Mobile storage – security strategies
Mobile storage creates risk
Preventing unauthorised storage devices from causing problems is no easy task, writes Robert Jaques. Most companies are failing to deal with serious security risks created by the proliferation of USB flash drives, MP3 players and similar storage devices, industry experts have warned.
Mobile storage – security strategies
Preventing unauthorised storage devices from causing problems is no easy task, writes Robert Jaques. Most companies are failing to deal with serious security risks created by the proliferation of USB flash drives, MP3 players and similar storage devices, industry experts have warned.
Experts said in some cases firms should ban the use of such devices to avoid the risk of downloading malicious code, losing sensitive data or infringing copyright. Ruggero Contu, client research consultant at analyst Gartner, said unauthorised portable storage devices pose many dangers.
Many with USB or FireWire IEEE. 1394 can quickly download a lot of valuable corporate information, which could easily be leaked to the outside world, he said.
“This underlying vulnerability has existed since the release of Windows 2000, the first widely deployed operating system able to mount a USB storage device automatically,” Contu commented in a research note.
Gartner said many portable devices could present dangers, including pocket-sized FireWire hard drives and USB hard drives and keychain drives. Disk-based MP3 players, such as Apples iPod, and digital cameras with smart media cards and other memory media also pose a threat. “Companies are at risk of losing intellectual property and other critical corporate data,” Contu warned.
“Portable storage devices are ideal for anyone intending to steal sensitive and valuable data. Employees may also be responsible for losing data if they inadvertently mislay these devices.”
Gartner advised companies to forbid the use of uncontrolled, privately-owned devices with corporate PCs. Otherwise, firms should improve controls with better security, policies and technology tools. “Managers should advise on the main procedures to be followed for the eventual use of such devices for instance, to confirm the need for password and security protection [encryption] of stored corporate data. This will also help mitigate risks from loss or theft,” added Contu.
Generally, managers should enforce a desktop lockdown policy.They should also consider disabling Universal Plug and Play after installing drivers to permit only the use of authorised devices, advised Gartner.