Hello iPod, Goodbye Assets
Until the very late nineties, when a person needed to transfer a file from one computer to another it was not uncommon to hear references to "Sneaker-net". This meant copying the file onto a floppy disk, putting on one's sneakers and walking the disk over to the other computer. A slightly higher-speed version of this file-transfer method was later developed, and referred to as "Frisbee-net". I shall leave it to the reader to work out why.
Today, the floppy disk drive doesn't appear on many new computers as its capacity (around 1.4Mb) is too low for any significant data transfer. Usually it's easier to send the file via email or other file sharing methods. However, Sneaker-net lives on!
Most readers are familiar with 'thumbdrives': portable USB devices which can hang off a lanyard or key ring and carry, in some cases, many gigabytes of data. Although I remember, with some discomfort, paying nearly a hundred bucks for a 256Mb model a few years ago, these days they are so cheap it is not uncommon to receive them as marketing freebies from vendors. Everybody is carrying them.
Which begs the question - what else are people carrying on the device? There are two key scenarios involving portable storage devices which may pose a threat to your organisation's information assets: theft of data, and insertion of malicious data such as viruses or Trojan horse code. Every organisation should assess the value of their information assets in the same manner by which they would assess physical assets. It is no good valuing the Holden station wagon for insurance purposes but ignoring your client database, billing records or intellectual property, which in most cases represent the most important assets in your business. Worse, whereas you'd notice if someone pinched the Holden, it's just as likely that theft of information would go completely unnoticed.
If your critical information assets are stored in a location where they can be accessed en masse, for example your database file is stored in a commonly accessible directory, it is straightforward for someone to steal it by copying it directly onto a portable storage device such as a thumbdrive.
Countermeasures may include protecting access to the directory or encrypting the database. However, you will need to discuss with your IT management the ramifications for legitimate access, including performance and the potential risk of data corruption. In other words, make sure the solution reduces your risk rather than increasing it. Put simply, however, people usually access data via a client utility, database query or web interface. There is seldom any good reason why they need direct access to the whole of a large information repository.
In addition to tiny 'thumbdrives', portable hard-drives now come in small enclosures requiring no power supply beyond plugging them into the USB port. Some models can carry up to a few terabytes (a terabyte is about one thousand gigabytes) of data for well under a thousand dollars. Like most devices we come across within security (e.g. firearms) this technology can be used for good or evil depending on whose hands are controlling them. As an inexpensive means of carrying large amounts of data in the field, or as part of a backup strategy, these devices can be excellent. However they can also allow large quantities of data to be stolen.
Then there is the most prolific data storage device of all. It's white, shiny, plays music and, properly configured, can even steal information. The iPod. Most regard the iPod as a music playing device, and that is certainly its main purpose. However, underneath the shiny white exterior, the iPod is essentially a 30-80 Gigabyte portable hard-drive, which seldom looks out of place in most offices. With the addition of freely downloadable software, a technique known as "podslurping" allows a user to simply plug the device in and have it automatically copy files from the PC onto the iPod's internal hard-drive.
It was this last bit of news that caused widespread panic a couple of years ago. The Gartner group went so far as to suggest an office-wide ban on the devices. Sensitive government installations have certainly banned them from secure areas. To everyone else however, I say this: Relax.
The simple fact is this - since the days of floppy discs, if a person really wanted to steal your information, they probably could. Block the floppy drive or USB slot, they'll burn it to a CD. Remove the CD-burner, they'll email it. Scan emails, they'll print it out. In any case, in all but maybe a handful of organisations nationally, every single act listed above would raise barely any suspicion. The only people likely to notice and get upset at someone printing onto three reams of paper are tree-huggers (and let's face it, they rarely become security officers anyway.) Remove printers, users will photograph the screen and so on. Interestingly, it was a take on this last suggestion that saw a man photograph every page of a stolen copy of the last Harry Potter novel and upload it to the internet before the book's planned release (after the publisher spent a reported US $20 million on keeping the book secret.)
I have also heard of organisations with highly motivated Information Security management, who attempted to stop unauthorised insertion of USB devices by employing the common low-tech method of squirting epoxy (or superglue) into the USB slots on all their PCs. Cheap and effective. Until a year later, when one company decided to further improve security by implementing desktop fingerprint scanners, connected to each PC by... You guessed it. USB now stood for Utterly Stuffed and Buggered.
However, the threat of software being deliberately (or accidentally) introduced onto your networks is one worth addressing. Most antivirus scanning is performed at the network boundary, for example an email gateway. Desktop antivirus may not be as effective at stopping malware. Moreover, custom-coded Trojans will usually not trigger any virus scanners which are predominantly based on samples of 'widespread' or 'mass infection' code. It is a trivial exercise to stand outside any CBD company and hand out 'free' USB keys or CDs which will invariably find their way into work PCs and potentially execute malicious code put on them earlier.
As such, despite my earlier suggestion that data theft is difficult to completely eradicate, there are certainly good reasons to control which storage devices are being connected. Unfortunately, too many legitimate devices, such as a keyboard and mouse, use USB these days, so disabling the port altogether in hardware or the 'BIOS' is frequently not an option. Put away that superglue! There are, however, software-based means of controlling which devices will be activated when plugged in. These can, for example, allow cameras, keyboards and printers, but not thumbdrives or MP3 players. Alternatively, they could make the port 'read only', or apply various other controls with a surprisingly high level of granularity.
Do bear in mind that, like any other security control, this tool is only as strong as the manner in which it is implemented and maintained. You don't want to make it so 'hard' that it gets in the way of legitimate business, nor so 'soft' that it's not worth the bother. Microsoft also has a simple 'registry' setting which prevents connection of 'mass storage devices'. The setting can be easily employed in a "Standard Operating Environment" such that it applies to all machines on the network. It is, however, an 'all or nothing' approach, so it should be thoughtfully considered as well. If you must whip out the superglue, I would suggest you pay additional attention to networked computers in public areas, such as the front-desk or meeting rooms.
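The article does not name the registry setting. The following added example (not part of the original article) assumes it is the `Start` value of the Windows `USBSTOR` driver service, where 3 loads the driver on demand and 4 disables it. The function names are illustrative; the script reports the current state, lists USB storage devices the machine has already seen, and can apply the block.

```powershell
# Added example: audit, and optionally enforce, the USB mass-storage driver setting.
# Assumption: the 'registry setting' is the USBSTOR service Start value
# (3 = load on demand, 4 = disabled). Enforcing requires an elevated prompt.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbEnumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorageState {
    # Report whether the mass-storage driver is currently disabled
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Start    = $start
        Blocked  = ($start -eq 4)
    }
}

function Get-UsbStorageHistory {
    # Each subkey is a device model; its children are individual device instances
    if (-not (Test-Path $UsbEnumKey)) { return @() }
    Get-ChildItem -Path $UsbEnumKey | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Model        = $model
                Instance     = $_.PSChildName
                FriendlyName = $p.FriendlyName
            }
        }
    }
}

function Set-UsbStorageBlocked {
    # All or nothing: this affects every USB mass-storage device on the machine
    param([bool]$Blocked = $true)
    $value = if ($Blocked) { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    Get-UsbStorageState
}

Get-UsbStorageState | Format-List
Get-UsbStorageHistory | Format-Table -AutoSize
# Set-UsbStorageBlocked -Blocked $true   # uncomment to enforce the block
```

Keyboards, mice and printers use other drivers and keep working. The device history is worth reviewing before enforcing, since it shows which storage devices staff already rely on.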
Finally, as with many security technologies and as demonstrated earlier, if the users do want to get around it, they probably will. It would therefore be foolish to rely on this technology to the exclusion of more basic security principles. Firstly, a clearly defined and disseminated information security policy, to make sure well-meaning staff actually understand the problem and can help you enforce it. That is, do not plug in unauthorised devices. Secondly, for the benefit of staff who might be copying data shortly before leaving a company and for whom sacking is an unlikely concern, more traditional counselling techniques should be used. That is, gently reminding terminated staff of their responsibilities - If you steal information from this company, you, your children and your children's children will die in poverty. Obviously you will need legal advice on how to better word this.
The important goal should generally not be to turn everything off and ban everything else. For indeed, you could take this approach to its logical conclusion and turn off all your computers and ban staff entering the office. Nice and secure but not a worthwhile trade-off for actually doing business. However, following an identification of your information assets - 'where the money is' - one can set about adequately protecting them to avoid thumbdrive-wielding bandits.