Slashdot Mirror


iPod: Your Portable Corporate Hellraiser

MrAndrews writes "In an article on ZDNet UK, a Gartner says that "Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data." I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"

9 of 679 comments

  1. Common Policy by hypnotik · · Score: 4, Informative

    My father works in the Aerospace industry. He is required to leave his iPAQ at the front door every day.

    Is this overkill? Perhaps. But sometimes such heavy-handed policies make sense, especially when it comes to making war.

    --
    (I was only an egg, but then I cracked)
  2. Second step? by Anonymous Coward · · Score: 5, Informative

    Seems to me the first step should be to disable USB on machines which do not need it in the BIOS then lock the BIOS....

  3. German c't magazine showed how to disable USB... by flowerp · · Score: 5, Informative

    The German c't magazine recently had a short article about disabling the USB storage driver for non-administrator users on Windows 2000 and XP - effectively eliminating the security risk. This policy could be enforced by any system administrator on all desktops. Similar things could be done for Firewire ports and storage devices that attach to it. Basically it works by making the driver non-readable and non-executable for the average Joe Schmoe user logging into the system.

    Bring your own USB sticks? No problem. Can't use em anymore ;)

    Christian

    --
    --- Eat my sig.
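An audit for the kind of lockdown described in the comment above, as an added example that is not part of the original post or the c't article (whose exact steps are not on this page). It assumes the stock Windows locations of the USB storage driver files and the `USBSTOR` service key, and uses a simple ACL heuristic over three well-known group SIDs rather than a full effective-access computation; the function name `Test-BroadReadAccess` is hypothetical.

```powershell
# Added example: report whether ordinary users can still read/execute the
# USB mass-storage driver files, and whether the USBSTOR service is disabled.
# Run from an elevated prompt so the ACLs can be read.

$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$DriverFiles = @(      # assumed stock locations of the driver and its INF files
    "$env:SystemRoot\System32\drivers\usbstor.sys",
    "$env:SystemRoot\Inf\usbstor.inf",
    "$env:SystemRoot\Inf\usbstor.pnf"
)
$ReadExec = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-BroadReadAccess {
    param([string]$Path)
    # Resolve ACEs to SIDs so the check does not depend on localized group names.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $BroadSids -contains $_.IdentityReference.Value -and
                       (([int]$_.FileSystemRights -band $ReadExec) -ne 0) }
    $allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
    # Heuristic: exposed if a broad group is allowed and no broad group is denied.
    return ($allow.Count -gt 0 -and $deny.Count -eq 0)
}

$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                        -ErrorAction SilentlyContinue
$start = if ($svc) { $svc.Start } else { $null }

$report = foreach ($f in $DriverFiles) {
    if (Test-Path -LiteralPath $f) {
        [pscustomobject]@{ File = $f; BroadReadExecute = Test-BroadReadAccess $f }
    } else {
        [pscustomobject]@{ File = $f; BroadReadExecute = $null }  # file not present
    }
}
$report | Format-Table -AutoSize
"USBSTOR Start value: $start (4 = disabled, 3 = load on demand)"
```

A `BroadReadExecute` of `True` on any file, or a `Start` value other than 4, means a non-administrator plugging in a USB stick can likely still get the storage driver loaded.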
  4. Re:Instead of banning the devices outright... by pknoll · · Score: 3, Informative

    It's a tough problem to solve, that's for sure. I'll bet close to every single corporate spy on the planet is the very model of a high-quality, professional employee.

    I'm certain all of them will gaze with a steady stare and nod gravely when you explain the corporate policy against data on personal devices.

    And I'm convinced if you have a policy against bringing such devices to the workplace, you'll never ever see one carrying one.

    The "solution" of banning the devices is the wrong one, I'll grant you, but the companies here probably just can't think of anything else to do that's as easy as the stroke of a pen in the rulebook. Hiring employees you can trust is done exactly how? How do you know you can trust them? How long does someone have to work for you before you -know- they're not going to burn you?

    There were Soviet spies who lived as "normal" Americans for decades before becoming active. With all the money in corporate espionage at stake, I'm sure you could find a few people who would work to become trusted for years, until they could strike, possibly gaining access to more data the entire time.

  5. It's fair and often REQUIRED for business by mritunjai · · Score: 3, Informative

    Hey

    I work in India in a major software park. The company in the opposite quadrant is a typical BPO company and they have a LARGE poster stuck outside the entrance - "Please get checked and declare all your belongings at security". Several friends too told of similar rules in their companies.

    In short, for BPO firms, the data of their clients is of utmost importance. Even the CEO of the company is required to go through the mandatory check! Internet access is locked down. No CDROM/CDRW/Floppy/USB/Firewire! Even printer access is restricted and fully logged and accounted for!

    You can get fired for trying to access an irrelevant site (e.g. Yahoo briefcase), forget about bringing in that 40GB iPod or your favorite USB key.

    Oh yeah, did I tell you that even cameras are forbidden and you'd be handed over to police if you're seen taking a "group picture" with your team mates in the office! A camera phone can send you in for good.

    Folks, it's sometimes a business *requirement* not to allow such kind of things. You want to listen to music? Fine, bring along a vanilla walkman/discman/portable MP3 CD player whatever... just leave the fancy gadgets behind and you'll be fine.

    Fortunately I work in a company that has fairly open policies and our data is our own, so the rules are less stringent... no CDRW/USB drive, but still very open policies.

    --
    - mritunjai
  6. Re:you're in the US, yes? by Entropy · · Score: 3, Informative

    Yes I read the post.

    "even Charlton Heston would balk at this"

    That implies that Mr Heston is the "peachiest pie in the sky" when it comes to defending RKBA ... he is not. He is, like the NRA, weak and ready to compromise rights away at a moment's notice.

    --
    The sea changes color, but the sea does not change.
  7. How about my cell phone? by qazwart · · Score: 4, Informative

    If you can't bring in your USB watch, how about my bluetooth cell phone? Okay, bluetooth technology isn't as common as USB, but my phone can hold a gigabyte of data. Plus, it has a camera, so I can take pictures of secured areas.

    How can your office stop someone from bringing in their cell phone? Or a USB key on their keychain? Or their PDA?

    I'd hate to be responsible for corporate data security now with all of these devices floating around. Someone could discreetly download a lot of data onto their key chain. Heck, it is even easier with my bluetooth phone. I don't even need a wired connection, just be within 15 feet of my PC. I don't even have to be near my PC in order to download data.

    A few years ago, I worked for a large financial corporation when someone stole the HR database and sold it to identity thieves. Hundreds of us "highly compensated" employees suddenly discovered that someone was using our identity to buy electronic hardware, get bank loans, etc.

    It took me five months to clean up the mess, and I was lucky. I found out about it the very day it happened because one of the stores that gave this guy instant credit called me to verify if I had just applied for credit.

    Still, in a twelve hour period, that person went to over 3 dozen different stores from Atlantic City to Philadelphia getting instant credit and buying over $200,000 of goodies. I could literally figure out which roads he took by looking at the various times he hit the stores and applied for credit.

    Other people weren't so lucky because they didn't find out about it until either a collection agent called, or they were denied credit because of this attack.

    And who was the person who gave the information to the thief? Heck, it could have been almost any lowly paid clerk in HR. If you're only making $30,000 per year, someone offers you $100K or so for this kind of information, and you know the likelihood of you getting caught is almost nil, what would you do?

    Millions of employees with access to valuable data, and hundreds of ways to get around corporate security. Maybe 99.99% of your employees are dedicated, hardworking, and honest, but it's the other .01 percent that will destroy you.

  8. Depends on the Employer by Blic · · Score: 3, Informative

    This is probably expected at any sort of secure military or defense contracting site.

    I remember helping my father burn a CD full of MP3s once so he'd have something to listen to in the secure section where he worked. No portable radios or music players were allowed, no PDAs, no portable storage devices, nothing. The systems didn't have floppy drives or recordable CD drives and (obviously) weren't on the internet. I think that's just standard operating procedure.

    For the private sector, depends on the paranoia level I guess. You could fit a lot of data on a 40GB iPod... =)

  9. Re:They /are/ similar by decepty · · Score: 3, Informative

    You, sir, have watched Goldfinger one too many times... A single errant shot is not near big enough to depressurize a cabin. See here or here or here or... you get the point. Thanks for playing, try again.

    --
    Be careful! Bears shouldn't consume large furry dogs.