iPod: Your Portable Corporate Hellraiser
MrAndrews writes "In an article on ZDNet UK, a Gartner says that "Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data." I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
Not to skirt the question, but is this really "absurd overkill?" I'm sure that USB pens/watches/etc have been a boon to corporate espionage. With a USB storage device, you don't have to worry about burning CDs or emailing your stolen information off-site.
Having said that, I do think that some companies need to quit treating their employees like potential criminals. But if you work for a company like mine, where the data is the company's life-blood, I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space. (Thin clients would have gone a long way towards solving this problem, but that's another discussion.)
I work for a casino, and we don't allow our employees to bring in such devices either. I'm sure it still happens, but such policies are important when your customer database is vital to your income.
DeviantArt Page NSFW
My father works in the Aerospace industry. He is required to leave his iPAQ at the front door every day.
Is this overkill? Perhaps. But sometimes such heavy-handed policies make sense, especially when it comes to making war.
(I was only an egg, but then I cracked)
Corporate just recently issued 1GB thumb drives to all employees. We find it's easier for the users to back up their own crap and transfer it that way.
Teaching a user about network storage or even using the IrDA file transfer was unsuccessful... yet these dolts took to using the thumb drives like it was second nature.
So now USB storage devices are required and issued to users.
Do not look at laser with remaining good eye.
I used to work at a government defense contractor and this type of policy was standard there. No CD players, no radios, nothing with any type of electronics could be brought in, just in case they could somehow be used as a transmitter or to steal data or something. Oddly enough, floppies could be used. Go figure.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ...
How is that overkill? Sounds like a common-sense move for a firm that wants to take steps so that sensitive information doesn't just walk out the door. It's not that much different than walking in with a USB CD burner under your arm.
Stop by my site where I write about ERP systems & more
Seems to me the first step should be to disable USB on machines which do not need it in the BIOS then lock the BIOS....
I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day.
That's actually pretty generous if you're actually serious about the information the consultant handled being Top Secret. Even if it isn't, that's a much better alternative (for you) than being "let go" because you continued to wear a prohibited device after being told not to.
!#@%*)anks for hanging up the phone, dear.
Cute.
Makes me thankful for my original iPod with its FireWire connectivity only; there are no FireWire ports in this office.
Yes, like you're going to win that argument at the security door/HR rep/etc. "But my iPod only has a FireWire interface, unable to connect to the computers here!"
To them, that sounds like technical nonsense that makes you even more suspicious. "He mentioned fire!"
...or are you just glad to see me?
Seriously, the barn door's been open and the horse halfway to Topeka on this one for a while. Who needs an iPod? I've been carrying around virtually my entire business on one of these things for over a year. Sure, take away my music player, phone, key chain, watch, whatever, I'm a big boy and you pay me enough to play along, but at what point short of a strip search and replacing the pink-haired receptionist with a Brinks guard to watch over the stash does this policy become a smidge unwieldy?
(However, I do throw my whole-hearted support behind any policy which confiscates iPods (or sunglasses, for that matter) from any too-cool-for-the-room tool who doesn't stow them shortly after he enters the building...)
Banning personal portable storage devices (iPods, USB, powerful calculators w/ a computer connection, etc.) is pretty much standard (and smart!) practice when either government or industry classified/proprietary information is available. The risks are simply too great... the chance of soldiers dying due to a security violation or a company going under due to industrial espionage greatly trumps your desire to have a silly USB watch on your wrist all the time. If you don't like that reality, then don't take jobs that put you in contact with that sort of information in the first place.
_sig_ is away
The German c't magazine recently had a short article about disabling the USB storage driver for non-administrator users on Windows 2000 and XP - effectively eliminating the security risk. This policy could be enforced by any system administrator on all desktops. Similar things could be done for Firewire ports and storage devices that attach to it. Basically it works by making the driver non-readable and non-executable for the average Joe Schmoe user logging into the system.
;)
Bring your own USB sticks? No problem. Can't use 'em anymore.
Christian
--- Eat my sig.
That is interesting (that your users were confused by using a network file share, but found the thumb drives intuitive.)
Is it the fact that there is a physical artifact that makes the idea of "your files are going here" easier to map into their worldview? UI Designers Take Note. This might be on the test.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
You know, I could bypass such security precautions very easily with a USB keyfob and tightly squeezed buttocks....
At one point the corporate machine-support staff tried to set up the following:
The sneaky bastards kept trying to steal my laptop, my PDA and my Nomad Jukebox to do this. I kept catching them and throwing them out of my cube (at one point, literally, as he refused to leave until he had formatted my laptop's hard drive and I had to roll him out in my chair and overturn it in the corridor).
Finally, they stopped that after they did this to a senior VP and erased the PowerPoint presentation he had on his laptop. Heads rolled for THAT little debacle. The funny part was that his machine was already work-provided; he just didn't work in our building, so they didn't know him...
Brazil has decided you're cute.
But they do allow diskettes (friggin' diskettes! Do you know how much customer data you can put on a diskette?). Then I also found out that the "internet-network" (which only internals have access to with an NT username/password) operates simply on DHCP, no MAC address checking: the only "security-check" is the NT-Domain login. Why did I find this out? Simple: these morons allow contractors to have laptops, so I once just plugged it into that network. Worked instantly. Now there is a security concern in my eyes! For crying out loud, I have a Mac; I don't even need a crossover cable to pump data over from my work PC to my Mac. Imagine what kind of data I could take away with that! Nobody ever stopped me at the entrance/exit with my laptop bag. Nobody.
You see, if you want security, you need to ban every device that can be networked somehow. It's that simple. Yes, this includes your iPod. So, I suspect that this is only a great concern in governmental institutions (top-secret clearance), but in the "highly sensitive environment" of banking they don't get it at all.
Hey, I pointed out their flaws and I was told to shut up.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Those in charge of company security should remember that these same employees bringing in iPods are the ones who were issued key cards to get into the building. Companies have no choice but to give their workers the benefit of the doubt.
If life beats me with a stick, I'll endure it. If life beats me with a stick, I'll wise up.
You know, if your employees actually CARE about hooking up their iPods or other MP3 players at work, you should be more concerned about what your employees are actually DOING, as opposed to what data could be stolen. My iPod's Library is managed by my home machine, not my work machine, and the only reason I bring it inside is to keep it out of my hot car during the day. I don't even bring a cable that would be compatible.
I'll just burn the site licensed software to CD and take it home that way...
Most military bases have banned PDAs, USB Flash drives, iPods (and variants), cell phones, and any other device that can be connected to a computer and can store data. Some have even gone as far as removing diskette drives and banning CD-RW and DVD-RW drives on new systems. I have seen incidents where people decided to put classified military data on a flash drive or floppy to take it home to work on it. This happened even after people sign an agreement and go through repeated training sessions where they spell out what will happen if they do something like this.
Corporations are having to deal with this same problem as portable devices can now be used to store data or take pictures that could compromise sensitive data. However, this has always been an issue. A systems administrator could walk out of work with a 4mm or 8mm tape full of sensitive/classified data and no one would know. It boils down to a matter of trust and integrity; do you trust the people who use/administer your systems? Have they shown the integrity in other matters that would indicate they can be trusted with more sensitive matters?
Unfortunately, it only takes one person in a sensitive position to screw it up for everyone else.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
Not in some movie - Cringely wrote about seeing a man walk into CompUSA, plug his 1st gen iPod into a Mac there and drag the MS Office folders onto it. The article claimed (I have no idea how true it is/was) that Office will re-establish the system folder items necessary, so this amounted to a perfect and complete copy of the software.
That said, certainly the benign uses outnumber the malicious ones. The question is, if you have other data control policies, do you need to CYA by having this ban so you can respond to suspicious activities decisively? I also think comparisons to more easily concealed USB key devices aren't reasonable - I can't fit a large ACT! database of contacts on one of those, but I can on a 40GB device.
Bad management trumps ideology - Show the world you want better leadership. http://www.timefornewmanagement.com
Companies should consider hiring trusted professionals. If you hire quality, professional employees and explain the policy against putting corporate data on personal devices, this should not be a problem.
Believe it or not, most professionals want to do a good job and take pride in their work. If you set reasonable policies and explain them clearly, most will want to follow them.
Do you want to grant someone enough access to your data that they could copy it onto an iPod if you don't trust them to abide by your policies? If they have that kind of access to the data, copying it to an iPod is far from the only or best way to get it out, and you're just adding an inconvenience to your employees' lives without meaningfully increasing your own security. If you believe that banning these devices would help, your problems run much deeper and you should rethink the way you're doing business.
.sig: file not found
Remember last year, the movie 'The Recruit'? One of its big premises was that a CIA agent was smuggling out data; but they couldn't figure out who was stealing the information, and how. The smuggling device turned out to be a common USB flash drive hidden under a coffee thermos's seal. The USB drive didn't come up in the CIA scans because the drive wasn't active; the inactive drive wasn't giving off any EM for them to detect.
I think USB, IR, and now 802.11 devices and Bluetooth enabled cell phones could be a real concern for data centric firms.
As a side thought, companies may begin to ban cell phones as well. Late last year Slashdot had an article about a cell phone detection device made in Israel. People were leaving modified cell phones in planters. The modified phones would transmit the conversation of anyone in the room for about a week, thus making a cheap spy toy.
You say things that offend me and I can deal with it. Can you?
In much the same way as the demise of Napster brought about the end of filesharing, banning iPods from work will wipe out corporate secret stealing. Nobody will ever think to tunnel data through SSH, copy data onto floppies, USB keychain storage devices, portable laptops, or magnetic tape. Surely, nobody will upload information to their Palm or Windows CE handheld devices; nobody will print out data and take it home; nobody will call someone on the telephone and read them data over the phone.
Man, they've sure got all their bases covered!
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
The result? Now everyone walks around with a USB drive to move files around, or they email them to and from gmail, etc. (OR they use their iPods/Dell Pods, SonyPods)
So the system, overall, is a LOT less secure because all the company's assets are kicking around in email and USB thumb drives. But the folks in IT can cluck their tongues and think they did something useful.
Best Buy can have you arrested
My company works with the Bureau of Engraving and Printing (the folks who print the bills). The Bureau issues transparent vinyl purses and packs for employees to carry their lunch and belongings. This makes it easier to see whether somebody is walking off with sheets of un-cut currency.
We also worked with the US Mint (the folks who mint the coinage). They told a story about metal detectors tied to biometrics that were so sensitive that when a woman became pregnant, the changes in the metal chemistry of her blood (increased iron, etc...) were enough to have to retake the biometric scan. That one always seemed apocryphal to me (but a very cool concept nonetheless).
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Not everybody is a criminal or has criminal intentions. If you don't trust an employee with an iPod, please explain why you would trust them to have access to the data in order to do their job?
A policy against iPods and other USB or other portable devices applied blindly is illusionary security at best. There are countless ways for a dishonest employee to steal data - the only mitigating factor is going to be how secure the network is - that should be the primary focus of any system administrator.
Storage devices are security threats that should be taken seriously. The best way is not to refuse employees listening to music but rather
* hide computers away or lock them up so they can't be physically accessed. This should be combined with tight firewalls for outgoing traffic.
or
* make limitations in the software so USB storage devices or FireWire disks simply won't work. Of course users can't have administrative rights.
or
* disallow sensitive information from reaching employees computers. Store things on secure servers.
I'm right now sitting at work at one of the largest corporations in the telecom business and we sure as hell don't have enough security.
Ciryon
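The c't technique mentioned earlier in the thread (disabling the USB storage driver and making it unreadable for ordinary users) and the second bullet above (software limits so USB storage simply won't work) are the same control. The following is an added example, not from the c't article or any poster here, showing how an administrator would apply and then verify that control on a current Windows build with PowerShell. It assumes the default USBSTOR service name and driver path; on Windows 7 and later the driver file is owned by TrustedInstaller, so the ACL step may need ownership taken first, which this script does not do.

```powershell
# Added example (not the c't article's or any poster's code): disable the USB
# mass-storage driver and deny ordinary users read/execute on its binary, then
# report whether both controls are in place. Run from an elevated prompt.
# Assumed: default USBSTOR service name and driver location.
$ErrorActionPreference = 'Stop'

$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$drvFile = Join-Path $env:SystemRoot 'System32\drivers\USBSTOR.SYS'

function Disable-UsbStorage {
    # 1. Start = 4 ("disabled"): the driver is never loaded, so a newly
    #    plugged-in stick gets no drive letter. Only administrators can
    #    write this key, so a standard user cannot flip it back.
    Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord

    # 2. The c't trick: a Deny ACE for BUILTIN\Users on the driver file.
    #    Reversible later by removing the same rule with RemoveAccessRule.
    try {
        $acl  = Get-Acl -Path $drvFile
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList 'BUILTIN\Users', 'ReadAndExecute', 'Deny'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $drvFile -AclObject $acl
    } catch {
        # Typical on Windows 7+ when TrustedInstaller owns the file.
        Write-Warning "Could not change ACL on $drvFile (take ownership first?): $_"
    }
}

function Test-UsbStorageDisabled {
    # Returns an object an admin can collect from many desktops as a
    # compliance check: Compliant is $true only when both controls hold.
    $start   = (Get-ItemProperty -Path $svcKey -Name Start).Start
    $denyAce = (Get-Acl -Path $drvFile).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users'
    }
    [PSCustomObject]@{
        StartValue = $start              # 4 = disabled
        DenyAce    = [bool]$denyAce
        Compliant  = ($start -eq 4) -and [bool]$denyAce
    }
}

Disable-UsbStorage
Test-UsbStorageDisabled
```

On domain-joined machines the supported way to get the same effect is the "Removable Storage Access" Group Policy under Computer Configuration, Administrative Templates, System, which avoids touching driver file ACLs by hand.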
That's why I got the subdermal implant with 16mb flash and bluetooth. Just copy data to my stomach and walk out, search all you want.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Corporate espionage is something that is feared; however, all this really does is inconvenience those who are using these devices legitimately. I would trust that an organization which has a real security concern would have appropriate ACLs in place, so that data theft would be limited to what the user already has security clearance for.
Now if you have already cleared someone to be viewing and working with such data, you have much bigger problems than fearing them stealing it with a USB device. It's like trusting your employees with your business in their day-to-day operations but keeping office supplies under lock and key. It just doesn't make sense. If someone is intent on ripping you off, they wouldn't go for the small stuff. Similarly, if your business depends on these people who have access to such "crown jewel" data, you'd better hope that you have a good hiring process and that you are keeping your employees happy.
A side rant: so you're all concerned about people with USB devices; yet, you're fine with shipping your data off to some foreign land for outsourcing. Hmmm... If only the world were based on logic!
Alert! A new device, known as a "Briefcase" has been increasing in popularity in the workplace. While useful for ordinary business it brings with it some sinister baggage. This nefarious device serves to conceal a large amount of objects, such as sensitive data and staplers, in a small space, enabling employee theft and espionage. While it's true that file folders have been commonplace in corporate environments for years, this new product threatens to bring unforeseen and catastrophic results. Ban it before your company falls apart and you have to spend the rest of your life living in the street trying to support your starving family.
I do think it makes sense for companies that already employ policies like searching employee belongings and metal detectors to add USB storage devices (and any data storage medium for that matter) to the list of things they check for. If you really needed to bring one in, you could have some sort of approval/checking process. As far as most companies go, I think it makes sense to judge based on whether they seem to be causing problems in the workplace, and if so, banning them or finding some other way to fix the problems. I think it would be a good idea to do virus-checking on insertion of any removable media.
I thought this was a particularly interesting quote:
"Another potential danger is that the devices -- that typically make use of USB and FireWire -- could be used to steal large amounts of company data as they are faster to download to than CDs."
I think they've been watching too many movies. I highly doubt that most downloading of corporate data happens in a down-to-the-second race against corporate security. I think it's much more likely that most data is stolen by those with official access and all the time in the world. And I may be naive, but I think a corporate spy would be able to think of a better way to export data than an iPod.
If you can't bring in your USB watch, how about my Bluetooth cell phone? Okay, Bluetooth technology isn't as common as USB, but my phone can hold a gigabyte of data. Plus, it has a camera, so I can take pictures of secured areas.
How can your office stop someone from bringing in their cell phone? Or a USB key on their keychain? Or their PDA?
I'd hate to be responsible for corporate data security now with all of these devices floating around. Someone could discreetly download a lot of data onto their key chain. Heck, it is even easier with my Bluetooth phone. I don't even need a wired connection, just be within 15 feet of my PC. I don't even have to be near my PC in order to download data.
A few years ago, I worked for a large financial corporation when someone stole the HR database and sold it to identity thieves. Hundreds of us "highly compensated" employees suddenly discovered that someone was using our identity to buy electronic hardware, get bank loans, etc.
It took me five months to clean up the mess, and I was lucky. I found out about it the very day it happened because one of the stores that gave this guy instant credit called me to verify if I had just applied for credit.
Still, in a twelve hour period, that person went to over 3 dozen different stores from Atlantic City to Philadelphia getting instant credit and buying over $200,000 of goodies. I could literally figure out which roads he took by looking at the various times he hit the stores and applied for credit.
Other people weren't so lucky because they didn't find out about it until either a collection agent called, or they were denied credit because of this attack.
And who was the person who gave the information to the thief? Heck, it could have been almost any lowly paid clerk in HR. If you're only making $30,000 per year, someone offers you $100K or so for this kind of information, and you know the likelihood of you getting caught is almost nil, what would you do?
Millions of employees with access to valuable data, and hundreds of ways to get around corporate security. Maybe 99.99% of your employees are dedicated, hardworking, and honest, but it's the other .01 percent that will destroy you.