Consumer Technologies: The New Inside Threat
Your Employees' New, Mobile Toys May Put Critical Data at Risk
But did you also realize that these same consumer-friendly tools represent one of your institution's biggest and fastest-growing security threats?
Vulnerable to viruses and susceptible to theft or loss, these popular gadgets often fall outside the institution's approved technology standards. And while they may improve your employees' efficiency, they also increase your organization's exposure to the mishandling of sensitive data.
In response to the threat posed by consumer technologies, many institutions are outright banning the use of unauthorized devices such as those described above; others are trying to accommodate them while still adhering to security best-practices.
"These are credible threats," says Bruce Sussman, Senior Manager at Crowe Chizek, the Ill.-based accounting and consulting group. "Due to proliferation of handheld devices, smart phones and mobile banking and the convergence of technologies, U.S. business and consumers may face the same security challenges which have recently emerged in Europe and Asia. I would say that smart phones, PDAs and various digital devices represent the same information security challenges that PCs did in the 1980s."
The SANS Institute (www.sans.org) produces an annual Top 20 report on security risks, and high atop this year's list: the use of unauthorized devices.
The "plug and play" aspect that appeals to consumers is also the one that heightens the inherent risks.
"Along with the 'plug and play' capability, [some of] these devices are also doubling up as hard drives, by either a flash memory card or an embedded hard drive within the device," says Nick Holland, an information security research analyst at Aite Group, the Boston-based research and consulting firm. "They automatically become an extension of whatever PC or laptop they plug into or attach to."
The ability to add or extract information with these unauthorized devices is a risk institutions need to control because of the possibility of a data breach or infection. "These unauthorized devices could be infected with a virus or other forms of malware that would spread over that channel once the device is plugged in," Holland says.
An infection can spread quickly, as one example Holland cites from his recent research shows. "The RSA researchers showed me where a Bluetooth connection was the means for transporting malware in a wireless environment to other devices it found."
Another example: a malicious SMS message spreading from a Bluetooth-equipped cell phone to other nearby devices. "With the trends for most of these mobile devices now offering radio and Wi-Fi as the de facto standard, it also opens up these devices to all of the same 'over-the-airwaves' transmission methods to deliver viruses and other malware," Holland notes.
And then there's the risk of employees downloading sensitive data onto personal laptops, PDAs or portable hard drives ... and then misplacing the devices. Or having them stolen. The more mobile the technology, the more mobile the risks.
This isn't a new paradigm. New technology often outpaces the ability of information security professionals to control and protect their institution's networks from attacks, says Sussman. "First comes usage then come the threats and then the solutions. Some of the security solutions for smart phones are beginning to creep in to the marketplace. I hope that these safeguards will be introduced faster than history would suggest."
Because of regulatory requirements, financial institutions are doing a better job than many other industries when it comes to mitigating the threat of consumer technologies. The effort requires a combination of technology and security awareness, as well as education of employees.
Keith Gienty, Director of Information Technology at Southwest Corporate Federal Credit Union in Plano, TX, sees many unauthorized device problems in his IT operations. Recently merged with Northwest Corporate CU, Portland, OR, Southwest has $14 billion in assets and serves 1,500 credit unions in 43 states. Unauthorized equipment that causes headaches for Gienty includes USB flash drives.
To fight the problem, Gienty placed controls on the USB ports of employee laptops by monitoring them through Active Directory. "We're not as strict as some institutions, so the hardest part of the monitoring is determining the difference between a mouse or keyboard being plugged in, and a USB or external drive being plugged in," Gienty says. But better the worry over authorized use than whether critical data is walking out the door on thumb drives every night.
Alan McHugh, Manager of Information Technology at United States Postal Service Federal Credit Union, also has utilized a combination of technological solutions and enforcement of policy to lock down data and unauthorized tools at the credit unionâ€™s branches in five states.
The credit union has deployed a monitoring tool on its network to detect the use of any external device on the network. The same tool allows McHugh to monitor users' activities as well, he says.
Ways other institutions are tackling the problem include:
- Update their security policies to address these devices (new devices are introduced every year; policies should adapt accordingly);
- Let employees know what's acceptable (Acceptable Use Policy);
- Know what's plugged into their network (monitoring systems);
- Stop unauthorized devices from connecting.
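The hard part Gienty describes, telling a keyboard or mouse apart from a storage device, and the last two items above (know what is plugged in; stop what is not approved) come down to the same triage step on the device events a Windows host logs. The script below is an added example, not code from the article or from either credit union. It works on constructed records shaped like Windows Security event 6416 ("A new external device was recognized by the system"), classifies each by its device setup-class GUID (standard Windows values), and flags storage-class devices whose USB vendor/product ID is not on an approved list. The record field names, the sample events and the approved-ID list are assumptions.

```python
"""Triage 'new external device' events: separate keyboards and mice from
removable storage, then flag storage that is not on the institution's
approved list.

Added example; not code from the article or from the credit unions it
describes. The records are constructed to resemble the fields of Windows
Security event 6416 ("A new external device was recognized by the system");
the field names used here and the approved-device list are assumptions.
"""
import re
from dataclasses import dataclass

# Windows device setup-class GUIDs (standard values, lower-cased).
INPUT_CLASSES = {
    "{4d36e96b-e325-11ce-bfc1-08002be10318}": "Keyboard",
    "{4d36e96f-e325-11ce-bfc1-08002be10318}": "Mouse",
    "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}": "HIDClass",
}
STORAGE_CLASSES = {
    "{4d36e967-e325-11ce-bfc1-08002be10318}": "DiskDrive",
    "{eec5ad98-8080-425f-922a-dabf3de3f69a}": "WPD",  # phones/cameras exposing media storage
}

# Assumed allowlist: USB vendor/product IDs of the drives the institution issues.
APPROVED_VID_PID = {("0781", "5567")}

VID_PID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


@dataclass
class DeviceEvent:
    computer: str
    user: str
    class_id: str    # setup-class GUID reported in the event
    device_id: str   # device instance path reported in the event
    vendor_ids: str  # hardware IDs reported in the event (may carry VID/PID)


def vid_pid(*paths):
    """Return (VID, PID) from the first path that carries them, else None."""
    for p in paths:
        m = VID_PID_RE.search(p)
        if m:
            return (m.group(1).upper(), m.group(2).upper())
    return None


def classify(ev):
    """'input' for keyboard/mouse/HID classes, 'storage-approved' or
    'storage-unapproved' for disk/WPD classes, 'other' for everything else."""
    cid = ev.class_id.lower()
    if cid in INPUT_CLASSES:
        return "input"
    if cid in STORAGE_CLASSES:
        ids = vid_pid(ev.device_id, ev.vendor_ids)
        # Fail closed: storage with no recognisable VID/PID counts as unapproved.
        return "storage-approved" if ids in APPROVED_VID_PID else "storage-unapproved"
    return "other"


def triage(events):
    """Return one alert line per unapproved storage event."""
    alerts = []
    for ev in events:
        if classify(ev) == "storage-unapproved":
            ids = vid_pid(ev.device_id, ev.vendor_ids)
            shown = "unknown" if ids is None else f"{ids[0]}:{ids[1]}"
            alerts.append(f"{ev.computer} {ev.user}: unapproved storage "
                          f"{ev.device_id} (VID:PID {shown})")
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    DeviceEvent("WKS-0101", "CORP\\jdoe", "{4D36E96B-E325-11CE-BFC1-08002BE10318}",
                r"HID\VID_046D&PID_C31C&MI_00\7&1a2b3c&0&0000", r"USB\VID_046D&PID_C31C"),
    DeviceEvent("WKS-0101", "CORP\\jdoe", "{4D36E96F-E325-11CE-BFC1-08002BE10318}",
                r"HID\VID_046D&PID_C077\6&2f3e4d&0&0000", r"USB\VID_046D&PID_C077"),
    DeviceEvent("WKS-0102", "CORP\\asmith", "{4D36E967-E325-11CE-BFC1-08002BE10318}",
                r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230224&0",
                r"USB\VID_0781&PID_5567"),
    DeviceEvent("WKS-0102", "CORP\\asmith", "{4D36E967-E325-11CE-BFC1-08002BE10318}",
                r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E06B2A8C&0",
                r"USB\VID_0951&PID_1666"),
    DeviceEvent("WKS-0103", "CORP\\bchen", "{EEC5AD98-8080-425F-922A-DABF3DE3F69A}",
                r"USB\VID_18D1&PID_4EE1\9AB7C2D3", r"USB\VID_18D1&PID_4EE1"),
    DeviceEvent("WKS-0103", "CORP\\bchen", "{36FC9E60-C465-11CF-8056-444553540000}",
                r"USB\VID_05E3&PID_0610\5&3a4b5c6d&0&2", r"USB\VID_05E3&PID_0610"),  # a USB hub
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.computer:8} {classify(ev):20} {ev.device_id}")
    print("\n".join(triage(SAMPLE_EVENTS)))
```

Run against the six constructed events, the keyboard, mouse and hub are left alone, the issued SanDisk drive is approved, and the Kingston drive and the phone produce alerts. One caveat: the class GUID records what a device claims to be, so a malicious device that enumerates as a keyboard is classified as "input" by this logic; detection of that kind belongs alongside, not instead of, the device-installation restrictions that Group Policy can enforce on the host.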
Once a security solution is implemented, Crowe Chizek's Sussman stresses the importance of testing and auditing it to make sure it is effective, and of updating it as threats evolve and new devices are introduced.
Bottom line: the new consumer toys are fun, flashy and they can boost employee productivity, but at a risk. Institutions need to recognize that these mobile, portable devices are vectors for attack via malware, and take steps to control them within their institution.
"I see this as a significant problem in the coming years both for institutions and for consumers," says Aite's Holland.