Apparently, the latest security threat to the enterprise is
Pod
slurping. Gartner recommended banning portable storage devices,
including iPods,
last
year, but Abe Usher has taken it a step farther by providing a
proof-of-concept application called
slurp
that could run off of an iPod or other portable storage device. Usher
paints a scary scenario to put the fear of iPods in all of us:
An unauthorized visitor shows up after work hours disguised as a janitor
and carrying an iPod (or similar portable storage device). He walks from
computer to computer and "slurps" up all of the Microsoft Office files from
each system. Within an hour he has acquired 20,000 files from over a dozen
workstations. He returns home and uploads the files from his iPod to his
PC. Using his handy desktop search program, he quickly finds the
proprietary information that he was looking for.
A scary scenario indeed. We put slurp to the test, to see if it is indeed
that quick and easy. Usher's slurp.exe runs off of the portable storage
device and copies documents (including *.doc, *.xml, *.xls, *.txt and
others) from the "C:\Documents and Settings\" directory onto
the portable storage device. Since we didn't have a Windows-compatible iPod
handy, we used a 512MB USB flash drive instead.
Indeed, slurp.exe works as advertised, searching the target computer (a
Windows XP machine) and copying all Office documents from the target
directory to the USB drive in less than a minute. (Admittedly, there were
only a dozen or so, so target computers with hundreds of documents may take
more time.) While testing, it also occurred to us that slurp could also
provide a valuable legitimate use by allowing users to back up their Office
documents to work on them at home. Note that Usher's slurp.exe is
"crippled" to only allow a user that's logged in to copy documents, and
maxes out at 200 files.
Usher calls for organizations to put several technology- and policy-based
countermeasures in place to reduce the risk of data theft with portable
devices. We agree with Usher that organizations with sensitive data should
have strong physical security to prevent intruders from gaining access to
systems. Usher's scenario - an unauthorized visitor snooping through the
office unsupervised - shouldn't be allowed in any workplace that needs to
enforce data security.
Restricting removable storage devices, however, may be much more difficult
-- and ultimately futile, since they're easy to conceal and users with
physical access to machines also probably have access to other means for
sending sensitive information off-site: e-mail or uploading files to
web-based storage, for example. Keeping unauthorized users away from systems is one
thing, preventing a disgruntled employee from removing documents is
another.
Usher's technical suggestions are also interesting. He suggests disabling
USB connections in the system's BIOS, using encryption, keeping corporate
data on protected network shares and using third-party applications like DeviceLock to lock down access to
USB and other removable devices.
Administrators who wish to disable USB connections in the system bios will
also need to password-protect the BIOS to prevent a user from simply
re-enabling it. Use of encryption for sensitive data is certainly
recommended, though training average PC users to actually utilize
encryption may be more easier said than done.
Keeping data on network shares only works if there's a way to prevent the
user from copying the data to the local PC or sending it off-site via the
network. Third party apps like DeviceLock are only useful while a PC is
running -- so a user who reboots the PC and uses a live CD of some kind is
going to be able to bypass DeviceLock rather easily.
The possible abuses of portable storage devices like the iPod should be
taken seriously. The ability to copy tens of gigabytes of data onto a
pocket-sized device is certainly a threat to organizations with sensitive
data to protect. However, it wouldn't pay to focus on portable storage
devices alone. There are many, many ways that someone with physical access
would be able to compromise an organization's security. Banning iPods and
other storage devices, without a comprehensive security policy that covers
other possible attacks, is likely to do nothing more than annoy employees.
Comments (21 posted)
