corporate networks do not audit what data a user copies to a local machine or attached device.
- New compliance legislation means that you must develop a policy for the use of devices or risk being fined by regulators.
- 99% of users who use mobile devices to transfer data use no encryption to protect their contents.
Think about how easy it would be to remove your corporate data. During the 1980’s the fear was that people would be able to save the customer or company price lists onto a floppy disk and take it to their next employer. Today, they can not only take that information but also your entire customer database showing purchasing prices and history on a single device.
The advent of fast Internet access in the office meant that employees used the company network to download files. Increasingly, that has meant people pulling down illegal content as well as installing peer-to-peer (P2P) software on their desktop computers. With P2P installed, they can move files between the office and home on CD, DVD or other removable media. The danger to the corporate network is that file sharing through P2P exposes the company's internal structure.
Preventing people from bringing devices and media into the office is an extremely difficult problem. Look at the physical size of much of this media: it is easily missed in a pocket, briefcase or handbag. Short of instituting an invasive and very workforce-unfriendly search policy, keeping devices out of the company is virtually impossible.
The solution, then, appears to be one of management. The first step here is to decide on what you can and cannot enforce. Remarkably few companies realise how limited their powers actually are, especially with respect to current privacy and human rights legislation.
For example, preventing employees from bringing their MP3 player to work and then using it during lunchtime would require draconian terms of employment that are almost certainly illegal. Companies that have tried similar experiments with regard to camera phones have found it hard to police and enforce.
What you can do, however, is ensure that all members of staff are aware that their employment does not allow the connection of non-company devices to their computers or other peripherals. This means banning people from downloading their photos to that nice colour printer. No swapping music with the person who sits next to you if that means connecting to the computer and using it as a transfer point.
Administrators need to create security solutions that log the amount of data that a user downloads. It is already acceptable to search an employee's hard disk for illegal files, but few companies do this. Nightly sweeps of hardware to find MP3, WMA, JPG and other file extensions would seem a simple thing. Unfortunately, all of these formats have legitimate work uses and are often used by software packages for saving business files.
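A sweep that keys only on extensions misses a renamed file and flags every legitimate product photo, which is the weakness the paragraph describes. The Go program below is an added example, not code from the original article or from Pointsec: it walks a directory, identifies files by their leading bytes rather than their names, and reports two classes of finding, media files (for a human to review, since they may well be legitimate) and files whose extension disagrees with their contents, which is the case an extension sweep cannot see at all. The signatures are the standard ones for each container; the sample directory and its file names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// signature pairs a content type with the leading bytes that identify it.
type signature struct {
	kind  string
	magic []byte
}

// Standard container signatures: JPEG SOI marker, ID3v2-tagged MP3,
// ASF (WMA/WMV) GUID prefix, and the ZIP local-file header used by OOXML.
var signatures = []signature{
	{"jpeg", []byte{0xFF, 0xD8, 0xFF}},
	{"mp3", []byte("ID3")},
	{"asf/wma", []byte{0x30, 0x26, 0xB2, 0x75}},
	{"zip/office", []byte("PK\x03\x04")},
}

// Finding is one file the sweep wants a human to look at.
type Finding struct {
	Path   string
	Kind   string // type according to the file's contents, not its name
	Reason string
}

// detectKind returns the content type implied by the file's first bytes.
func detectKind(head []byte) string {
	for _, s := range signatures {
		if bytes.HasPrefix(head, s.magic) {
			return s.kind
		}
	}
	return "unknown"
}

// extKind returns the content type a file's extension claims.
func extKind(ext string) string {
	switch strings.ToLower(ext) {
	case ".jpg", ".jpeg":
		return "jpeg"
	case ".mp3":
		return "mp3"
	case ".wma", ".wmv":
		return "asf/wma"
	case ".docx", ".xlsx", ".pptx", ".zip":
		return "zip/office"
	}
	return "unknown"
}

// Sweep walks root and reports media files identified by content, plus any
// file whose extension disagrees with its contents (e.g. an MP3 renamed .xls).
func Sweep(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		head := make([]byte, 16)
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		n, _ := f.Read(head) // a short read on a tiny file is fine
		f.Close()
		actual := detectKind(head[:n])
		claimed := extKind(filepath.Ext(path))
		switch {
		case actual != "unknown" && actual != claimed:
			findings = append(findings, Finding{path, actual, "extension does not match contents"})
		case actual == "jpeg" || actual == "mp3" || actual == "asf/wma":
			findings = append(findings, Finding{path, actual, "media file; may be legitimate, review"})
		}
		return nil
	})
	return findings, err
}

// BuildSample creates a temporary directory of constructed files for the
// demonstration: a .docx, a holiday photo, an MP3 disguised as a
// spreadsheet, and a plain text note.
func BuildSample() (string, error) {
	dir, err := os.MkdirTemp("", "sweep")
	if err != nil {
		return "", err
	}
	files := map[string][]byte{
		"report.docx": append([]byte("PK\x03\x04"), make([]byte, 20)...),
		"holiday.jpg": {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F'},
		"budget.xls":  append([]byte("ID3\x03\x00"), make([]byte, 20)...),
		"notes.txt":   []byte("Q3 pricing review, see attached."),
	}
	for name, data := range files {
		if err := os.WriteFile(filepath.Join(dir, name), data, 0o600); err != nil {
			return "", err
		}
	}
	return dir, nil
}

func main() {
	dir, err := BuildSample()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	findings, err := Sweep(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-40s %-10s %s\n", f.Path, f.Kind, f.Reason)
	}
}
```

On the sample, report.docx and notes.txt produce nothing, holiday.jpg is reported for review, and budget.xls is reported as an MP3 with a misleading name. Content signatures are still a weak signal (an archive or an encrypted file looks like nothing in particular), so the output is a review list, not evidence of misconduct.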
If you are to allow data to be transferred over removable media then you should consider how to secure it. There are several vendors with encryption solutions in the market. All of them have different advantages, but whatever you choose should have a minimum set of features:
- Work with policy files to allow data to be locked after a given number of password attempts.
- Have a mechanism so that data can be encrypted once and then accessed where required without having to install software on the receiving computer.
- Be backed by an administration program that allows for the recovery of lost passwords.
- Work on a range of devices and removable media.
- Be simple to use, implement and manage.
The last point is all too often overlooked when deploying security solutions. There is a belief that security means complex; it doesn't. To ensure that people use a solution it must be simple, effective and deal with all situations. If giving someone an encrypted file means they also need a copy of the software, it becomes a case of either buying them a licence or not encrypting at all. Many people will opt for the latter.
Files need to be self-contained, for example as an executable, with encryption still strong enough to thwart all but the most extensive brute-force attack. There are products that fall into this category and they are worth finding and deploying in order to minimise the risks. One possible approach is to ensure that everything copied from a computer onto any removable media is encrypted.
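To make the feature list above concrete, the Go program below is an added example, not Pointsec's code or that of any product the article refers to. It shows the core of "encrypt everything that goes onto removable media": a password-derived AES-256-GCM seal whose output is a self-contained blob (salt, nonce, ciphertext and authentication tag) that any copy of the same small tool can open, with no per-machine state. PBKDF2 is written out with HMAC-SHA-256 so the block needs only the standard library; the 200,000-iteration work factor, the function names and the sample customer list are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	keyLen     = 32     // AES-256
	iterations = 200000 // assumed KDF work factor; the only brake on offline guessing
)

// ErrBadPasswordOrData covers a wrong password and a tampered or truncated
// blob alike: GCM's tag check cannot tell the two apart.
var ErrBadPasswordOrData = errors.New("wrong password or corrupted data")

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA-256.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := 1; len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM derives the file key from password and salt and wraps it in AES-GCM.
func newGCM(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under password and returns a self-contained blob:
// salt || nonce || ciphertext+tag. The salt is also bound as associated data.
func Seal(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM([]byte(password), salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(salt, nonce...)
	return gcm.Seal(header, nonce, plaintext, salt), nil
}

// Open reverses Seal. Any failure, including a wrong password, yields the
// same error so the caller learns nothing about which it was.
func Open(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, ErrBadPasswordOrData
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	gcm, err := newGCM([]byte(password), salt)
	if err != nil {
		return nil, err
	}
	if len(rest) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrBadPasswordOrData
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, ErrBadPasswordOrData
	}
	return pt, nil
}

func main() {
	// Constructed sample of the kind of record the article worries about.
	secret := []byte("customer,unit price,last order\nAcme Ltd,41.50,2005-03-02\n")
	blob, err := Seal("correct horse battery staple", secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into a %d-byte blob\n", len(secret), len(blob))
	if _, err := Open("guess1", blob); err != nil {
		fmt.Println("wrong password:", err)
	}
	pt, err := Open("correct horse battery staple", blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", pt)
}
```

Two caveats follow from the list above. Locking data after a given number of password attempts is only enforceable by something the attacker does not control, such as the device's own controller or an agent on the reading machine; once the blob has been copied elsewhere nothing counts attempts, and the slow key derivation is the only thing that limits guessing, which is why the work factor is set deliberately high. Password recovery, likewise, needs an administration component that escrows a second key, which this example does not include. The blob here is plain data rather than a self-decrypting executable, because a user who is trained to run an executable that arrives on removable media has been trained to do something dangerous.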
Your corporate data has never been so insecure. The ease with which it can now be removed from the office surpasses anything in history. There are approaches that you can use, but they must encompass protection of content as well as system management; simply banning devices will not work.
Remember, we are now in a world where almost every month a new piece of regulation over data protection and access appears. If you don't sort this out now, the regulator will simply fine you extensive amounts of money and you will still have the problem.
About the author: Magnus Ahlberg is the Managing Director of Pointsec (http://www.pointsec.com )