Proactive IT Security
 

Dangerous device diversification

Introduction

Most organizations have been experiencing an explosion in the number and types of devices that are in use in their networks. Gone are the days when traditional desktop computers, servers and printers, hard-wired together, were the available hardware in the network.

Devices in use

In addition to the traditional devices mentioned above, all kinds of portable tools are in use, either by the organizations themselves or by their employees. These devices may be connected to the network through a physical connection, to employee computers, and/or through wireless access.

Third-party consultants and visiting customers may also bring devices that can be connected to the organizations' infrastructure.

What most of these newer devices have in common is that they are small, portable, and in many cases used for pleasure and thus not related to the workplace.

To mention some examples of portable tools that potentially may be connected to an organization's network:

  • Portable computers (obviously)
  • Digital cameras
  • USB sticks
  • External hard drives
  • MP3 players and other music devices
  • Mobile phones
  • Reading devices (like Kindle and iPad)

What these have in common is, for example, that they can be used to store information from the organization and to transfer data/files to the organization. In other words: such portable devices can be used for industrial espionage (by accident or by intent) by competitors and disgruntled employees, and they can be used to infect the organization (by accident or by intent) with viruses, worms, trojans and other types of malware.

Please refer to the links at the end of this article for more details about some of the techniques used etc. 

Organizational policy

Security-aware organizations will have organizational policies in place regarding use of portable devices such as those mentioned above. Elements in such policies are often requirements for securing third-party hardware brought into the organization (e.g. scanning for malware, connection to parts of the network only), and rules regarding which personal devices the employees are allowed to connect to the network.

The problem with policy and rules, however, is that they can easily be broken either by accident or by intent. [The fact that penalties may be invoked is beside the point here.] Some organizations have therefore realized that although a policy is useful in most cases, it is not sufficient to secure the organization adequately.

Enforcing policy

The most efficient way to ensure that the policy is followed is to make it impossible not to.

One approach is to use software for white- and/or blacklisting the devices allowed to be used within an organization. There are several available products which offer this and similar functionality, for example Norman's security program Norman Device Control. The products vary in how customizable they are: some may, for example, assign different rights to the same type of device if the model differs, and restrict the amount of data transferred to a device during a certain period of time.
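A minimal sketch of the white-/blacklisting model described above, as an added example (not code from this article or from any product): it resolves rights per device class and model, denies anything not listed, and caps the data written to a device within a time window. The policy entries, the model name "ACME SecureStick", the 50 MB quota and the 24-hour window are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    access: str           # "deny", "read" or "readwrite"
    quota_bytes: int = 0  # bytes that may be written to the device per window

MB = 1024 ** 2
# Constructed policy. Key is (device class, model); model None is the class default.
POLICY = {
    ("usb_storage", "ACME SecureStick"): Rule("readwrite", 50 * MB),
    ("usb_storage", None): Rule("read"),
    ("camera", None): Rule("read"),
    ("mp3_player", None): Rule("deny"),
}

class DeviceControl:
    def __init__(self, policy, window_seconds=24 * 3600):
        self.policy = policy
        self.window = window_seconds
        self.writes = {}  # device serial -> [(timestamp, bytes written)]

    def rule_for(self, dev_class, model):
        # Most specific rule wins; anything not listed is denied (allowlist model).
        return (self.policy.get((dev_class, model))
                or self.policy.get((dev_class, None))
                or Rule("deny"))

    def allow_read(self, dev_class, model):
        return self.rule_for(dev_class, model).access in ("read", "readwrite")

    def allow_write(self, dev_class, model, serial, nbytes, now):
        rule = self.rule_for(dev_class, model)
        if rule.access != "readwrite":
            return False
        # Only transfers inside the sliding window count against the quota.
        recent = [(t, n) for t, n in self.writes.get(serial, []) if now - t < self.window]
        self.writes[serial] = recent
        if sum(n for _, n in recent) + nbytes > rule.quota_bytes:
            return False  # denied transfers are not charged to the quota
        recent.append((now, nbytes))
        return True
```

Tracking the quota per device serial rather than per user means the cap follows the physical device from one workstation to another, provided the write history is kept centrally.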

Setting up a comprehensive environment for device control in an organization requires considerable planning and implementation, but it may be the necessary tool to provide the desired level of security. 

Other relevant security articles