
December 12, 2008
Vol.30 Issue 50 Page(s) 24 in print issue
Protecting Portable Storage Devices
Keep Tabs On Your Data
For most people, portable storage devices—be they a thumb drive dropped in a pocket or a smartphone that provides Exchange access along with restaurant reviews—rank at the top of technologies that have improved their lives. But they can be a curse to IT managers because employees often access enterprise data, only to lose it or have it stolen. “The further you get from the server, the less actual control you have over [data],” says Gary Streuter, vice president of marketing at storage solutions provider CMS Products (www.cmsproducts.com). “You can lock up the servers, but client-side machines sitting out in an office are harder” to monitor, which means an employee might easily download something from his office computer to a USB key without your being the wiser—unless, of course, you keep some of these tips in mind.
Encryption Is A Must
According to Streuter, organizations are increasingly moving toward encryption as a way to keep mission-critical data out of the wrong hands. “Let’s assume you’re an accountant, and you’ve decided to work out of the house tomorrow, so you take a thumb drive and you download the payroll files on it. It falls out of your purse,” Streuter says. Whoever finds the thumb drive could conceivably retrieve employee Social Security numbers and bank accounts for automatic deposits, among other things. Encrypted data requires a password to unlock that drive. And while passwords can vary in strength, most would-be thieves tend to go for low-hanging fruit, so chances are the person who finds an encrypted drive will ignore it or toss it out.
Leverage Your Security
Sean Martin, vice president of marketing at endpoint security solutions provider SkyRecon (www.skyrecon.com), points out that you should remember to leverage what you do from a systems protection perspective together with protecting portable storage devices from data theft and loss. In other words, use the antivirus protection, host intrusion protection, and related technologies you have in place to make sure your information is also shielded from attack and compromise from malware and other threats. “Malware on the device could be another entry point just like floppy drives of years ago,” says Martin. “You want to protect your environment from attack through the device.”
Associate Devices With Specific Users
Martin says associating a portable storage device with a specific user helps to guard against threats, particularly ones from inside the company. For example, only the financial officer can use his own serial-numbered USB drive on his machine. “This effectively means the officer can’t go to a different machine and steal data if he wanted to. This locks the device to person and machine, ensuring his data is used by him on these devices,” says Martin. This strategy also prevents someone from taking her storage device and plugging it into another machine or logging into her PC as a guest to get around the system, which helps stave off any insider theft of data, says Martin. By using the serial numbers and vendor ID numbers of portable storage devices, a good third-party security solution will allow you to dictate which numbers can be used to access your network, says Nick Cavalancia, vice president of Windows management at Windows network management solution provider ScriptLogic (www.scriptlogic.com). “This restricts employees from bringing in a rogue portable storage device to download data,” Cavalancia says.
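The device-to-person-and-machine binding described above can be expressed as a small policy check. This is an added example, not code from the article or from any vendor it names; it assumes device-connect events arrive as Windows USB instance IDs (`USB\VID_xxxx&PID_xxxx\serial`) together with the logged-on user and host name, and every serial, user name and host name in it is constructed.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Windows USB instance ID layout: USB\VID_<4 hex>&PID_<4 hex>\<serial>
_INSTANCE_ID = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.I)

class Binding(NamedTuple):
    user: str
    host: str

# Constructed allowlist: (vendor ID, serial) -> the one user and machine permitted.
ALLOWLIST = {("0781", "4C530001230415117482"): Binding("cfo", "FIN-PC-01")}

def parse_instance_id(instance_id: str) -> Optional[Tuple[str, str]]:
    """Return (vendor_id, serial), or None if no trustworthy serial is present."""
    m = _INSTANCE_ID.match(instance_id.strip())
    if not m:
        return None
    vid, _pid, serial = m.groups()
    # A device with no hardware serial gets a Windows-generated ID whose second
    # character is '&'. It is not unique to the device, so it cannot be bound.
    if len(serial) > 1 and serial[1] == "&":
        return None
    return vid.upper(), serial.upper()

def evaluate(instance_id: str, user: str, host: str) -> Tuple[bool, str]:
    """Decide whether this device may be used by this user on this machine."""
    parsed = parse_instance_id(instance_id)
    if parsed is None:
        return False, "no usable vendor ID / serial"
    binding = ALLOWLIST.get(parsed)
    if binding is None:
        return False, "device not on allowlist"
    if user.lower() != binding.user:
        return False, "device bound to a different user"
    if host.upper() != binding.host:
        return False, "device bound to a different machine"
    return True, "ok"

# Constructed connect events: (instance ID, logged-on user, host name).
EVENTS = [
    (r"USB\VID_0781&PID_5567\4C530001230415117482", "cfo", "FIN-PC-01"),
    (r"USB\VID_0781&PID_5567\4C530001230415117482", "cfo", "HR-PC-07"),
    (r"USB\VID_0781&PID_5567\4C530001230415117482", "guest", "FIN-PC-01"),
    (r"USB\VID_0951&PID_1666\6&2A3B4C5D&0&2", "clerk", "PAY-PC-02"),
]

def denied(events):
    """Return (event, reason) for every event the policy rejects."""
    return [(e, evaluate(*e)[1]) for e in events if not evaluate(*e)[0]]
```

The default is deny: a device that reports no hardware serial is rejected rather than matched on vendor ID alone, since vendor ID by itself identifies a manufacturer, not a particular drive.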
Consider Third-Party Software
Cavalancia points out that Microsoft Windows’ built-in Group Policy controls provide a blanket all-or-nothing lockout on USB storage; however, these controls may not be sufficiently granular for many organizations, which might want to allow a CFO greater access to files than a payroll clerk. Third-party software can provide you with “the power to set policies allowing some users to have read-only access on available devices, completely allow or deny access for others, and enforce device lockdown for both local and remote users,” says Cavalancia. “Businesses can look for software solutions that can lock USB ports or have permissions and policies in place that can control who can have access to which files, where, and when.”
Track Data Leaving Your Network
CMS Products’ Streuter recommends having some type of data-tracking application that can tell you the parameters of a given file, including its name, size, the time it was downloaded, and who was logged onto the computer when it was downloaded. For his part, Cavalancia says that because breaches will happen despite anyone’s best efforts, data-tracking applications should also have reporting and alert capabilities, so that you can locate any individual who has inappropriately downloaded information. “Central reports will also allow administrators to see all attempts at restricted activities, [and forewarn] users with desktop alerts that they are performing a restricted operation, such as connecting an unauthorized USB stick, iPod, laptop, or PDA,” says Cavalancia.
by Robyn Weisman
Podslurping & Bluesnarfing: The Latest Threats To Enterprise Data
You’ve known for years that you need to protect your network from phishing, pharming, and spam, but have you been protecting your data from podslurping and bluesnarfing? Nick Cavalancia, vice president of Windows management at ScriptLogic (www.scriptlogic.com), says both methods have become more common in the enterprise in recent months. Podslurping describes a corporate employee placing important data on her iPod or MP3 device and then leaving the company with the stolen data. Although the term is fairly new, the method itself has been around for some time. More worrying to your enterprise network is bluesnarfing. “Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs,” says Cavalancia. “Bluesnarfing also captures calendar invites, contact lists, and emails, all of which have the potential to hold highly confidential and sensitive data.”