All IT Security plans are made up of several elements relating to people, processes and hardware and software. They are carefully crafted in the light of a corporate security policy designed to protect, as far as is possible, the organisations systems and intellectual property from internal and external attacks, damage and theft.
Each of these elements of the IT Security plan takes account of the following characteristics:
People are the biggest threat to IT Security. They try to avoid security controls, they use and write down easily guessed passwords, they bring information from home on non-malware scanned devices.
Processes, however well crafted miss gaps that can be exploited, and become out of date as other business processes change and technology advances.
Hardware and software
The plan will contain elements of policy and procedure to ensure that hardware and software remain up to date. In particular, malware signature files must be regularly updated and distributed to ensure protection against the latest threats. Network security staff must also keep on top of the latest types of network attack threats and distribution vectors.
However, having said all that there are still areas of concern that must be addressed.
One such is the use of USB ports on edge devices.
In the past, USB ports were mainly used by support staff to install new software applications and application updates and to carry out routine maintenance tasks. However, the emergence of cheap and affordable media transfer devices has made it possible for users to use a USB connection to transfer information between different devices outside the normal network environment.
This has opened up a whole new opportunity to bypass malware protection and carry out intellectual property theft, easily and cheaply.
On the domestic front, many users have home computers, and in-house wireless networks supporting office computers for family management, games computers for the children and devices to download media, principally music, TV programmes and movies.
People often use USB connected flash drives and portable hard drives to transfer media and information between home and office and between each other. It can be as innocuous as videos and pictures from their latest vacation, or it could be confidential corporate information.
Home installations do not have the same level of malware protection as commercial installations and can easily transfer malware. In addition, the ability to copy confidential information and remove it from the workplace is easy given the small size of USB flash drives.
Here are potential security risks from USB connection.
Intellectual Property Theft
The high capacity and small size of USB flash drives makes it very easy to download corporate information to the USB flash drive and remove it from the building without detection. In addition, many companies give out branded USB flash drives as a marketing tool. A potential thief does not even have to buy one, and the branding allows it to pass easily through any security checks.
Most domestic installations will have at best freeware anti-malware packages. It is also doubtful If the regular malware updates are applied at the proper and or regular times. There is therefore a very high potential for transfer of malware between home and office.
Installation of unauthorized applications software
Users can bring software from home and install it on their desktop computer. Such software may not conform to corporate standards and cause operational difficulties and additional maintenance requirements
Loss of Productivity
Most users would prefer to watch music videos or watch the latest episode of their favourite soap-opera than engage in productive work. Downloading media content at home and bringing to work is becoming more and more commonplace. Further, because of the often dubious nature of the media source, the potential for introducing malware significantly increases.
So, what can be done? There are several immediate courses of action.
Standard Systems Image
Most corporate installations have the opportunity to define standard desktop configurations. Such configurations must disable USB ports, with the obvious exceptions being those that support WiFi interfaces and wireless keyboards/mice. The ability to install or modify software must also be disabled.
The corporate standard will therefore have two user profiles, the standard user, and a tech support profile which allows unrestricted access to the desktop.
Education and Training
Users must be educated to be made aware of the security risks of unrestricted use of USB media. Security staff also need to be made aware that flash drives should be treated in the same way as the unauthorised removal of other corporate assets.
In summary, there is a great potential for USB devices to be used as malware vectors and as methods of intellectual property theft. They need to be treated from a security standpoint with the same care as other methods.