In Depth

Winning the Consumer Gadget Wars

CSOs will need smart policies, good awareness programs and judicious enforcement to manage risks presented by USB drives, camera phones and other consumer gadgets

By Daintry Duffy

Marcus Rogers, an associate professor in the Department of Computer Technology at Purdue University, works with the Center for Education and Research in Information Assurance and Security (CERIAS) to study iPod forensics. "You can have an entire bootable drive on your iPod, and depending on the operating system, you can carry your entire workstation around with you," he says. "Also a lot of times if you hook an iPod to your system it's not going to show up on the network. Because it's at the local machine level it doesn't get an IP address. Only if [security] is doing active probing 24/7 might they find that extra storage device." Rogers notes that the iPod comes with the Windows file system, so the problem isn't limited to Apple systems.

"USB has absolutely exploded in the last year," says Michele Lange, a staff attorney with Kroll Ontrack, which offers software and services for data forensics and electronic discovery. "I've been doing this about four or five years," says Lange, "and I would say that [USB storage devices] are now an issue in a large majority of our cases." Lange adds that most of those cases are employment-related situations where an employee has tried to harm a company by stealing trade secrets. Of course, intellectual property leakage can happen just as easily when one of these tiny drives is lost or stolen.

However, there are steps CSOs can take. The first is to practice rigorous file security; employees should have access only to the information that they need. But since many employees have access to valuable information, companies have taken steps to deal with the issue more emphatically. Some have chosen to disable all of the USB ports on every system at the BIOS level (the PC processor's basic input/output system) and have taken away administrative privileges so that savvy users can't re-enable the ports.

Cobb, the privacy book author, says he knows companies that have a locked-down configuration and don't allow the user to change anything. "This can be quite effective on two levels: on a practical level, and on a psychological level by making it clear computers can only be used for company business and won't work if you try to use them for anything else." Some companies have taken more drastic steps. Geer recounts a story of one company that tried to address the problem by filling each USB port with hot epoxy glue (before eventually realizing the impracticality of the strategy, most notably that it would take forever).
