Winning the Consumer Gadget Wars

CSOs will need smart policies, good awareness programs and judicious enforcement to manage risks presented by USB drives, camera phones and other consumer gadgets

Technologies, particularly those marketed to the individual consumer, are evolving rapidly and in unpredictable ways. Since we wrote in 2002 about eye-catching technologies that bedevil CSOs (see www.csoonline.com/printlinks), cell phones have morphed into multifunction devices incorporating PDAs, cameras and MP3 players, leaving a trail of obsolete acceptable-use policies in their wake. This places security executives in the uncomfortable position of trying to set controls on a constantly shifting and mutating target.

The trickiest aspect of the problem is that many of these technologies are valuable business tools when used with the appropriate security controls. However, all too often, eager employees purchase, download or otherwise acquire these groovy gadgets and programs, and enthusiastically integrate them into their work environment, heedless of the holes they are punching in the company's security net.

Take Skype, the free, downloadable Internet telephony system that launched in August 2003. Skype users can make free phone calls to other computers all over the world. A great idea, right? Not if you work in security, because Skype encrypts all of its traffic and skirts firewalls by making outbound connections on whatever ports are left open, including the ones ordinary web browsing uses. That's a bonus for users, but a nightmare for CSOs who can neither inspect the traffic nor reliably block it. In the 51 days following Skype's launch, the company registered an impressive 1.5 million downloads and 100,000 simultaneous users. When programs like this catch on, they spread like dandelions in spring. At its one-year anniversary, Skype boasted approximately 9.5 million subscribers and 1.5 million users per day.

So how does a CSO kill the weeds without burning the grass? We took a look at four rowdy technologies: camera phones, portable data storage devices, wireless computing and the joint threat posed by peer-to-peer technologies (P2P) and Web-based services. They are well-meaning and widely used tools that can be office assets, but also can wreak havoc when used carelessly or maliciously. We sought the advice of security executives and other experts on the best steps to take to establish some control in the midst of the chaos.

Camera Phones: Prying Eyes. At many companies, a camera phone (great for office party snapshots or for capturing an interesting presentation slide) wouldn't raise an eyebrow. At Cardinal Health, cell phones equipped with cameras are a physical security threat.

Cardinal Health has its hand in almost every facet of a drug's lifecycle, from development, manufacturing, packaging and delivery to pharmaceutical distribution. To allow photographs of how valuable drugs move through these stages could create security vulnerabilities. Cardinal Health also handles personal medical information that falls under Health Insurance Portability and Accountability Act regulations. "To allow cameras anywhere near the process, from when we receive [the product] to when we deliver it to the end users, would be a huge vulnerability, and it's not one we're willing to accept," says Tim Gladura, the company's CSO.

That said, camera phones are particularly challenging to contain because they're not connected to any platform that the company controls. Gladura says that a "no cameras" policy and an ongoing awareness campaign that conscripts employees into the security ranks works best. "I'd rather have 55,000 sets of eyes out there than just my department," he notes. But even that is not enough. His department also has enacted other policies that help to keep cameras out of sensitive areas. For example, employees at the distribution facilities are discouraged from taking lunch in the parking lot, to allow security to better discern whether other, unauthorized individuals are sitting in the lot to observe loading dock operations. The doors that cover employee lockers are grated, offering security personnel a view of the contents. And random security searches are not unheard of.

At Tommy Hilfiger USA, camera phones pose a different kind of threat: the potential loss of intellectual property. David Jones, vice president of corporate loss prevention and security, worries about visitors who enter the company's design studios. "For anyone in our business, the design patents are the innovations that the company lives off of," says Jones. A covertly snapped picture of a dress for the new fall line that is e-mailed to a competitor represents a real loss.

Jones also relies on a no-camera policy to protect the design areas, but he worries about the increasing prevalence of camera phones and their shrinking forms. His fears are well-founded. According to InfoTrends/Cap Ventures research, by 2009, 89 percent of all new mobile phone handsets will include a camera. And the technology is advancing so quickly that it is harder and harder to tell which cell phones can take snapshots. "On older phones you could tell if there was a camera; now you can hardly tell, so we have a policy that we can't really enforce beyond awareness and training," Jones says. He adds that to his knowledge a theft by camera phone has not yet occurred, "but the threat is always there for it to happen."

CSOs also need to worry about protecting their employees' privacy when camera phones are around. One security executive, who declined to be identified because of the sensitivity of the situation, recounted a case where employees using the company's shower facilities after lunchtime workouts became concerned about a man who always seemed to be talking on his cell phone in the changing area. Public locker rooms and gyms frequently have "no cell phone" rules, and locker rooms provided by an employer should be no different.

"Information about people [photographic or personal data] is way more valuable than information about anything else," says Stephen Cobb, author of Privacy for Business (Dreva Hill, 2002), a book that offers executives advice on safeguarding privacy of customer data. "Companies often focus on protecting financial secrets, but information about people can cost the company more."

At First Data, which specializes in money transfers and credit card processing, CISO Phil Mellinger has an employee dedicated to examining mobile devices and other technologies that employees want to bring into work, and who gives written approval from security where appropriate. Without that approval, the device is banned. "We used to approve general security configurations," says Mellinger. "For example, if someone used a wireless device, there were two approved configurations for security. But now each device has its own security configuration, so we have to get down to the device level." Mellinger also notes that camera phones are not just a security issue but an HR issue and a procurement issue as well. "You have to get so many different entities in the company focused on the problem and approach it from different perspectives, but it is a massive problem," he says.

According to industry sources, the Pentagon and defense contractors have long had cellular detection equipment, but that kind of technology is now going mainstream. Companies that offer cell phone detection technologies, such as Phoenix-based Cellbusters, are gaining traction in corporate markets. The CellBuster device can detect a cell phone that is switched on (even if it is not in use) within a range of 90 feet, and it issues an audio alert that tells the user to shut off her phone. It can also operate in a silent mode, alerting security personnel with a flashing light. Note what such a detector actually senses: the handset's radio transmissions. A phone whose radio is switched off but whose camera still works will not register, so detection supplements the policy and awareness work rather than replacing it. This kind of product is ideal for companies that have certain targeted areas within their facility that should be camera phone-free, whether it's the boardroom or the locker room.

Keychain Storage Drives: Data A-Go-Go. The threat posed by USB mini-drives has burgeoned during the past year. Plug one of these keychain-size storage devices into a USB port and any information you can access just became portable. Employees can download gigabytes of data off your network and simply walk out the front door. Just 1GB of data is roughly comparable to a pickup truck loaded with documents, notes Dan Geer, vice president and chief scientist at data security vendor Verdasys. Some of these devices can hold up to 60GB. But thumb drives aren't the only form of digital storage media giving security executives heartburn. MP3 players and even iPods, the ubiquitous cool gadget of the moment, can be used to download and store any kind of file (not just music).

Marcus Rogers, an associate professor in the Department of Computer Technology at Purdue University, works with the Center for Education and Research in Information Assurance and Security (CERIAS) to study iPod forensics. "You can have an entire bootable drive on your iPod, and depending on the operating system, you can carry your entire workstation around with you," he says. "Also a lot of times if you hook an iPod to your system it's not going to show up on the network. Because it's at the local machine level it doesn't get an IP address. Only if [security] is doing active probing 24/7 might they find that extra storage device." Rogers notes that the iPod comes with the Windows file system, so the problem isn't limited to Apple systems.

"USB has absolutely exploded in the last year," says Michele Lange, a staff attorney with Kroll Ontrack, which offers software and services for data forensics and electronic discovery. "I've been doing this about four or five years," says Lange, "and I would say that [USB storage devices] are now an issue in a large majority of our cases." Lange adds that most of those cases are employment-related situations where an employee has tried to harm a company by stealing trade secrets. Of course, intellectual property leakage can happen just as easily when one of these tiny drives is lost or stolen.

However, there are steps CSOs can take. The first is to practice rigorous file security; employees should have access only to the information that they need. But since many employees have access to valuable information, companies have taken steps to deal with the issue more emphatically. Some have chosen to disable all of the USB ports on every system in the firmware setup (the BIOS, or basic input/output system, that runs before the operating system loads), a setting that only holds if the BIOS setup itself is password-protected, and have taken away administrative privileges so that savvy users can't re-enable the ports from within the operating system.

Cobb, the privacy book author, says he knows companies that have a locked-down configuration and don't allow the user to change anything. "This can be quite effective on two levels: on a practical level, and on a psychological level by making it clear computers can only be used for company business and won't work if you try to use them for anything else." Some companies have taken more drastic steps. Geer recounts a story of one company that tried to address the problem by filling each USB port with hot epoxy glue (before eventually realizing the impracticality of the strategy, most notably that it would take forever).
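The operating-system half of the lockdown described above, as an added example that is not from the article or from any of the companies it quotes. The script audits and disables the Windows USB mass-storage driver (USBSTOR) on one host and lists every mass-storage device Windows has ever enumerated, the same registry artifact a forensic examiner reads to answer "was a thumb drive or iPod plugged in here?". It assumes a Windows host with PowerShell and local administrator rights for the disable step; the function names are ours.

```powershell
# Added example (not from the article): audit and disable USB mass storage on one Windows host.
# Assumes Windows 7 / Server 2008 or later with PowerShell; writing to HKLM needs local admin.
# USBSTOR is the USB mass-storage class driver. Start=3 (default) loads it on demand; Start=4
# disables it, so thumb drives and iPods in disk mode never mount, while USB keyboards, mice
# and printers (different device classes) keep working.

$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbStorEnum    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorageState {
    # Reports whether the mass-storage driver is allowed to load on this host.
    $start = (Get-ItemProperty -Path $UsbStorService -Name Start).Start
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        StartValue   = $start
        Disabled     = ($start -eq 4)
    }
}

function Disable-UsbStorage {
    # Sets Start=4. Supports -WhatIf so the change can be dry-run before a rollout.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($UsbStorService, 'Set USBSTOR Start=4 (disable USB mass storage)')) {
        Set-ItemProperty -Path $UsbStorService -Name Start -Value 4 -Type DWord
    }
}

function Get-UsbStorageHistory {
    # Windows records every mass-storage device it has enumerated under Enum\USBSTOR as
    # <Disk&Ven_x&Prod_y&Rev_z>\<serial or instance id>. The key survives after the device is
    # unplugged, which is what makes it useful after the fact.
    if (-not (Test-Path $UsbStorEnum)) { return }
    foreach ($class in Get-ChildItem -Path $UsbStorEnum) {
        foreach ($instance in Get-ChildItem -Path $class.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            [pscustomobject]@{
                DeviceClass  = $class.PSChildName
                InstanceId   = $instance.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

Get-UsbStorageState
Get-UsbStorageHistory | Format-Table -AutoSize
Disable-UsbStorage -WhatIf   # remove -WhatIf to apply; confirm with Get-UsbStorageState afterwards
```

Two caveats go with this. A user who still holds local administrator rights can set the value back to 3, which is why the companies quoted above pair the lockdown with removing those rights; across a fleet the same control is normally pushed through Group Policy (Computer Configuration, Administrative Templates, System, Removable Storage Access) rather than by script. And the history function only shows devices that were recognised as mass storage, so a device that presented itself as something else will not appear there.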

CSOs have to ensure they're not preventing employees from conducting their regular business duties. USB ports are, after all, there for a reason. USB flash drives are not all bad news either. They can be incredibly useful tools and some are available with Advanced Encryption Standard (AES) data protection, which protects the contents if the drive is lost or stolen, though not against an employee who walks out with it on purpose. For an executive who can't live without his USB drive, the best solution might be to provide him with one handpicked by the security team.

Policy also has a role to play here. Dev Bhatt, director of corporate security for Airlines Reporting Corp. (ARC), a company owned by the airlines that handles aspects of ticketing as well as data and analytical services, has crafted his company's acceptable use and enterprise security policies to focus on the forbidden acts of removing corporate data or connecting an unapproved device, rather than on the device itself. The emergence of new, small, multifunction devices is happening so rapidly that companies must ensure that their policies are broad enough to include emerging technologies. If the policy is too device-specific, the CSO will end up having to rewrite the rules every few months.

Wireless: Roaming Hazard. It's a sign of the times that in some cases security teams have to behave like hackers to be successful. Sniffing out ad hoc wireless networks in a "no wireless allowed" work environment is one such case. Most of the security executives we spoke with have found unauthorized wireless networks at their companies. These networks are so cheap and easy to set up that they will continue to be a problem in many companies. But detecting a clandestine Wi-Fi network two floors down is a breeze compared to the problem security executives encounter when their employees utilize wireless networks outside the office.

Wi-Fi is built into most laptops, and wireless computing is so liberating that few untethered employees can resist the lure of a coffee shop or hotel access point. But unless users are educated about the specifics of wireless security, they could be laying the corporate network bare to any curious or malicious bystander. Security policies must spell out who can access the network, how, when and where. For the company's own access points, a software-based firewall on each laptop and link-layer encryption, whether it is Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) or ideally WPA2 (the Wi-Fi Alliance certification built on the IEEE 802.11i standard), must be used to ensure that casual roamers aren't hopping aboard. Treat WEP as no protection at all: its keys can be recovered from captured traffic in minutes. And on a public hotspot the employee does not control the access point's encryption, so the host firewall and a VPN back to the corporate network are what actually protect the session.
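Putting the two wireless tasks above together, as an added example that is not from the article or from any of the companies it quotes: a scan parser that reads the output of the Windows command netsh wlan show networks mode=bssid, then flags access points missing from the approved inventory (the "clandestine network two floors down", or a copy of the corporate SSID from a stranger's radio) and networks still running open, WEP or TKIP encryption. The sample scan text is constructed to mirror netsh's layout so the script runs offline; the approved-BSSID list, the "strong signal means on premises" threshold and the function names are assumptions.

```powershell
# Added example (not from the article): parse 'netsh wlan show networks mode=bssid' output and
# flag rogue access points and weak encryption. $SampleScan is constructed sample text shaped
# like netsh's real output; $ApprovedBssids is an assumed inventory of the company's own APs.

$SampleScan = @'
Interface name : Wi-Fi
There are 3 networks currently visible.

SSID 1 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 80%
         Radio type         : 802.11n
         Channel            : 6

SSID 2 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP
    BSSID 1                 : aa:bb:cc:dd:ee:01
         Signal             : 95%
         Radio type         : 802.11g
         Channel            : 1

SSID 3 : linksys
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : aa:bb:cc:dd:ee:02
         Signal             : 70%
         Radio type         : 802.11g
         Channel            : 6
'@

$ApprovedBssids = @('00:11:22:33:44:55')   # assumed: radio MACs of the company's managed APs

function ConvertFrom-NetshWlanScan {
    # Turns netsh's indented text into one object per BSSID (SSID, auth, encryption, signal, channel).
    param([string[]]$Lines)
    $ssid = $null; $auth = $null; $enc = $null; $current = $null
    $results = New-Object System.Collections.Generic.List[object]
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^SSID\s+\d+\s*:\s*(.*)$'                  { $ssid = $Matches[1].Trim(); break }
            '^\s+Authentication\s*:\s*(.+)$'           { $auth = $Matches[1].Trim(); break }
            '^\s+Encryption\s*:\s*(.+)$'               { $enc  = $Matches[1].Trim(); break }
            '^\s+BSSID\s+\d+\s*:\s*([0-9A-Fa-f:]{17})' {
                # A new radio under the current SSID inherits the SSID-level auth/encryption lines.
                $current = [pscustomobject]@{
                    Ssid = $ssid; Bssid = $Matches[1].ToLower(); Authentication = $auth
                    Encryption = $enc; Signal = 0; Channel = 0
                }
                $results.Add($current); break
            }
            '^\s+Signal\s*:\s*(\d+)%'  { if ($current) { $current.Signal  = [int]$Matches[1] }; break }
            '^\s+Channel\s*:\s*(\d+)'  { if ($current) { $current.Channel = [int]$Matches[1] }; break }
        }
    }
    return $results
}

function Find-WirelessRisks {
    # Policy checks: evil twin (corporate SSID from an unknown BSSID), unapproved AP with a strong
    # signal (assumed heuristic for "probably inside the building"), and open/WEP/TKIP encryption.
    param([object[]]$Networks, [string[]]$ApprovedBssids, [string]$CorpSsid)
    foreach ($n in $Networks) {
        $findings = @()
        if ($ApprovedBssids -notcontains $n.Bssid) {
            if ($n.Ssid -eq $CorpSsid) { $findings += 'corporate SSID from unknown BSSID (evil twin?)' }
            elseif ($n.Signal -ge 60)  { $findings += 'unapproved AP with strong signal (likely on premises)' }
        }
        if ($n.Authentication -eq 'Open' -or $n.Encryption -in @('None', 'WEP')) {
            $findings += 'no or broken encryption (open/WEP)'
        }
        elseif ($n.Encryption -eq 'TKIP') { $findings += 'TKIP (WPA1); move to WPA2/CCMP' }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Ssid = $n.Ssid; Bssid = $n.Bssid; Channel = $n.Channel; Signal = $n.Signal
                Findings = ($findings -join '; ')
            }
        }
    }
}

$networks = ConvertFrom-NetshWlanScan -Lines ($SampleScan -split "`r?`n")
Find-WirelessRisks -Networks $networks -ApprovedBssids $ApprovedBssids -CorpSsid 'CorpNet' | Format-Table -AutoSize
# Live scan instead of the sample (Windows WLAN service must be running):
# $networks = ConvertFrom-NetshWlanScan -Lines (netsh wlan show networks mode=bssid)
```

On the sample data the approved CorpNet radio passes clean, the second CorpNet radio is reported as a possible evil twin on TKIP, and the open "linksys" box is reported as an unapproved access point with no encryption. A laptop's radio only hears what is in range of wherever it sits, so a walk through the building with the live scan is the low-budget version of the sweep the security executives describe, not a replacement for dedicated sensors.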
