Winning the Gadget Wars
- 19 October, 2005 09:22
CIOs and CISOs will need smart policies, good awareness programs and judicious enforcement to manage risks presented by the latest techno-trends.
A double-sided painting by Wassily Kandinsky plays a prominent role in John Guare's play Six Degrees of Separation. One side, called "Chaos", is a vivid mix of colour; all splashes and slashes of paint. The flip side of the painting, titled "Control", is dour, geometric and restrained. The canvas is designed to be set at an angle and spun so that the viewer experiences it as a single work. In one scene, the painting's owner spins it for a guest, chanting, "Chaos, Control, Chaos, Control".
This mantra should feel familiar to CIOs, because it is a spin cycle they are all too frequently stuck in.
Technologies - particularly those marketed to the individual - are evolving rapidly and in unpredictable ways, which places CIOs and security executives in the uncomfortable position of trying to set controls on a constantly shifting and mutating target. Need an example? Then look no further than the new mobile phone in your hand (or the hands of the sales and marketing types in your organization), which has morphed into a multifunction device incorporating a PDA, camera and MP3 player.
The trickiest aspect of the problem is that many of these technologies are valuable business tools when used with the appropriate security controls. However, all too often, eager employees purchase, download or otherwise acquire these groovy gadgets and programs, and enthusiastically integrate them into their work environment, heedless of the holes they are punching in the company's security net.
Take Skype, the free, downloadable Internet telephony system that launched in August 2003. Skype users can make free calls to other Skype users all over the world. A great idea, right? Not if security is a high priority, because Skype encrypts all of its traffic with its own proprietary protocol and is designed to get through firewalls and NAT devices, falling back to TCP ports 80 and 443 when nothing else is open. That's a bonus for users, but a nightmare for CIOs, who can neither inspect the traffic nor block it without also blocking ordinary Web access. In the 51 days following Skype's launch, the company registered an impressive 1.5 million downloads and 100,000 simultaneous users. When programs like this catch on, they spread like dandelions in spring. At its one-year anniversary, Skype boasted approximately 9.5 million subscribers and 1.5 million users per day.
So how do CIOs and security heads kill the weeds without burning the grass? We took a look at four rowdy technologies: camera phones, portable data storage devices, wireless computing and the joint threat posed by peer-to-peer technologies (P2P) and Web-based services. They are well-meaning and widely used tools that can be office assets, but also can wreak havoc when used carelessly or maliciously. We sought the advice of security executives and other experts on the best steps to take to establish some control in the midst of the chaos.
Prying eyes. At many companies, a camera phone - great for office party snapshots or for capturing an interesting presentation slide - wouldn't raise an eyebrow. At Cardinal Health, mobile phones equipped with cameras are a physical security threat.
Cardinal Health has its hand in almost every facet of a drug's life cycle - from development, manufacturing, packaging and delivery to pharmaceutical distribution. To allow photographs of how valuable drugs move through these stages could create security vulnerabilities. Cardinal Health also handles personal medical information that falls under the US Health Insurance Portability and Accountability Act (HIPAA) regulations. "To allow cameras anywhere near the process, from when we receive [the product] to when we deliver it to the end users, would be a huge vulnerability, and it's not one we're willing to accept," says Tim Gladura, the company's CSO.
That said, camera phones are particularly challenging to contain because they're not connected to any platform that the company controls. Gladura says that a "no cameras" policy and an ongoing awareness campaign that conscripts employees into the security ranks works best. "I'd rather have 55,000 sets of eyes out there than just my department," he notes. But even that is not enough. His department also has enacted other policies that help to keep cameras out of sensitive areas. For example, employees at the distribution facilities are discouraged from taking lunch in the parking lot - to allow security to better discern if other, unauthorized individuals are sitting in the lot to observe loading dock operations. The doors that cover employee lockers are grated, offering security personnel a view of the contents. And random security searches are not unheard of.
At Tommy Hilfiger USA, camera phones pose a different kind of threat: the potential loss of intellectual property. David Jones, vice president of corporate loss prevention and security, worries about visitors who enter the company's design studios. "For anyone in our business, the design patents are the innovations that the company lives off," says Jones. A covertly snapped picture of a dress for the new summer line that is e-mailed to a competitor represents a real loss.
Jones also relies on a no-camera policy to protect the design areas, but he worries about the increasing prevalence of camera phones and their shrinking forms. His fears are well-founded: research from InfoTrends/Cap Ventures suggests that by 2009, 89 percent of all new mobile phone handsets will include a camera. And the technology is advancing so quickly that it is harder and harder to tell which mobile phones can take snapshots. "On older phones you could tell if there was a camera; now you can hardly tell, so we have a policy that we can't really enforce beyond awareness and training," Jones says. He adds that to his knowledge a theft by camera phone has not yet occurred, "but the threat is always there for it to happen".
CIOs and security execs also need to worry about protecting their employees' privacy when camera phones are around. One security executive, who declined to be identified because of the sensitivity of the situation, recounted a case where employees using the company's shower facilities after lunchtime workouts became concerned about a man who always seemed to be talking on his mobile phone in the changing area. Public locker rooms and gyms frequently have "no mobile phone" rules, and locker rooms provided by an employer should be no different.
"Information about people [photographic or personal data] is way more valuable than information about anything else," says Stephen Cobb, author of Privacy for Business (Dreva Hill, 2002), a book that offers executives advice on safeguarding privacy of customer data. "Companies often focus on protecting financial secrets, but information about people can cost the company more."
At First Data, which specializes in money transfers and credit card processing, CISO Phil Mellinger has an employee dedicated to examining mobile devices and other technologies that employees want to bring into work, and who gives written approval from security where appropriate. Without that approval, the device is banned. "We used to approve general security configurations," says Mellinger. "For example, if someone used a wireless device, there were two approved configurations for security. But now each device has its own security configuration, so we have to get down to the device level." Mellinger also notes that camera phones are not just a security issue but an HR issue and a procurement issue as well. "You have to get so many different entities in the company focused on the problem and approach it from different perspectives, but it is a massive problem," he says.
According to industry sources, the Pentagon and defence contractors have long had mobile phone detection equipment, but that kind of technology is now going mainstream. Companies that offer mobile phone detection technologies - such as Phoenix-based Cellbusters - are gaining traction in corporate markets. The CellBuster device can detect a mobile phone that is switched on (even if it is not in use) within a range of 30 metres, and it issues an audio alert that tells the user to shut off her phone. It can also operate in a silent mode, alerting security personnel with a flashing light. This kind of product is ideal for companies that have certain targeted areas within their facility that should be camera phone-free, whether it's the boardroom or the locker room. Bear in mind what such a detector actually senses: the handset's radio. It cannot tell a camera phone from any other, and a phone whose radio is switched off can still take pictures, so detection backs up the no-camera policy rather than replacing it.
Keychain storage drives
Data a-go-go. The threat posed by USB mini-drives has burgeoned during the past year. Plug one of these keychain-size storage devices into a USB port and any information you can access just became portable. Employees can download gigabytes of data off your network and simply walk out the front door. Just 1GB of data is roughly comparable to a pickup truck loaded with documents, notes Dan Geer, vice president and chief scientist at data security vendor Verdasys. Keychain drives already hold several gigabytes, and hard-disk-based portable players hold up to 60GB. So thumb drives aren't the only form of digital storage media giving CIOs and security executives heartburn: MP3 players and even iPods, the ubiquitous cool gadget of the moment, can be used to download and store any kind of file (not just music).
Marcus Rogers, an associate professor in the Department of Computer Technology at Purdue University, works with the Centre for Education and Research in Information Assurance and Security (CERIAS) to study iPod forensics. "You can have an entire bootable drive on your iPod and, depending on the operating system, you can carry your entire workstation around with you," he says. "Also a lot of times if you hook an iPod to your system it's not going to show up on the network. Because it's at the local machine level it doesn't get an IP address. Only if [security] is doing active probing 24/7 might they find that extra storage device." Rogers notes that iPods sold for Windows ship formatted with the Windows file system (FAT32), so the problem isn't limited to Apple systems.
"USB has absolutely exploded in the last year," says Michele Lange, a staff attorney with Kroll Ontrack, which offers software and services for data forensics and electronic discovery. "I've been doing this about four or five years," says Lange, "and I would say that [USB storage devices] are now an issue in a large majority of our cases." Lange adds that most of those cases are employment-related situations where an employee has tried to harm a company by stealing trade secrets. Of course, intellectual property leakage can happen just as easily when one of these tiny drives is lost or stolen.
However, there are steps CIOs and security heads can take. The first is to practise rigorous file security: employees should have access only to the information they need. But since many employees legitimately have access to valuable information, some companies have dealt with the issue more emphatically by disabling every USB port on every system at the BIOS level and taking away administrative privileges so that savvy users can't re-enable the ports. Two caveats apply. A BIOS setting only holds if the BIOS itself is password-protected; otherwise the user reboots, enters setup and turns the ports back on. And disabling the ports outright also disables USB keyboards, mice and printers, so a narrower control is usually preferable: on Windows the USB mass-storage driver (USBSTOR) can be disabled on its own, which blocks thumb drives and iPods while leaving other USB devices working, and without local administrator rights the user cannot undo it.
Cobb, the privacy book author, says he knows companies that have a locked-down configuration and don't allow the user to change anything. "This can be quite effective on two levels: on a practical level, and on a psychological level by making it clear computers can only be used for company business and won't work if you try to use them for anything else." Some companies have taken more drastic steps. Geer recounts a story of one company that tried to address the problem by filling each USB port with hot epoxy glue (before eventually realizing the impracticality of the strategy - most notably that it would take forever).
CIOs and CISOs have to ensure they're not preventing employees from conducting their regular business duties. USB ports are, after all, there for a reason. USB flash drives are not all bad news either. They can be incredibly useful tools, and some come with built-in hardware encryption using the Advanced Encryption Standard (AES). Note what that protects against: a lost or stolen drive whose contents stay unreadable without the passphrase. It does nothing to stop an employee copying data onto the drive in the first place, which is why it belongs alongside access controls rather than in place of them. For an executive who can't live without his USB drive, the best solution might be to provide him with one handpicked by the security team, and to record its serial number so that it can be told apart from any other drive that turns up on the network.
Policy also has a role to play here. Dev Bhatt, director of corporate security for Airlines Reporting Corporation (ARC) - a company owned by the airlines that handles aspects of ticketing as well as data and analytical services - has crafted his company's acceptable use and enterprise security policies to focus on the forbidden acts of removing corporate data or connecting an unapproved device, rather than on the device itself. The emergence of new, small, multifunction devices is happening so rapidly that companies must ensure that their policies are broad enough to include emerging technologies. If the policy is too device-specific, the CIO or CSO will end up having to rewrite the rules every few months.
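The policy above forbids connecting an unapproved device, and the sidebar later in this article asks the security team to recognise unapproved devices when they appear. As an added example (not code from ARC, First Data or any other company quoted here), the Python below parses the device instance paths that Windows records for USB mass-storage devices and sorts them into approved, unapproved and unidentifiable against the serial numbers of the drives security issued. The sample paths, the allowlist and the "second character is an ampersand" rule for identifying Windows-generated IDs are assumptions of the example; the paths are constructed, and on a real machine they would be read from the registry or a device-management tool.

```python
"""Classify USB mass-storage devices against the list of drives security issued.

Added example for this article, not code from any company quoted in it. It works on
device instance paths in the form Windows records under
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR; the sample paths below are constructed.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Set


class UsbDisk(NamedTuple):
    vendor: str
    product: str
    serial: str
    generated_id: bool  # True when Windows made up the ID because the device reports no serial


# USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>\<serial>&<interface>
_USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<instance>.+)$",
    re.IGNORECASE,
)


def parse_usbstor(path: str) -> UsbDisk:
    """Split a USBSTOR disk instance path into vendor, product and serial."""
    m = _USBSTOR_RE.match(path)
    if not m:
        raise ValueError(f"not a USBSTOR disk instance path: {path!r}")
    instance = m.group("instance")
    # The trailing '&<n>' is an interface index, not part of the serial number.
    serial = instance.rsplit("&", 1)[0] if "&" in instance else instance
    # Forensic rule of thumb (assumption of this example): when a device reports no
    # serial number, Windows synthesises an ID whose second character is '&'
    # (for example '6&2a3b4c5d'). Such a device cannot be tied to an issued drive.
    generated = len(serial) > 1 and serial[1] == "&"
    return UsbDisk(m.group("vendor"), m.group("product"), serial, generated)


def classify(path: str, issued_serials: Set[str]) -> str:
    """Return 'approved', 'unapproved' or 'unidentifiable' for one device path."""
    disk = parse_usbstor(path)
    if disk.generated_id:
        return "unidentifiable"
    return "approved" if disk.serial.upper() in issued_serials else "unapproved"


def audit(paths: Iterable[str], issued_serials: Set[str]) -> Dict[str, List[str]]:
    """Group device paths by verdict so the unexpected ones stand out."""
    report: Dict[str, List[str]] = {"approved": [], "unapproved": [], "unidentifiable": []}
    for path in paths:
        report[classify(path, issued_serials)].append(path)
    return report


# Serials of the drives the security team handed out (constructed values).
ISSUED = {"2004123456789ABC"}

# Constructed instance paths in the Windows USBSTOR layout.
SAMPLE_PATHS = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\2004123456789ABC&0",  # issued drive
    r"USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_1.62\000A27001A2B3C4D&0",      # personal iPod
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a3b4c5d&0",    # reports no serial
]

if __name__ == "__main__":
    for verdict, found in audit(SAMPLE_PATHS, ISSUED).items():
        for p in found:
            print(f"{verdict:14s} {p}")
```

The point of the third category is practical: a cheap drive with no serial number can never be matched to an issued one, so a policy that only allowlists serials has to decide up front whether "unidentifiable" means "blocked".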
Roaming hazard. It's a sign of the times that in some cases security teams have to behave like hackers to be successful. Sniffing out ad hoc wireless networks in a "no wireless allowed" work environment is one such case. Most of the security executives we spoke with have found unauthorized wireless networks at their companies. These networks are so cheap and easy to set up that they will continue to be a problem in many companies. But detecting a clandestine Wi-Fi network two floors down is a breeze compared to the problem security executives encounter when their employees utilize wireless networks outside the office.
Wi-Fi is built into most laptops, and wireless computing is so liberating that few untethered employees can resist the lure of a coffee shop or hotel access point. But unless users are educated about the specifics of wireless security, they could be laying the corporate network bare to any curious or malicious bystander. Security policies must spell out who can access the network, how, when and where. On the company's own wireless LAN, the encryption must be Wi-Fi Protected Access (WPA) or, ideally, WPA2, which implements the IEEE 802.11i standard; the older Wired Equivalent Privacy (WEP) has been broken since 2001 and can be cracked in minutes, so it should be treated as no encryption at all. A coffee shop or hotel hotspot is usually open and out of your control, so the laptop needs its own protection there: a software-based firewall, and a VPN back to the office for anything that touches corporate systems, so that casual roamers can neither hop aboard nor read the traffic.
Employees also need education about the different scams that can affect wireless users. Christopher Faulkner, founder and chief executive of Web hosting firm C I Host, has also launched "The Wi-Fi Guy" travel blog that tracks Wi-Fi and cultural information in cities across the US. He warns CSOs in particular about the dangers of "evil twin" wireless networks. An evil twin is a rogue wireless access point that a hacker-type sets up near a legitimate Wi-Fi access point. Unwary wireless users can wind up with their computers connecting to the strongest signal available; in the evil twin scenario, the users think they're on the legitimate network but are actually connected to the hacker's machine, allowing him to capture whatever data they transmit. "I tried this at an airport, and within four minutes had three people connected to my laptop doing unsecured computing in plain text," says Faulkner. In a variation of that scenario - a sort of Wi-phishing - a hacker sets up another access point near a legitimate one, lures a user to connect and then prompts him for his user name and password. When providing that info doesn't lead to a connection, the mystified user usually reboots and logs onto the real network, but the hacker has already siphoned off what he wanted. Later he'll be able to log onto the network with the user's ID.
These kinds of scams frequently snare people who are in a hurry and will disregard something that looks a little unusual in their haste to get online. Educate employees to use wireless carefully and to avoid sending company-confidential or sensitive information over wireless unless it is absolutely necessary and the system's safeguards have been approved by corporate security.
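Both problems in this section, the clandestine access point two floors down and the evil twin at the airport, reduce to the same question: is this radio one of ours, and is it configured the way policy says? As an added example, not a tool from any company quoted in this article, the Python below triages a wireless scan against the list of access points the network team deployed. The scan records, MAC addresses (locally administered ones, so they belong to no vendor), signal threshold and the rule that anything below WPA2 on a corporate access point is a defect are all assumptions of the example; real records would come from a site-survey tool or a laptop's scan output.

```python
"""Triage a Wi-Fi scan against the list of access points the network team deployed.

Added example for this article, not any company's tooling. The scan records are
constructed; in practice they come from a site-survey tool or a laptop's scan output.
"""
from typing import Dict, Iterable, List, NamedTuple, Set


class ApSighting(NamedTuple):
    ssid: str
    bssid: str       # the radio's MAC address, which is what actually identifies an AP
    channel: int
    security: str    # 'open', 'WEP', 'WPA' or 'WPA2'
    signal_dbm: int  # received signal strength at the scanning laptop


class Finding(NamedTuple):
    bssid: str
    ssid: str
    verdict: str     # authorized, weak-config, evil-twin, rogue or neighbour
    reason: str


# Higher is stronger. WEP ranks above open only because it is not nothing;
# the policy in this example treats anything below WPA2 as a defect.
STRENGTH = {"open": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def assess(
    sightings: Iterable[ApSighting],
    authorized: Dict[str, str],       # bssid -> SSID that radio is supposed to broadcast
    corporate_ssids: Set[str],
    required: str = "WPA2",
    inside_threshold_dbm: int = -60,  # stronger than this, heard from inside, is probably inside
) -> List[Finding]:
    """Label every sighting; anything that is not 'authorized' or 'neighbour' needs a visit."""
    findings: List[Finding] = []
    for ap in sightings:
        bssid = ap.bssid.lower()
        strong_enough = STRENGTH.get(ap.security, 0) >= STRENGTH[required]
        if bssid in authorized:
            if ap.ssid != authorized[bssid]:
                verdict, reason = "weak-config", f"our AP broadcasting unexpected SSID {ap.ssid!r}"
            elif not strong_enough:
                verdict, reason = "weak-config", f"our AP running {ap.security}, policy requires {required}"
            else:
                verdict, reason = "authorized", "known BSSID, expected SSID, required encryption"
        elif ap.ssid in corporate_ssids:
            # A radio we did not deploy is using our name: the evil-twin pattern.
            verdict, reason = "evil-twin", f"unknown BSSID advertising corporate SSID with {ap.security}"
        elif ap.signal_dbm >= inside_threshold_dbm:
            verdict, reason = "rogue", f"unknown AP at {ap.signal_dbm} dBm, likely inside the building"
        else:
            verdict, reason = "neighbour", f"unknown AP at {ap.signal_dbm} dBm, probably next door"
        findings.append(Finding(bssid, ap.ssid, verdict, reason))
    return findings


def verdicts(findings: Iterable[Finding]) -> Dict[str, str]:
    """bssid -> verdict, handy for reports and for the test below."""
    return {f.bssid: f.verdict for f in findings}


# What the network team deployed (constructed, locally administered addresses).
AUTHORIZED = {"02:1a:2b:00:00:01": "CorpNet", "02:1a:2b:00:00:02": "CorpNet"}
CORPORATE_SSIDS = {"CorpNet"}

# A constructed scan taken from a laptop on the third floor.
SCAN = [
    ApSighting("CorpNet", "02:1a:2b:00:00:01", 6, "WPA2", -45),
    ApSighting("CorpNet", "02:1a:2b:00:00:02", 11, "WEP", -52),    # never migrated off WEP
    ApSighting("CorpNet", "02:de:ad:be:ef:01", 6, "open", -40),    # not ours, using our name
    ApSighting("linksys", "02:14:bf:11:22:33", 1, "open", -48),    # consumer AP under a desk
    ApSighting("CafeWifi", "02:0c:41:aa:bb:cc", 11, "WPA2", -82),  # the cafe across the street
]

if __name__ == "__main__":
    for f in assess(SCAN, AUTHORIZED, CORPORATE_SSIDS):
        print(f"{f.verdict:11s} {f.bssid} {f.ssid:10s} {f.reason}")
```

Two limits are worth stating. Signal strength is only a hint about location, so "rogue" means "go and look", not "proven". And the check only works where you know the legitimate radios; at an airport or cafe the user cannot tell a twin from the real hotspot by looking at the scan, which is why the defence there is a VPN and caution rather than a BSSID list.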
Peer-to-peer and Web-based services
The casualties of convenience. Peer-to-Peer (P2P) technologies and Web-based services are different animals, but they have three important qualities in common. These tools and programs are easily downloaded by employees; they frequently offer what workers see as a useful productivity-enhancing service; and most of them ride outbound HTTP or HTTPS connections, which the corporate firewall already permits, so they pass through the perimeter without tripping any of its controls.
Take GoToMyPC, a Web-based service owned by Citrix Online. An employee can download the GoToMyPC software to his office PC, and it allows him to access the contents of his office workstation remotely from any PC connected to the Internet by typing in a user name and password. The GoToMyPC folks have published a 10-page white paper touting their security, but some basic control issues exist that should concern security executives. First, no matter how secure the program is, the session is brokered through the vendor's servers, and the security of that path is out of the CIO's direct control. Second, security executives have no control over the machine that the employee uses to remotely access the corporate network. It could be an Internet cafe where a hacker has installed keystroke loggers, or it could be a home PC using an unsecured wireless network. P2P-style programs such as instant messaging clients and Skype are just as alluring and raise the same questions.
At First Data, Mellinger uses a proxy server from Blue Coat Systems to limit these kinds of external connections. Blue Coat enables Mellinger to control certain kinds of connections and provide appropriate warnings for others. Of course Mellinger doesn't want to interfere with the regular course of business, so he cautions that you have to work through the kinks with any product to ensure that employees can still access all the tools they need. "We have lawyers who need to go out and look at certain sites that we would otherwise not allow employees to visit," he says. Mellinger and his team are fine-tuning Blue Coat to match their exact needs.
At ARC, Bhatt has found that communicating with his employees is an effective way to deal with a lot of the P2P and Web activity. "Almost 100 percent of the time, people are just trying to get something done," says Bhatt. He tells employees that he wants them to feel comfortable asking questions about new products and online services without fear that they will be frowned on. If there is a cool new service that an employee wants to use, security will check it out; if they're not comfortable with that system, they'll seek a secure alternative. If there is none, security will explain why not and why that kind of activity puts the company at risk. "When users know what the danger is, it works well," says Bhatt.
First Data has also taken an added step that Mellinger believes insulates the company from many of the problems that these services can let in. The company has separate firewalls protecting each of its business units so that if a virus or breach occurs in one unit it can be easily unplugged from the others to prevent the damage from spreading. "A lot of times a company looks at itself as a monolithic entity," says Mellinger, "and we don't want to put ourselves in a position where anything that makes it into the company can impact the whole company. We use the same security controls between business units that we use between business units and the outside world."
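Mellinger's proxy lets him control which outbound connections leave First Data. What a security team then looks for in the proxy's logs is the signature of the services described above: long-lived CONNECT tunnels carrying far more data than any web page, and CONNECT requests to ports that are not HTTPS. As an added example, not Blue Coat's product or First Data's configuration, here is a Python pass over proxy log lines in Squid's native access.log layout that flags both. The log lines, host names (RFC 2606 example domains and documentation addresses) and thresholds are constructed assumptions of the example.

```python
"""Flag CONNECT tunnels in proxy logs that look like remote-access or P2P sessions.

Added example for this article; not Blue Coat's or First Data's configuration. The
log lines are constructed in Squid's native access.log layout: timestamp, elapsed ms,
client, result/status, bytes, method, URL, user, hierarchy/peer, content type.
"""
from typing import Iterable, List, NamedTuple
from urllib.parse import urlsplit


class Request(NamedTuple):
    client: str
    user: str
    method: str
    url: str
    port: int
    elapsed_ms: int
    size: int


class Finding(NamedTuple):
    client: str
    user: str
    url: str
    reason: str


def parse_line(line: str) -> Request:
    """Parse one native-format Squid access.log line into a Request."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"unexpected field count in: {line!r}")
    _ts, elapsed, client, _status, size, method, url, user, _hier, _ctype = fields[:10]
    if method == "CONNECT":
        # CONNECT carries host:port rather than a URL.
        _host, _, port_s = url.rpartition(":")
        port = int(port_s) if port_s.isdigit() else 443
    else:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    return Request(client, user, method, url, port, int(elapsed), int(size))


def suspicious_tunnels(
    requests: Iterable[Request],
    tunnel_ports: frozenset = frozenset({443}),   # only HTTPS may be tunnelled
    long_ms: int = 15 * 60 * 1000,                 # a web page does not stay open 15 minutes
    big_bytes: int = 50 * 1024 * 1024,             # ... nor move 50 MB
) -> List[Finding]:
    """Apply two rules to CONNECT requests: wrong port, or persistent high-volume tunnel."""
    findings: List[Finding] = []
    for r in requests:
        if r.method != "CONNECT":
            continue
        if r.port not in tunnel_ports:
            findings.append(Finding(r.client, r.user, r.url,
                                    f"CONNECT to port {r.port}, which is not HTTPS"))
        elif r.elapsed_ms >= long_ms and r.size >= big_bytes:
            findings.append(Finding(r.client, r.user, r.url,
                                    f"tunnel open {r.elapsed_ms // 60000} min, "
                                    f"{r.size // (1024 * 1024)} MB: a session, not a web page"))
    return findings


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Parse the lines and return the findings."""
    return suspicious_tunnels(parse_line(line) for line in lines if line.strip())


# Constructed log lines; example.* domains and documentation IP ranges throughout.
LOG_LINES = """\
1129709400.123     312 10.1.2.3 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 alice HIER_DIRECT/192.0.2.10 -
1129709401.456 1805000 10.1.2.4 TCP_TUNNEL/200 73400320 CONNECT relay.example.net:443 bob HIER_DIRECT/198.51.100.7 -
1129709402.789     250 10.1.2.5 TCP_TUNNEL/200 2048 CONNECT peer.example.org:5190 carol HIER_DIRECT/203.0.113.9 -
1129709403.000      90 10.1.2.3 TCP_MISS/200 13200 GET http://www.example.com/index.html alice HIER_DIRECT/192.0.2.10 text/html
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f.client:10s} {f.user:6s} {f.url:28s} {f.reason}")
```

The log check only sees what goes through the proxy, and the programs in question will fall back to a direct connection if one is available. It therefore assumes the firewall permits outbound Web traffic only via the proxy; without that rule the tunnels simply do not appear in the log.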
Stay on top of trends
One key to dealing with all of these developments is for CIOs and their security teams to commit themselves to an ongoing learning process focused on new tools and technologies and the novel ways they will affect corporate security. Companies tend to go overboard with overly draconian security measures when a trend takes them by surprise. "There's a line of sensibility here," says Mellinger. "The object is to stay ahead of the people who aren't doing anything [malicious], who just have no security awareness at all. As long as I can stay ahead of that crowd, I'm in good shape."
SIDEBAR: Security Measures for Camera Phones
- Educate and remind employees about your company's policy on cameras and other audiovisual equipment. Enlist their help to report violations.
- Consider mobile detection technology for particularly sensitive areas such as executive suites or areas with ready access to intellectual property.
- Ensure that your camera policy protects employee privacy as well as corporate assets.
- Work with corporate procurement to ensure that employees who should not have camera phones are not buying or being provided with those devices.
SIDEBAR: Security Measures for Mini-Storage Devices
- For employees who need a USB drive, look into drives with built-in encryption.
- Disable USB ports at the BIOS level (and password-protect the BIOS), or disable just the USB mass-storage driver, and take administrative privileges away from the user.
- Make acceptable-use policies general enough to include emerging technologies. They should focus on the unacceptable behaviours rather than the kind of device that is used.
- Ensure that your security team members track new portable storage devices so that they can recognize unapproved devices.
- Educate employees about what devices are forbidden and why.
SIDEBAR: Security Measures for Wireless
- In the workplace, take steps to securely authenticate users and control network access.
- If you don't want wireless used at the office, keep sniffing, don't buy laptops with Wi-Fi and educate workers about unsecured wireless hazards.
- Educate employees who use wireless about scams like evil-twin networks.
- Build security policies around how and when users can access wireless networks.
- Use the best encryption standard available: WPA2, or WPA at a minimum; do not rely on WEP.
- Equip mobile devices with a software-based firewall and isolate connecting devices on the corporate network.
SIDEBAR: Security Measures for Peer-to-Peer and Web-Based Services
- Look into tools such as proxy servers that allow the security team to block access to undesirable services.
- Explain why some tools are dangerous, and look for ways to provide the same service securely.
- Design your security knowing that some of these programs will slip through your defences.