What’s on Your iPod?
Portable media devices put companies at risk of data theft or loss.
In February 2007, the U.S. Attorney’s Office in Delaware announced that it had filed criminal charges against former DuPont senior scientist Gary Min for allegedly misappropriating technical documents. Min, who had worked as a research chemist for DuPont for 10 years before accepting a job with a competitor, downloaded more than 20,000 sensitive documents and viewed thousands more before leaving the company. Min pleaded guilty to trying to steal $400 million worth of company trade secrets, and now faces up to 10 years in prison.
The headlines surrounding Min’s case have helped raise awareness of the so-called “data leakage” problem, but many companies remain unaware of the risks. The problem has become acute in recent years as the storage capacity of portable media has increased. USB flash drives and memory sticks are cheap, readily available and hold many gigabytes of data, making it a simple matter for an employee to steal client lists, sales forecasts and other sensitive information.
In fact, any number of consumer electronics devices — including MP3 audio players, digital cameras, even cell phones — could be used to pull off a similar heist. It is a particularly stealthy mode of theft because the devices simply plug into any USB port, completely bypassing traditional security measures such as firewalls.
“Media players such as the ubiquitous iPod are essentially USB memory devices with playback functions. Capable of storing up to 160GB of data and not much larger than a credit card, they can potentially be used to scan and download huge amounts of sensitive corporate data — a process that has been dubbed ‘pod slurping,’” said Ispirian Computer Forensics' Tom Smith, a forensic scientist and a member of the American College of Forensic Examiners Institute of Forensic Science. “Businesses should not underestimate the immense security threats posed by these devices.”
Real and Present Danger
Beyond outright data theft, portable media increase the risk of data loss. Because these devices rarely include security features of any kind, confidential information stored on them is readily available to anyone who finds or steals one.
“Memory sticks containing highly confidential U.S. military information were found for sale at local bazaars in Afghanistan. The Los Angeles Times reported that one such device held the names, photos and phone numbers of Afghan spies working for the military, as well as other documents that described intelligence-gathering methods and information,” said Smith. “Now, imagine the damage to your business if customer information, contracts, proposals or other sensitive data fell into the wrong hands.”
In addition to the potential threat of data theft and data loss, USB devices can also introduce viruses and other malicious software into the corporate network, either accidentally or through deliberate acts of sabotage. Users could bring in infected documents from home, or take a business document home to an infected PC, update it and return it to a corporate file server.
The storage capacity of these devices also means users could bring in unauthorized software or data files from home that didn’t previously fit on a floppy disk. This includes shareware programs, software pranks, spyware, MP3 files, video clips, pornography and other inappropriate files that affect productivity and violate corporate policies.
While some industry experts recommend banning the use of portable media in the workplace, this is probably an unworkable solution. An increasing number of companies already have executives carrying these devices, often without the knowledge of the IT staff. Attempting to forbid the use of the devices will simply drive their use underground and remove any control the organization may hope to have over them.
A more effective approach, according to Smith, involves developing guidelines and rules for the use of these devices, including educating users and security personnel about the risks and establishing policies for taking data out of the office or bringing files in from home. There are also products available that help organizations enforce granular policy for allowed devices.
“These solutions enable organizations to create a ‘whitelist’ of devices that are allowed to run on company systems. Any device not on the list is denied access,” he said.
Data encryption can also help. Smith says that organizations should consider issuing company-approved flash drives with built-in encryption and asset control features rather than allowing employees to bring in their own devices.
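The device whitelist and company-issued drives described above can be sketched as a default-deny check on USB connection events. This is an added example, not code from the article or from any product it mentions; the Windows-style instance ID format, the vendor/product IDs, serial numbers and host names are all constructed assumptions.

```python
import re

# Assumption: events carry Windows-style USB instance IDs,
# i.e. USB\VID_xxxx&PID_xxxx\<serial>.
INSTANCE_ID = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.IGNORECASE)

# Constructed allowlist keyed by (vendor ID, product ID).
ALLOWLIST = {
    ("1234", "00A1"): {"CORP0001", "CORP0002"},  # issued encrypted drives, pinned by serial
    ("1234", "00B2"): None,                      # hypothetical keyboard model: any unit
}

def decide(instance_id, allowlist=ALLOWLIST):
    """Return (verdict, reason) for one device; anything not listed is denied."""
    m = INSTANCE_ID.match(instance_id.strip())
    if not m:
        return ("deny", "unparseable instance ID")
    vid, pid, serial = (g.upper() for g in m.groups())
    if (vid, pid) not in allowlist:
        return ("deny", "model not on allowlist")
    serials = allowlist[(vid, pid)]
    if serials is None:
        return ("allow", "model allowed, any serial")
    # Windows generates an ID whose second character is '&' when a device
    # reports no serial number, so the unit cannot be tied to an issued asset.
    if len(serial) > 1 and serial[1] == "&":
        return ("deny", "no unique serial")
    if serial in serials:
        return ("allow", "issued device")
    return ("deny", "serial not issued")

# Constructed sample events: (host, instance ID).
EVENTS = [
    ("ws-014", r"USB\VID_1234&PID_00A1\CORP0001"),
    ("ws-014", r"usb\vid_1234&pid_00a1\corp0002"),        # case differs, same policy
    ("ws-022", r"USB\VID_1234&PID_00A1\PERSONAL99"),      # right model, personal unit
    ("ws-022", r"USB\VID_1234&PID_00A1\6&2A1B3C4D&0&2"),  # no hardware serial
    ("ws-031", r"USB\VID_BEEF&PID_0001\000A27001122"),    # unlisted media player
    ("ws-031", r"USBSTOR\Disk&Ven_X"),                    # not a USB instance ID
]

def audit(events):
    """Attach a verdict and reason to every connection event."""
    return [(host, iid, *decide(iid)) for host, iid in events]

if __name__ == "__main__":
    for host, iid, verdict, reason in audit(EVENTS):
        print(f"{host:7} {verdict:5} {reason:26} {iid}")
```

Pinning storage devices by serial number rather than by model is what separates a company-issued drive from an identical one bought by an employee.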
Given the obvious benefits, such as the ability to assist mobile working, portable storage devices likely will become nearly universal in the next few years. If these devices cannot be locked out, they must be accommodated and controlled. Gary Min was caught because of the sheer volume of documents he downloaded — how many other data leaks have gone undetected?
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.