Removable media causes security concerns
The proliferation of portable media devices are increasing companies' security risks exponentially. In fact, endpoint security for laptops, PDAs and removable media is one of the most critical security issues facing companies today. USB drives, in particular, have a tremendous amount of private corporate content. To deal with the growing problems, CIOs must set up strict policies for how data on removable media is handled and where they can be taken and where they can't. Employees should also be monitored to some extent, ensuring that employees use removable media only for company-sponsored endeavors. It's also critical to make sure that the USB drives used by your company have appropriate encryption--not something that's standard on all USB drives. The same type of diligence should be applied to other mobile devices such as laptops.
Some interesting information pertaining to the security issues with removal drives:
The rise of the mobile data market has been rapid, lucrative and dangerous. Long gone are the days when you needed identical tape drives and software on both computers. The traditional floppy disk market and local tape markets were superseded by the super-floppy and zip drive. Now even they are disappearing as the mobile data storage market evolves.
Thanks to their large capacities, portability, and simplicity, removable media have become one of the most popular types of storage devices around today. You’ve only to go down to one of the big computer shows to be offered a free memory stick as a stand give-away. If you take part in an IT training course, you might be given one with all your computer course notes stored on it. They are so cheap it’s the obvious way to store information, business proposals, accounts, client’s details, marketing plans etc
The arrival of the MP3 music player has had a significant impact on the market. While Apple sees music as the only reason for owning an iPod, their competitors have simply created large USB stores with some built in music software. An increasingly number of people now view the MP3 player as both a data and entertainment tool. The danger here is that as an entertainment device it falls below the radar and with storage capacities set to exceed 80GB by the end of 2005, it is a serious threat to data protection.
Pentagon spokesman Brian Whitman confirmed that the Defense Department is battling an ongoing malware attack within DOD's networks. "We are aware of a global virus for which there are some public alerts, and we've seen some of these on our networks, and we are taking steps to identify and mitigate the virus," Whitman said in an official statement Nov. 21.
Last week, Strategic Command's mandated that users of the Global Information Grid not use removable media to prevent further spreading of a virus. Wired Magazine's Danger Room blog reported that an Army email alert had been sent out relaying the instructions from STRATCOM, banning the use of removable media -- thumb drives, external disks, CDs and DVDs -- effective immediately. The e-mail indicated a worm, called Agent.btz, was the cause of the move by STRATCOM and Joint Task Force-Global Network Operations.
NASA chief information officer Jonathan Pettus clarified the agency’s policy curbing the use of removable media in the wake of recent security concerns. The policy appeared in an internal memo.
New details about security concerns at NASA, independent of the memo, emerged in a report by BusinessWeek published last weekend. It details a series of significant and costly cyberattacks on NASA systems in the past decade.
The memo from Pettus instructs employees not to use personal USB drives or other removable media on government computer systems. It also directs employees not to use government-owned removable devices on personal machines or machines that do not belong to the agency, department or organization. And it warns employees not to put unknown devices into any systems and to ensure that systems are fully patched and have up-to-date antivirus software.
Pettus also said he is in the process of updating security policies and is “working with center CIOs on additional measures recommended by [the U.S. Computer Emergency Readiness Team] to mitigate removable media risks, including implementation of Federal Desktop Core Configuration settings.”
The directive is not as sweeping as one issued by the Defense Department, which temporarily forbids the use of USB drives and other removable media devices of all types as a step toward mitigating the spread of detected malware.