Archive for the ‘Mobile Devices’ Category

Rotten Apples

Tuesday, October 24th, 2006

I have written before about the need to prevent viruses entering a corporate system via employees’ thumb drives, and that the profusion of portable storage devices makes this a priority for businesses. Now SC Magazine reports that a number of Apple’s Video iPods have been discovered to be carrying the Windows virus RavMonE.exe. I see that Apple is not ISO27001-certified. Perhaps, if it were, this wouldn’t have happened.

Wireless laxity leads to new legislation

Saturday, September 2nd, 2006

I’ve written before about the fact that wireless kit usually ships with a default security setup of ‘no security’, because that is what lets consumers start using the kit right away. ‘No security’ is obviously not a good default in today’s identity- and bandwidth-hijacking world.
California, as so often the case, is taking the lead in dealing with this issue. Assuming that Governor Schwarzenegger signs it into law, manufacturers will have to place appropriate warning labels on all wireless equipment. Of course, that won’t mean that users will improve their wireless security – but it will at least ensure that they’re made aware of the issue.
California’s Database Security Breach law has been widely copied by state legislatures across North America – I guess we’ll now see a rash of wireless-related legislation as well.

Wireless worries

Tuesday, June 13th, 2006

There is ongoing debate about how safe it is to work wirelessly, with much discussion of how likely it is that your digital information will be monitored and stolen while you are online in a coffee shop or wherever. Of course, by far the most common security threat related to wireless internet use is physical, not virtual: it is the theft or loss of the laptop or PDA on which you’re working. However, beyond taking sensible steps to ensure that a device remains in your possession, there are a variety of other security measures that companies need to adopt. This article on Computerworld gives a good overview.

Legislating for wi-fi security

Monday, May 29th, 2006

Officials in Westchester County, New York have recently attracted attention for their new law that requires businesses to secure their wi-fi hotspots. I’ve spoken before about the need for proper wireless security but, as usual, when businesses fail to take voluntary action sooner or later a regulator will pass a law to force them to act.

This is actually a pretty sensible law, but inevitably the reaction from many businesses will be to complain about the growing weight of legislation with which they have to comply. However, legislators all over the USA and elsewhere will be watching closely, so expect to see a spate of similar laws coming into force around the world soon.

Flash drives – again!

Monday, April 24th, 2006

Coming on the heels of my most recent post about the security risk posed by USB storage devices, here’s a story to chill the bones. It seems that classified military information is leaking out of Afghanistan and being offered for sale on those wonderful flash drives that we love so much.

I spend most of my time trying to get businesses, and particularly mid-size businesses, to grasp the security nettle and put in place a proper ISMS. The military hasn’t been much of a priority for me because, apart from anything else, you would sort of hope they understood these things better than many. I guess not.

For any organisation, a fundamental part of the solution has to be an appropriate system of usernames, rights and privileges. To the greatest extent possible, you need to confine access to sensitive information to those people who really need it. Properly mapping out access rights and keeping them up to date is critical. For example, if someone leaves an organisation or moves within it, their username must be withdrawn or their access rights amended immediately, not three months later. Similarly, if someone needs particular access rights to do a project, those rights should be withdrawn again as soon as the project is finished.
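The three cases above (leavers, movers, and project grants with an end date) are exactly what a periodic access review should catch, and a review that depends on someone remembering is the one that runs three months late. The script below is an added example, not part of the original post: it reconciles an HR roster against an export of granted access and lists every grant that should now be revoked or re-approved. The roster, the grant list, the user names and the resource names are all constructed sample data; a real run would feed it the HR system’s leaver feed and the directory’s group membership.

```sh
#!/bin/sh
# Added example: joiners/movers/leavers reconciliation for an access review.
# Constructed sample data (not from the original post). Real runs would
# replace these with an HR export and a directory/group-membership export.
HR_ROSTER='user,status,leave_date
alice,active,
bob,left,2006-02-28
carol,moved,
dave,active,'

# One line per grant; "expires" is empty for standing access, or an ISO date
# for time-limited project access.
GRANTS='user,resource,expires
alice,finance-share,
bob,finance-share,
carol,hr-share,
carol,project-x,2006-03-31
dave,project-x,2006-06-30
eve,backup-share,'

# revocations TODAY -> prints "user resource reason" for each grant that
# should be revoked (or, for movers, re-approved by the new manager).
# Dates are ISO 8601, so a plain string comparison orders them correctly.
revocations() {
    today="$1"
    {
        printf '%s\n' "$HR_ROSTER" | sed 's/^/H,/'
        printf '%s\n' "$GRANTS"    | sed 's/^/G,/'
    } | awk -F, -v today="$today" '
        $2 == "user" { next }                     # skip the CSV headers
        $1 == "H"    { status[$2] = $3; next }    # remember each person
        $1 == "G" {
            user = $2; resource = $3; expires = $4
            if (!(user in status))
                print user, resource, "orphan: no HR record"
            else if (status[user] == "left")
                print user, resource, "owner has left"
            else if (expires != "" && expires < today)
                print user, resource, "grant expired " expires
            else if (status[user] == "moved")
                print user, resource, "owner changed role; re-approve"
        }'
}

# Run the review for a given date, defaulting to today.
revocations "${1:-$(date +%F)}"
```

Run against the sample with `sh access-review.sh 2006-04-24` and it reports bob (left), carol’s expired project-x grant, carol’s hr-share grant for re-approval after her move, and eve, who holds access but has no HR record at all. The orphan case is worth keeping in any real version: accounts nobody owns are the ones that never get reviewed.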

That might not prove popular, but it is part of the ‘soft skills’ requirement of modern IT managers to be able to sell their policies as well as implement them. They need to be able to explain persuasively why security is good for the employee as well as the organisation. (However, this article indicates that there is still a long way to go before the IT function develops the necessary people management skills. Note to the CEO: investing in this area is not a ‘nice to have’ item, it is an urgent requirement if you expect your IT to remain secure.)

It is also essential to have in place clear user agreements and acceptable use policies: (a) to ensure that employees understand what is expected of them and (b) to provide a basis for taking legal action against them if they flout them. These measures should include explicit instructions not to remove data without authorization and various other measures to safeguard the integrity of the system.

I have written in considerably more detail about these issues in various books. However, in light of the profusion of USB storage devices today, I am thinking of adding one more measure to my recommendations, based on an item I read somewhere recently. If you are still worried that best practice policies and procedures aren’t enough, seal up the USB ports on people’s machines with glue!
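The glue has a software equivalent that is easier to reverse when a mouse needs plugging in. The script below is an added example, not from the original post or any vendor documentation: on a Linux host it writes a modprobe drop-in that makes the kernel refuse to load the USB mass-storage drivers (`usb-storage`, and `uas` for USB Attached SCSI), and then checks that the denial is in place. The target directory is a parameter so the functions can be exercised against a scratch directory; the file name `disable-usb-storage.conf` is my choice, not a standard one.

```sh
#!/bin/sh
# Added example: deny USB mass storage on a Linux host instead of gluing
# the ports. Writes a modprobe(5) drop-in and verifies it.

# block_usb_storage DIR -> writes DIR/disable-usb-storage.conf, prints its path
block_usb_storage() {
    dir="$1"
    conf="$dir/disable-usb-storage.conf"
    # 'install MOD /bin/false' is stronger than a bare 'blacklist': blacklist
    # only stops automatic loading by alias, whereas the install line replaces
    # every load request (even an explicit modprobe) with a command that fails.
    cat > "$conf" <<'EOF'
# Deny USB mass-storage drivers on this host (removable-media policy).
install usb-storage /bin/false
install uas /bin/false
blacklist usb-storage
blacklist uas
EOF
    echo "$conf"
}

# usb_storage_blocked DIR -> exit 0 only if both drivers are denied in DIR
usb_storage_blocked() {
    dir="$1"
    for mod in usb-storage uas; do
        grep -qs "^install $mod /bin/false" "$dir"/*.conf || return 1
    done
    return 0
}

# Usage on a real host (as root): sh deny-usb-storage.sh /etc/modprobe.d
# then unload anything already resident:  modprobe -r uas usb-storage
if [ -n "${1:-}" ]; then
    block_usb_storage "$1"
    usb_storage_blocked "$1" && echo "usb-storage and uas denied in $1"
fi
```

Two caveats a practitioner would want. First, this stops the host mounting a flash drive or an iPod as a disk; it does not stop a device charging, and it does nothing about a device that presents itself as a keyboard. Second, anyone with root on the box can delete the file, so the control belongs alongside the logging and the acceptable use policy, not in place of them. On Windows the comparable control is the removable storage restriction in Group Policy, or setting the `Start` value of the `USBSTOR` service to 4 so the driver is never started.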

iPod security threat

Thursday, March 30th, 2006

I have blogged previously about how simple USB storage devices pose a serious threat to corporate IT security. This article from Computerworld shows how the issue is escalating with the advent of the iPod as THE must-have accessory. Not only is an iPod a neat way to store your music, it is potentially also a great way to remove other data without permission and to introduce malware (knowingly or otherwise).

Unsurprisingly, Apple were not prepared to comment on whether they would be stepping up iPod security in light of this. It naturally falls to companies to make sure that they have policies and procedures in place to address this gaping vulnerability. However…

Eric Ouellet, vice president of research for security at Gartner Inc. in Stamford, Conn., said that only about 10% of enterprises have any policies dealing with removable storage devices.

Oh dear.

Woefully Wireless

Saturday, January 28th, 2006

According to Outlaw, a “global survey of 900 taxi drivers shows thousands of valuable mobile phones, PDAs and laptops are forgotten in taxis every day. Too often the devices are unsecured – and employers are urged to take responsibility.
Businesses are being urged to use the password and encryption facilities available on the recent crop of high memory capacity mobile smartphones to protect the data in the event of leaving the devices in the back of a cab.
In the last six months in London, 63,135 mobile phones, 5,838 PDAs and 4,973 laptops have been left in the city’s 24,000 licensed cabs. British cabbies also found a harp, a throne, £100,000 worth of diamonds, 37 milk bottles, a dog, a hamster, a suitcase from the fraud squad, and a baby.
In the past three and half years since the survey was first carried out there has been a sharp increase in the number of powerful, executive-focused mobile devices being forgotten in London taxis with 71% more laptops and 350% more PDAs being left than in 2001, which in the wrong hands could cause the owner and their company enormous damage.
The survey in London was conducted by TAXI, published by the Licensed Taxi Drivers Association, and mobile security experts Pointsec.”

One sometimes wonders why senior people, people considered mature enough to be issued with laptops, mobile phones and PDAs, are so incapable of looking after valuable data assets. Their wilful negligence in relation to data protection and privacy regulation, as well as to confidentiality requirements, suggests the time is coming when people who lose one of these devices should be disciplined.

Thank heavens for the taxi drivers, who apparently re-united 80% of people with their cellphones and 96% of people with their laptops and PDAs. I hope they charged extra!

Wireless accountability

Friday, March 11th, 2005

Wireless insecurity has been in the press during the last week – the Sunday Times (March 6, 2005) spoke of a ‘virus epidemic’ threatening to wipe mobiles’ memories, while SC Magazine and Computing both report the astonishing absence of security in one third of the City’s wireless networks.

Why are there these failures?

OK, the cellphone “virus epidemic” is a bit of journalistic panic-mongering; while cellphone viruses have, indeed, been reported from a number of countries, there still aren’t a great many species (three, I think) and they still aren’t spreading terribly quickly – not 100,000 devices affected in 24 hours, but maybe 100 affected in a number of months. Sure, now’s a good time to be looking at cellphone-level anti-malware products, but it’s not yet time to panic.

Wireless, though, is a different matter. Who in the computer world doesn’t know that WiFi kit, out of the box, has no security configured? Who, in the computer world, thinks that security is important on the fixed network but not on (or for) mobile devices? Who is accountable for employing the computer ‘experts’ (the IT staff) who allow wireless laptops to be issued to staff – or, worse, allow wireless Access Points to be set up, without appropriate security?

You can sympathise with those employees who’ve taken with enthusiasm to the wireless world beyond their organization’s fixed perimeter: it’s great to not have the heavy-handed system administrator telling them what they can and can’t do. What is surprising is that sysadmins allow this state of affairs – or that their managers and executives turn a blind eye to it.

Because they are turning a blind eye, aren’t they? The alternative is that they’re just incompetent and simply don’t know that wireless security is an issue, or that they’re supposed to do something about it.

Bluetooth Blues

Tuesday, January 25th, 2005

Bluetooth devices, particularly mobile phones, are at risk from two types of attack from nearby or passing devices: bluejacking and bluesnarfing. A bluejacking attack involves sending text messages to the mobile phones of any users who are within range, and it could be used both maliciously and for ‘bluespam’. A bluesnarfing attack is potentially more serious, and involves the theft of all contact information stored in the phone. Not all phones are vulnerable to these sorts of attacks, and the picture will change as manufacturers respond to the discovery of these vulnerabilities. At the moment (January 2005), it is said that Nokia 6310, 6310i, 8910 and 8910i models are at greatest risk. Apparently, “on some models of phone, you are only vulnerable to attack if you are on visible mode; however, there are other models of phones where you are vulnerable even in non-visible mode”.

The only defence is to turn Bluetooth off.

Gosh.

The very porous perimeter

Wednesday, November 3rd, 2004

Information security specialists have been talking increasingly about the problems of “the porous perimeter”. Business managers are simply going ahead and making the problem worse. Why? Because mobile computing and wireless connectivity massively improve business flexibility, efficiency and competitiveness. And management is quite right – the point about today’s handheld equipment – PDAs, Blackberries, MP3 players, USB flash sticks, digital cameras, camera phones, hand scanners and ultra light laptops – combined with Bluetooth and wireless modems – is that, as well as giving managers instant information, it empowers the workforce. It also empowers those who fancy themselves as industrial spies and, of course, makes it harder to identify the real espionage professionals.

Wouldn’t it be nice if business managers and IT professionals could get together inside organisations (technically, it’s called IT governance) and ensure that the deployment of new technologies does not leave businesses exposed? The 53% of businesses who have recently deployed wireless networks, but admit they haven’t included security controls of any sort, might need to think things through a little. We managers don’t need to know what WPA2 is, but we do need to make sure it’s deployed. Don’t we?
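“Make sure it’s deployed” is something the IT department can actually demonstrate rather than assert: walk the building with a laptop, list what it can hear, and flag anything that is open or still on WEP. The script below is an added example, not part of the original post or of any survey it cites; it classifies a wireless scan in the one-line-per-network format that NetworkManager’s `nmcli -t -f SSID,SECURITY device wifi list` prints, where an empty security field is an open network. The scan data is constructed, including the `default` network with no security that represents the out-of-the-box kit discussed in the earlier posts; the SSIDs are invented.

```sh
#!/bin/sh
# Added example: audit a wireless scan for open, WEP and WPA1-capable APs.
# Constructed sample scan (not real survey data), in the shape of
#   nmcli -t -f SSID,SECURITY device wifi list
# i.e. one "SSID:SECURITY" line per network, SECURITY empty for open APs.
SAMPLE_SCAN='ACME-CORP:WPA2 802.1X
ACME-GUEST:
FINANCE-AP:WEP
MEETING-ROOM-3:WPA1 WPA2
WAREHOUSE:WPA2
default:'

# classify_scan < scan -> "<verdict> <ssid> <security>" per network
#   FAIL:open   no security at all (the out-of-the-box state)
#   FAIL:wep    WEP is cryptographically broken; treat it as open
#   WARN:wpa1   WPA2 present but WPA1/TKIP still offered (a downgrade target)
#   OK          WPA2 only, whether PSK or 802.1X
# Colons inside SSIDs arrive escaped from nmcli and are not handled here.
classify_scan() {
    awk -F: '
        NF == 0 { next }
        {
            ssid = $1; sec = $2
            if      (sec == "")     verdict = "FAIL:open"
            else if (sec ~ /WEP/)   verdict = "FAIL:wep"
            else if (sec ~ /WPA1/)  verdict = "WARN:wpa1"
            else if (sec ~ /WPA2/)  verdict = "OK"
            else                    verdict = "WARN:unknown"
            print verdict, ssid, (sec == "" ? "-" : sec)
        }'
}

# failing_ssids < scan -> SSIDs that are open or WEP, one per line;
# exits 1 when any were found, so the audit can gate a larger script.
failing_ssids() {
    classify_scan | awk '$1 ~ /^FAIL/ { print $2; n++ } END { exit (n > 0) }'
}

# Demonstrate on the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | classify_scan
```

For a live audit pipe the real scan in: `nmcli -t -f SSID,SECURITY device wifi list | failing_ssids`. A guest network may legitimately be open, so the list needs a human to compare it against what was authorised; the point is that “FINANCE-AP on WEP” and “default with no security” are findings nobody has to understand WPA2 to act on.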