Portable IT & teleworking resources


Securing portable IT devices

GFI EndPointSecurity software can control and log access to USB ports and devices such as memory sticks, USB hard drives, iPods etc. Similar products are available from Safend and ControlGuard.

Small drives cause big problems includes the line “Some alarmed companies are even super-gluing USB ports shut so data cannot be downloaded from PCs and laptops.” This may be a reference to an attempted theft of £220m (US$423m) from Sumitomo bank in London using keyloggers, after which Sumitomo reportedly glued up its keyboard sockets. According to the BCS, the National High-Tech Crime Unit (since absorbed into the Serious Organised Crime Agency, SOCA) described USB devices as the ‘Swiss army knife of the cyber criminal’, but I thought that was Metasploit.

A sample security policy on the NIST website covering USB thumb drives may give you some ideas for your own policies. The site’s tag line is notable: “IT security is no accident. Be aware, be alert, and be safe in cyberspace.”

A list of the top ten of the ~50,000 jobs handled in 2006 by data recovery specialists DiskLabs reveals a number of threats to portable IT devices. Some of them have the ring of ‘the dog ate my homework’ but they appear vaguely credible. Perhaps we should add ‘jilted lovers’ to the standard list of IT threats we consider?

A Techworld article indicates that portable PCs are an increasingly important security risk to the corporate network. Staff and managers alike seem unaware of the increased risks from spyware, porn etc.

A US-CERT Cyber Security Tip reminds business travelers and conference attendees to secure their laptops and PDAs (both hardware and data) against theft. Another concerns the need to secure data on portable devices.

NetworkWorldFusion reported on the Comdex conference at Las Vegas, focusing on security issues with mobile phones, PDAs etc. The article mentioned security risks ranging from “SMS-flood” denial-of-service attacks to “theft and corruption of corporate data; unauthorized access; disruption of transactions to and from the handheld; loss of data; and malicious code passed to an enterprise network from the handheld”.

ZDNet reported “The SANS Institute says the greatest concern for businesses should be the security of their laptops, as more companies replace desktops with notebooks. The mix of sensitive data being taken out of the organisation and a lack of encryption, coupled with incidences of human error that can see such devices lost or stolen, means companies should make this issue a top priority. The SANS report also said the theft of other mobile devices, such as PDAs and smart phones, will increase because of the value of the data they may contain.”

Data security and backups can be a pain for roving users of portable PCs but SecureTrieve is an attractive option. The system protects data stored on the PC using AES encryption and makes offsite backups over the web. Without the user’s password a thief who gets hold of the machine sees only ciphertext, and the user can retrieve his valuable data from the off-site backup onto another machine. Combining this with PC Phone Home might even give the user a fighting chance of finding the stolen PC when it next connects to the web.

Not all lost portables were necessarily stolen or accidentally damaged. One was shot by an enraged user, losing his data in the process [doh!].

A study by the NCC Group security consultancy delivered a “party invitation of a lifetime” gift box with a USB drive to finance directors at 500 UK companies, and many eager but clueless recipients duly plugged the USB drives into their machines. Compounding the problem, many even clicked on the “Yes I want to install some software” option with barely a clue about what the software was actually going to do. “This demonstrates a fundamental lack of healthy suspicion by IT users, even at a senior level. The need for real security awareness has never been greater …”

A child pornographer in England was discovered as a result of a student finding porn on a trainee maths teacher’s USB memory stick.

A few organizations that recognize the security issues created by USB thumb drives, hard drives, CD-RWs etc. decide to lock down the USB ports on their systems. The usual way to do this is to buy, test and install additional USB control software. A Microsoft MVP (Most Valuable Professional) has come up with a low cost alternative using native Windows functionality, specifically Group Policy. WindowsDevCenter explains how to define a policy to disable the USB storage driver, and a Microsoft Knowledge Base article contains the necessary registry settings. Note that this only blocks the USB mass-storage class driver: USB keyboards, mice, network adapters and the like still work, and a local administrator can simply re-enable the driver, so the setting needs to be enforced centrally rather than set once by hand.
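The following PowerShell is an added illustration of the native-Windows approach described above; it is not code from the MVP, WindowsDevCenter or the Microsoft article. It assumes the standard USBSTOR service key (HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR) where a Start value of 3 loads the mass-storage driver on demand and 4 disables it, and it uses WMI (Win32_DiskDrive) to list any USB disks the system currently sees. Run it from an elevated prompt; the function and variable names are the author’s own.

```powershell
# Added example (not from the page or Microsoft): enable, disable and audit the
# Windows USB mass-storage class driver (USBSTOR) via its service Start value.
#   Start = 3  SERVICE_DEMAND_START: driver loads when a USB disk is plugged in
#   Start = 4  SERVICE_DISABLED:     driver never loads, so USB disks do not mount
# The change applies to devices plugged in *after* it is made; a disk that is
# already mounted stays mounted until removed. Requires an elevated prompt.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Report the current policy in plain words rather than a raw DWORD.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        3       { 'Enabled'  }
        4       { 'Disabled' }
        default { "Unexpected USBSTOR Start value: $start" }
    }
}

function Set-UsbStorageState {
    # Flip the driver between demand-start (3) and disabled (4).
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    Write-Host "USBSTOR Start set to $value ($State)"
}

function Get-UsbDisks {
    # Audit helper: list USB-attached disks the OS currently knows about, so you
    # can confirm what the control is (or is not) blocking on a given machine.
    Get-WmiObject -Class Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        Select-Object Model, Size, Status, PNPDeviceID
}

# Typical lockdown run: record the state before and after the change.
"Before: $(Get-UsbStorageState)"
Set-UsbStorageState -State Disabled
"After:  $(Get-UsbStorageState)"
Get-UsbDisks
```

Because anyone with local administrator rights can set the value back to 3, this is only a real control when it is pushed and re-applied by Group Policy (a registry setting in a GPO that applies to the workstation OU) and when users are not local administrators; on its own it is a deterrent for casual users, not a barrier to a determined insider.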

If staff or visitors are determined to bypass your organization’s firewalls and other network access controls, they may simply carry the data past them on a modern portable memory device such as a USB flash memory stick or PDA, moving large amounts of data surreptitiously into or out of your four walls. There are technical access controls to prevent users attaching such devices to corporate PCs, but education and awareness of the security issues remains an important and cheap procedural control.

Physical security is obviously an issue for PDAs, Blackberries, smart phones, memory sticks and all those other portable IT devices. Think about it: if your favorite device were to be lost or stolen, how much would the data be worth, let alone the hardware? If the device and data gave access to the corporate network, would your CEO be amused? What about all that juicy personal data - the names and contact details of your nearest and dearest? Possible solutions include physical protection (locks, cables, not leaving the device on the back seat of a cab ...), logical protection (passwords, encryption, multi-factor authentication, not telling the cabbie your password ...) and in case it all goes wrong, contingency plans (recent backups, remote deletion of data, the cab firm’s name and number on their receipt ...).

Briefing on PDA security.

Commercial software from companies such as PDAlock can enhance the limited built-in security typical of most PDAs.

Information Security Magazine covered physical security issues with portable IT devices such as PCs and PDAs.

Teleworking security issues

An international survey reveals a fascinating discrepancy between what teleworkers say they do in the way of information security and what they actually do. For example, about a quarter admit to personal use of company laptops yet around half say they shop online (OK, some might be shopping with the corporate credit card, but probably not all of them). There are significant implications for those of us who use questionnaires and interviews to assess the level of security awareness. Essentially, the survey warns us against believing everything we are told and to beware the gap between perception and reality.

The Internet Security Alliance posted this paper from CERT advising homeworkers on the basics of information security. 

A long article in SecurityPipeline recommends those using IPsec VPNs for teleworkers should change to SSL VPNs.

In theory at least, Virtual Private Networks (VPNs) using strong encryption create a significant barrier to hackers whilst providing a secure ‘pipe’ for remote communications over public networks such as the Internet. In practice, however, VPNs are not always properly configured (weak or default credentials, split tunnelling onto untrusted home networks, unpatched clients), leaving organizations with a false sense of security. This is a classic example of the situation described by crypto-guru Bruce Schneier: the cryptography remains theoretically sound but implementation and configuration problems open up serious vulnerabilities in the real world.

Slightly off-topic but important nonetheless is RSI (Repetitive Strain Injury). Teleworkers or homeworkers may be more prone to RSI than office workers since some of them work in less than ideal conditions. PC trolleys (euphemistically known as “computer workstations”), for example, are probably unsuitable for long-term use. Managers who encourage teleworking should at least issue guidance to employees on suitable working conditions at home.

War-dialling (the use of hacking programs to dial a range of phone numbers in search of modem responses), once a well-known threat from the hackers and phone phreaks of old, seems to have been forgotten by today’s system administrators. This is somewhat surprising, as war-driving is essentially a modern version of much the same technique, and forgotten dial-up modems on teleworkers’ PCs or on maintenance ports bypass the corporate firewall entirely. Software tools such as PhoneSweep can be used to check a range of numbers for modem responses, and SandTrap is a honeypot designed to intercept incoming war-diallers.

Bluetooth security

A US-CERT Cyber Security Tip on Bluetooth advises users to use the security features of Bluetooth devices, and to take care when making their devices ‘discoverable’.

Way back in 2003, a researcher from @stake released a program called RedFang, a tool for locating ‘non-discoverable’ Bluetooth devices by brute-forcing their addresses, alongside research into a weakness in the key exchange process when Bluetooth devices ‘pair’. The pairing attack was barely practicable at the time due to the infrequency of pairing and the cost of searching the keyspace, although certain mobile phones could be persuaded to disgorge their phone books and other sensitive information. If your phone is Bluetooth enabled, someone nearby could compromise it, perhaps whilst you are on a train or in a crowd (“bluestumbling”?). A Bluetooth specialist from TDK Systems claimed Bluetooth is secure after all, but the dispute rumbled on. In 2005, Israeli cryptographers demonstrated a refinement of the technique that tricks paired Bluetooth devices into re-pairing immediately, captures the exchange, and brute forces a short PIN (and hence the link key) in a fraction of a second. The to-and-fro has continued ever since.


Related NoticeBored links collections

Incident management, physical IT security, network security, accountability, Bugs! and security awareness


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd.