Consumer Technologies: The New Inside Threat

Your Employees' New, Mobile Toys May Put Critical Data at Risk
Consumer Technologies: The New Inside Threat
iPods. iPhones. Thumb drives. Personal laptops. Wireless headsets. They’re among the toys your employees just got over the holidays, and they’re rapidly being deployed to conduct business within your institution.

But did you also realize that these same consumer-friendly tools represent one of your institution’s biggest and fastest-growing security threats?

Vulnerable to viruses, susceptible to theft or misplacement, these popular gadgets often fly under the radar of authorized technology standards. And while they may improve your employees’ efficiency, they also increase your organization’s vulnerability to the mishandling of sensitive data.

In response to the threat posed by consumer technologies, many institutions are outright banning the use of unauthorized devices such as those described above; others are trying to accommodate them while still adhering to security best-practices.

“These are credible threats,” says Bruce Sussman, Senior Manager at Crowe Chizek, the Ill.-based accounting and consulting group. “Due to proliferation of handheld devices, smart phones and mobile banking and the convergence of technologies, U.S. business and consumers may face the same security challenges which have recently emerged in Europe and Asia. I would say that smart phones, PDAs and various digital devices represent the same information security challenges that PCs did in the 1980s.”

The SANS Institute (www.sans.org) produces an annual Top 20 report on security risks, and high atop this year’s list: the use of unauthorized devices.

The Risks

The “plug and play” aspect that appeals to consumers is also the one that heightens the inherent risks.

“Along with the ‘plug and play’ capability, [some of] these devices are also doubling up as hard drives, by either a flash memory card or an embedded hard drive within the device,” says Nick Holland, an information security research analyst at Aite Group, the Boston-based research and consulting firm. “They automatically become an extension of whatever PC or laptop they plug into or attach to.”

The ability to add or extract information with these unauthorized devices is a risk institutions need to control because of the possibility of a data breach or infection. “These unauthorized devices could be infected with a virus or other forms of malware that would spread over that channel once the device is plugged in,” Holland says.

The speed at which an infection could spread is mind-bogglingly fast, as one example Holland cites from some of his recent research. “The RSA researchers showed me where a Bluetooth connection was the means for transporting malware in a wireless environment to other devices it found.”

Another example: an infected SMS message spreading via the Bluetooth wireless cell phone headset to other devices. “With the trends for most of these mobile devices now offering radio and Wi-Fi as the de facto standard, it also opens up these devices to all of the same ‘over-the-airwaves’ transmission methods to deliver viruses and other malware,” Holland notes.

And then there’s the risk of employees downloading sensitive data onto personal laptops, PDAs or portable hard drives … and then misplacing the devices. Or having them stolen. The more mobile the technology, the more mobile the risks.

This isn’t a new paradigm. The leapfrogging of new technology often exceeds the ability for information security professionals to control and protect their institution’s networks from attacks, says Sussman. “First comes usage then come the threats and then the solutions. Some of the security solutions for smart phones are beginning to creep in to the marketplace. I hope that these safeguards will be introduced faster than history would suggest.”

The Solutions

Because of regulatory requirements, financial institutions are doing a better job than many other industries when it comes to mitigating the threat of consumer technologies. The effort requires a combination of technology and security awareness, as well as education of employees.

Keith Gienty, Director of Information Technology at Southwest Corporate Federal Credit Union in Plano, TX., sees many unauthorized device problems in his IT operations. Recently merged with Northwest Corporate CU, Portland, OR, Southwest has $14 billion in assets and serves 1,500 credit unions in 43 states. Unauthorized equipment that causes some headaches for Gienty includes portable flash drives, or USBs.

To fight the problem, Gienty placed controls on employee laptop USB drives by monitoring them through active directory. “We’re not as strict as some institutions, so the hardest part of the monitoring is determining the difference between a mouse or keyboard being plugged in, and a USB or external drive being plugged in,” Gienty says. But better the worry over authorized use than whether critical data is walking out the door on thumb drives every night.

Alan McHugh, Manager of Information Technology at United States Postal Service Federal Credit Union, also has utilized a combination of technological solutions and enforcement of policy to lock down data and unauthorized tools at the credit union’s branches in five states.

The credit union has initiated a monitoring tool on its network to detect the use of any external device on the network. This same tool allows McHugh to monitor users’ activities as well, he says.

Ways other institutions are tackling the problem include:

  • Update Their Security Policies to Address These Devices (new toys are introduced every year; policies should adapt accordingly);
  • Let Employees Know What’s Acceptable (Acceptable Use Policy);
  • Know What’s Plugged Into Their Network (Monitoring Systems);
  • Stop Unauthorized Devices From Connecting.

Once a security solution is implemented, Crowe Chizek’s Sussman stresses the importance of ensuring it is tested and audited to make sure it is effective, and that the institution's program updates the solution in response to evolving threats – and newly-introduced devices.

Bottom line: the new consumer toys are fun, flashy and they can boost employee productivity – but at a risk. Institutions need to recognize that these mobile, portable devices are vectors for attack via malware, and take steps to control them within their institution.

“I see this as a significant problem in the coming years both for institutions and for consumers,” says Aite’s Holland.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.