Network Endpoint Security News - Watch Your End

This year’s annual DeviceWall Security Attitudes survey has shown that more mobile gadgets than ever are now finding their way into the workplace - with 70% of computer users now connecting some form of portable storage to their company PC on a daily basis.

The most common device to be connected to the network was the USB drive - used by 38 per cent of respondents. Also popular were PDAs (21 per cent), digital cameras (15 per cent), mobile phones (14 per cent) and MP3 players (7 per cent).

The company behind the research, Centennial Software, warns of the dangers associated with uncontrolled use of these devices in the office: “USB drives are now available with 64 GB of memory – more than your average laptop holds – which could be used by a disgruntled employee to download an entire customer database or over two million Word documents,” said Andy Burton, CEO at Centennial. “As flexible working becomes more widespread, so will these devices – as they can play an essential part in effective business – so it’s vital that companies address this now.”

Following data theft news in the last week from the Red Cross and Veterans’ Association, the DeviceWall research clearly shows that portable storage carries a number of serious risks to the organization.

At a time when many in federal and state government are calling for better data theft disclosure and accountability laws, it seems ironic that the US authorities themselves may be guilty of trying to cover up the largest incident of recent months.

According to CNN & USA Today, an insider has admitted that authorities waited three weeks before notifying the public about the theft of 26.5 million veterans’ personal data. If this is indeed the case, what hope is there that an effective law demanding the prompt disclosure of important data thefts like this will ever be passed?

If reports that the stolen data was contained on an external drive are proven correct, it once again raises the security issues surrounding mobile storage devices - which are inherently insecure. With many encryption technologies now easily (and cheaply) available, organizations need to re-think how they store data outside the corporate network.

After all, while portable devices may be seen as ‘disposable’ due to their low cost, the data they contain certainly isn’t…

Kenneth Kwak, a systems auditor working on computer security at the US Department of Education has been sent to jail for five months after he admitted installing spyware on his boss’s computer. Kwak used the software to monitor email and surfing activity - later informing other colleagues of the manager’s habits.

In addition to his five months in jail, Kwak will spend a further five months with an electronic tag and has been ordered to pay $40,000 costs to the US Govt.

In a recent article Peter Costa, the head of enterprise security at GE Consumer Finance warns companies to be “fanatical about prosecution” of data thieves and that it is important to “have a public hanging… they have to know you’ll go after them”. He stated that GE will also continue the pressure and call the parole board when a data thief’s hearing is approaching to discourage release, stating that “you’ve got to make a point”.

Another point made by Costa is that “we’re far too trusting of insiders”. Most companies underestimate internal security threats, such as people walking into secure areas of a building just behind someone else. Costa also discusses the importance of encryption just in case your other security measures fail and say a USB stick or backup tape with confidential informaiton is stolen.

Source: Computer World - GE security exec shares tips to reduce security risks

Richard Thomas, the UK’s Information Commissioner, has called for a tougher stance on data theft, with two-year prison sentences for those found guilty of selling or buying personal information.

In a report to the British parliament, the information ‘tsar’ has warned that it is currently far too easy to obtain confidential records and that there are not sufficient measures to make selling private information less attractive to those looking to make a quick buck.

Thomas also singled out private investigators as creating a lucrative market for personal information, with the ability to purchase phone records and other personal data cheaply and without much in the way of fear of getting caught.

Thomas warned in his statement: “Organisations can also be victims of this pernicious trade. Advances in technology enable public and private bodies to hold vast amounts of information about us but they need to be fully aware of the risks of unauthorised disclosure and take strong precautions.”

He criticized the current stance on data theft, stating that until tougher setencing was introduced, the seriousness of data theft would continue to be masked in both the public mind and the judicial system.