Network Endpoint Security News - Watch Your End

We’ve spent a lot of time on WatchYourEnd.com talking about the threats posed by personal storage devices to corporate data. But it seems its not only the employers who are at risk.

Recent statistics from the UK Government’s Home Office suggest that street crime has seen an eight percent rise which is directly attributable to the theft of ‘personal electronics’ such as mobile phones and MP3 players. Worse still, it seems the majority if insurance policies do not cover theft or damage to these devices (or the data contained on them).

According to new research, Britons will buy 2.5 million mobile phones, 1.25 million MP3 players and 2.5 million digital cameras over the next six months. Great news for the manufacturers electronic gadgets, but perhaps not so welcome for IT managers who are trying to stop these devices being connected to the corporate network.

Thanks to their plug and play abilities, it has never been easier for computer users to get information off the network or to introduce unwanted content (whether it is ‘innocent’ content like holoiday snaps and music, or more malicious spyware and viruses) onto company-owned PCs.

And while some organizations employ a total ban on these kinds of devices in the workplace, few can find it a workable solution - especially when they are now so prolific. For those companies without armed guards and x-ray machines on the door, a much more sensible solution is to automatically allow or block the connection of different devices according to the individual’s security privileges. Then IT managers won’t need to worry if employees buy one million or ten million new MP3 players, they’ll still be kept safely at arm’s length from the network.

It seems Burger chain McDonalds got more than it bargain for following a recent promotion in Japan to give away 10,000 MP3 players pre-loaded with 10 songs each. Apparently, the songs weren’t the only files resident on the little devices -also pre-loaded was the QQPass malware, which steals passwords, usernames and other information from any computer the host device is connected to.

McDonalds in Japan has set up a 24 hour hotline for worried competition winners.

While this is bad news for any individuals unfortunate enough to have won one of the 10,000 MP3 players - just how many of these devices found their way into offices and have since begun merrily forwarding network passwords, financial information and other sensitive data?

MP3 players aren’t just a security risk, it appears. British tabloid newspaper, The Sun, has claimed that a leading UK hospital lost its servers for two days thanks to staff downloading huge quantities of songs and movies from the internet for use on their MP3 players. Journalists found that servers at the Queen Mother Hospital in Kent were out of action for 48 hours while storage space intended for X-rays and patient records was crammed full of multimedia files.

After the main server crashed the hospital went on a go-slow and X-rays had to be processed using film while patient notes were pulled out of hand-written back-up files. Managers at the hospital – which had to close a ward last month because of a £35 million ($65 million) hole in finances — admitted the computer misuse had been costly.

A spokeswoman said: “Staff have been told that from now on any music or other inappropriate files will be wiped.”

Better still, perhaps they need a way to prevent iPods and MP3 players being connected to PCs on the network?

ADDENDUM: The BBC has subsequently also covered this story, although its take on the events is somewhat different. We’ve linked to the BBC’s version of events in the interests of covering all angles. Regardless of whether servers were down for half a day or 48 hours, the story still shows the potential disruption that can be caused by failing to manage the presence of unwanted personal devices on the corporate network.

According to PriceWaterhouseCoopers, 43% of UK businesses rely on nothing more than “pretty please” to stop staff copying valuable data from the corporate network onto personal storage devices such as USB flash drives and MP3 players. What’s more, 41% of organizations make no effort whatsoever to prevent the unauthorized transfer of data file to and from these devices. Only 14% have invested in technology to control the presence of unwanted devices on the network.

These results, from the Information Security Breaches Survey 2006, show an alarming lack of willingness among UK companies to address serious endpoint security threats such as device misuse and data theft.

This is all the more suprising when the average large organization in the UK faces an average of 13 internal security breaches every year (compared to 19 breaches in total) and the total cost of security incidents is rated at 10 billion British pounds (18bn US dollars).

And the picture doesn’t get any better in 2006/7 - with two-thirds of respondents expecting another increase in security breaches and 60% saying breaches will become harder to detect.