http://www.thechannelinsider.com/article2/0,1759,1636529,00.asp
By David Raikow
August 16, 2004

Opinion: The idea of banning portable storage media in the workplace sidesteps the fact that internal security is a human issue, not a technical one.

Not too long ago, the Gartner Group raised a minor dustup in the IT community by releasing a report claiming that portable storage media - including consumer devices such as cameras and MP3 players with built-in or removable memory - represent a new security threat to corporate networks. While I am almost always happy to see people talking about security beyond firewalls and virus scanners, this particular case represents a classic example of the way in which the tech community - including the media - regularly bungles security issues.

According to the Gartner Group, these devices have grown so easy to use, and place so much memory within such small and innocuous physical packages, that they represent a dangerous new mechanism for employees to steal data or introduce malicious code into corporate networks.

The Gartner report simultaneously sensationalized and diminished a key security issue by taking it out of context and presenting it as a new problem tied to specific technologies. The media and much of the tech community, in turn, leaped to the worst possible conclusion from the Gartner report: that the real issue was whether businesses should ban iPods.

Internal data security is not a new problem, nor is it strictly speaking a technical one; employees have been stealing business records since businesses have been keeping them. Banning iPods will stop nothing. While there are some exceptions, there is very little data of value that an employee would need a gigabyte of memory to remove from an office. You can fit a lot of credit card numbers on a floppy disk, or for that matter, on a piece of paper.

So, how should businesses address this issue?
Internal security is an enormous topic, but the first step is to recognize it as a human, rather than a technical, problem. If an employee can access a specific piece of data, he or she can steal it, no matter what technological precautions you may take. Human issues require complex, nuanced responses, and they rarely have a "silver bullet" solution.

The best precaution you can take is to know your employees. Before you give someone access to your valuable data, it is entirely appropriate for you to take reasonable steps to be confident that they are trustworthy. Keep in mind, however, that it's important to be completely upfront with the applicant about those steps. When making a new hire, ask applicants hard questions, check credit reports and really interview references; don't take anything at face value. Respect for staff's privacy is both ethical and necessary to maintain a productive work environment; nevertheless, managers must be responsible for staying aware of their staff's personal qualities, interpersonal dynamics and morale. Don't snoop - Big Brother in the workplace accomplishes nothing but making employees miserable - but know your people, who should be trusted, and how far. No, striking a balance isn't easy.

But keep in mind that the primary role of technology in this process should lie in maintaining appropriate limitations on access to data. Know what information individual employees need to do their jobs - and what they don't. Use network authentication and authorization systems, account restrictions and OS-level permissions to make sure staff can easily access appropriate data but nothing else. Make liberal use of internal firewalls, encryption and intrusion-detection systems to detect and block attempts to circumvent your access controls. These systems should be as transparent as possible to your employees; think of them as the digital equivalent of locks on filing cabinets and office doors.
Last, and definitely least, if removable media remain a particular concern, consider taking technical steps to prevent them from interfacing with your network. I would definitely not recommend banning cameras and MP3 players from the office, but there is nothing necessarily wrong with preventing them from being plugged into office computers or other equipment. Several vendors offer software products that can disable or limit access to FireWire and USB ports, including Zone Labs, Symantec, SecureWave and Verdasys. Keep in mind that these measures are pointless unless they also include steps for disabling CD and DVD burners, Zip drives and other writable media. This approach can require substantial investments in time and money, restricts legitimate and useful functionality, and is far from foolproof. But in high-security environments, it can provide some additional protection when used in conjunction with other precautions.

Understanding that some of the biggest threats to your network come from the inside is crucial to a realistic assessment of your security needs. Looking for a simple answer to a complex problem, however, is just asking for trouble.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
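An added illustration of the port-blocking paragraph above (example configuration written for this edit; it is not from the article and not a product of any vendor it names): on a Linux workstation the same effect can be had without commercial software by refusing to load the USB and FireWire storage drivers and by removing write access to optical drives, which leaves keyboards, mice and disc reading working. The directory layout, file names and function names are assumptions for the example; the script stages files under a directory you pass in, so review them before deploying with "/" as the root, as root. The article's caveat still holds: root bypasses all of this, and it does nothing about paper, e-mail or network copies.

```shell
#!/bin/sh
# Added example (not from the article): stage a removable-media lockdown
# for a Linux workstation. Assumptions: the host uses modprobe.d and udev,
# and the administrator reviews the staged files before copying them in.
set -eu

# Write the policy files under $1 (a staging directory, or "/" to apply).
write_removable_media_policy() {
    root="$1"
    mkdir -p "$root/etc/modprobe.d" "$root/etc/udev/rules.d"

    # 1. Refuse to load the drivers behind USB and FireWire storage.
    #    "install <mod> /bin/false" also defeats an explicit modprobe,
    #    which a plain "blacklist" line does not.
    cat > "$root/etc/modprobe.d/block-removable.conf" <<'EOF'
# USB mass storage (bulk-only and UAS) and FireWire SBP-2 disks
install usb-storage /bin/false
install uas /bin/false
install firewire-sbp2 /bin/false
install sbp2 /bin/false
EOF

    # 2. Optical drives stay readable but not burnable: the kernel only
    #    accepts write commands on a device opened for writing, so mode
    #    0440 denies burning while the cdrom group can still read discs.
    cat > "$root/etc/udev/rules.d/90-no-burn.rules" <<'EOF'
KERNEL=="sr[0-9]*", SUBSYSTEM=="block", GROUP="cdrom", MODE="0440"
EOF
}

# Audit the policy under $1: name each gap and return 1 if any is found,
# so a half-applied policy (the failure mode the article warns about) is
# reported rather than silently accepted.
verify_removable_media_policy() {
    root="$1"
    status=0
    for mod in usb-storage uas firewire-sbp2 sbp2; do
        if ! grep -q "^install $mod /bin/false" \
                "$root/etc/modprobe.d/block-removable.conf" 2>/dev/null; then
            echo "missing block for $mod"
            status=1
        fi
    done
    if ! grep -q 'MODE="0440"' "$root/etc/udev/rules.d/90-no-burn.rules" 2>/dev/null; then
        echo "optical drives still writable"
        status=1
    fi
    return $status
}
```

Usage: `write_removable_media_policy /tmp/stage && verify_removable_media_policy /tmp/stage`, then copy the two files into /etc and run `udevadm control --reload` (a reboot also picks up both). The audit function is the part worth keeping around: the article's point is that blocking USB alone is pointless, and the check fails whenever any one of the listed paths is open.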
This archive was generated by hypermail 2.1.3 : Tue Aug 17 2004 - 04:38:50 PDT