Source: Brian Contos, ArcSight
Brian Contos, CISSP, chief security officer at ArcSight, looks at the threat posed to corporate data security by portable media devices such as USB keys and MP3 players.
In today’s heightened threat environment facing financial services organisations, attacks can come from anywhere inside or outside the organisation. The traditional focus on protecting the perimeter has led would-be attackers to attempt to infiltrate the organisation from the inside, and with it the very real threat of data theft is growing.
Identity theft is one of the UK’s fastest growing crimes. The FSA recently warned of the increase in insider threat, and with the presence of online data auction sites and the possible malicious capabilities of plug-and-play devices, data theft is a crime that is becoming easier to make money from. It is no coincidence that identity and data theft have grown so quickly over the last couple of years, paralleling the increasing popularity of USB keys and other mass storage devices.
For some time there has been concern about the potential threat of high-capacity portable media devices like USB keys, DVD burners, MP3 players and iPods, and it seems these worries may have been well founded. There are malicious possibilities offered by mass storage devices when in the hands of an individual with the will and intent to steal critical information from the organisation, and last month the threat to the financial organisation became more potent.
US security expert Abe Usher urged companies to address the threats posed by data theft after creating a test application that can fill an iPod with business-critical data in minutes. The application searches the company network for files likely to contain critical information and then downloads them onto the iPod on which it runs. The process, which has become known as ‘pod-slurping’, runs at about 50Mb of data every minute, and could have disastrous consequences for financial firms if it were replicated in the wrong hands: if a security expert can do it, why not a hacker?
The application was created to scare organisations into doing something about the huge threat posed by data theft, but its purpose should not be the main concern for financial organisations. Usher believes that with a 60GB iPod someone could probably obtain and walk out with all the information held in a medium-sized firm.
These capabilities become even more alarming when coupled with the realisation that very little is done to restrict the use of plug-and-play devices. A survey carried out this week by Silicon.com revealed that 70 percent of UK organisations do not block or restrict the use of iPods and other USB storage devices, or their connection to the network. In addition, a survey carried out by McAfee and ICM Research in December last year revealed that more than half of employees connect their own devices to work PCs, and a quarter of these do so every day.
The threat of data theft, and the difficulty of identifying the culprit, increase with the size of the organisation and the breadth of access it grants, while the rewards and opportunities for disgruntled employees to make money from data theft are ever increasing because of organised crime and online data auction sites.
The simple fact is the more access people have, the more potential harm they can cause. Take for example access to a credit card database. If there are 100 operators and every operator has access to every record and every field within each record, the level of damage one rogue operator could cause is significant, and the perpetrator would be more difficult to detect. In this case an iPod may pose a more significant threat because most people wouldn’t think twice about seeing it connected to a computer.
Protection against this sort of scenario seems relatively straightforward: deploy encryption, including field-level encryption, strong access controls, separation of duties and need-to-know access. Now everything is tightly controlled and it will take substantially more effort than plugging in an iPod to remove critical data. The problem, however, is that while this may be possible for a finite number of servers and applications, the approach is unlikely to scale across an entire multinational organisation.
Limiting what employees can attach to the network is one way of combating data theft and the new threat of ‘pod-slurping’. However, the business use of mass storage devices is undeniable, and if financial organisations do not want to risk restricting their employees’ productivity then the only answer is to identify the critical assets on the corporate network, take the appropriate steps to secure them and monitor the environment. Separation of duties, least privilege and need-to-know access can all help, but in addition to preventative measures, an overall solution must be coupled with detective techniques to audit and monitor the system.
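As an added illustration of the detective side described above (example code, not ArcSight’s product or anything from the article), the following correlates a removable-media mount event with the volume of network file reads that follow it from the same user on the same host, and raises an alert when that volume exceeds a threshold. The key=value audit log format, field names and thresholds are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real product): an operator mounts a
# USB device and then pulls three large files from a card-data share within a few
# minutes; a second operator reads one small file with no device attached.
SAMPLE_LOG = """\
2005-06-01T09:00:05 host=ws17 user=operator42 event=usb_mount device=iPod
2005-06-01T09:00:30 host=ws17 user=operator42 event=file_read path=/shares/cards/batch01.csv bytes=52428800
2005-06-01T09:01:30 host=ws17 user=operator42 event=file_read path=/shares/cards/batch02.csv bytes=52428800
2005-06-01T09:02:30 host=ws17 user=operator42 event=file_read path=/shares/cards/batch03.csv bytes=52428800
2005-06-01T09:03:00 host=ws03 user=operator07 event=file_read path=/shares/cards/batch01.csv bytes=1048576
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")  # assumed: ISO timestamp, then key=value pairs

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["ts"] = datetime.fromisoformat(m.group(1))
    return fields

def detect_slurping(log_text, window_minutes=10, threshold_bytes=100 * 1024 * 1024):
    """Flag (user, host) pairs that read at least threshold_bytes from the
    network within window_minutes after mounting removable media.
    Returns a list of (user, host, total_bytes, file_count) tuples."""
    mounts = {}                            # (user, host) -> time of latest mount
    totals = defaultdict(lambda: [0, 0])   # (user, host) -> [bytes read, files read]
    window = timedelta(minutes=window_minutes)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        key = (ev["user"], ev["host"])
        if ev["event"] == "usb_mount":
            mounts[key] = ev["ts"]
        elif ev["event"] == "file_read" and key in mounts:
            # Only reads that follow the mount, within the window, count.
            if timedelta(0) <= ev["ts"] - mounts[key] <= window:
                totals[key][0] += int(ev["bytes"])
                totals[key][1] += 1
    return [(u, h, b, n) for (u, h), (b, n) in totals.items() if b >= threshold_bytes]

if __name__ == "__main__":
    for user, host, total, files in detect_slurping(SAMPLE_LOG):
        print(f"ALERT {user}@{host}: {files} files, {total / 2**20:.0f} MB read after USB mount")
```

In a real deployment the mount and file-access events would come from different sources (endpoint agent and file server audit log), so the correlation key should include a reliable host identifier rather than a free-text name.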
With the right level of preventative and detective measures in place for the particular financial organisation, removable media becomes a less critical point and employees can still take advantage of products like iPods while maintaining the security integrity of the organisation.