Apple’s now ubiquitous iPod has such an extensive memory that some unscrupulous members of staff are plugging their music players into work PCs not to download the latest tracks issued online by Iron Maiden or Marillion, but rather to copy across sensitive company information. How might directors of IT and security combat this personal abuse of the network and USB ports? John Redeyoff outlines some possible solutions to a growing problem.
It’s nasty and rather distasteful... and that’s just the nickname! ‘Podslurping’ is the latest buzz word in the technology industry, used to describe the theft of company data via an Apple iPod music player. Unscrupulous members of staff have been taking advantage of these devices’ storage capacity by plugging them into office PCs and copying sensitive company files onto them.
It must be said that it’s not just covert music lovers looking to breach office security, either. A whole raft of portable storage devices – including data pens and memory sticks – have entered the commercial world of late, all equally capable of carrying corporate information off the premises.
While PCs have long been able to write data to removable media, first via floppy disks and of late via DVD burners, it is the plethora of new, far less conspicuous devices – together with a growing black market for stolen personal and corporate data – that is beginning to tax the minds of corporate security directors. Those same professionals can no longer look solely at perimeter controls (including firewalls) to protect their systems.
The enemy within is most certainly emerging as a potent threat to be taken every bit as seriously as any external risk. Indeed, one recent major survey reported that 85% of corporate fraud in the UK is perpetrated by company employees. It’s not limited to the mainland, either. Late last year, an Indian call centre worker was reportedly selling the confidential financial details of UK consumers to any takers for just £4.25 each.
USB: the gateway to fraud
Unfortunately, this kind of internal fraud could not be simpler. Using the ubiquitous USB port found on today’s office IT equipment, stealing files and other information takes little more than a drag and drop.
There are even free podslurping tools available for download from the Internet that automate the copying once a device is connected. Small wonder, then, that 12 months ago the Ministry of Defence limited the areas of its premises into which iPods could be taken, and analyst firm Gartner urged that they be banned from all businesses forthwith. However, banning – or otherwise limiting – these bright white gadgets is one thing. Taking the same measure against easily-concealed data cards, pens and sticks presents quite a different challenge.
Likewise, delivering an internal security strategy that differentiates between, say, casual and permanent staff of different seniority, between different files and data and between the differing levels of a particular network offers its own set of issues to be addressed by the security manager and/or the director of IT.
In spite of this, merely recognising the potential threat to office security is a first step. Obviously, the thought that some of your company’s employees might consider removing files from the system is far from palatable. That said, it is an important fact of modern life today and must therefore be afforded the same attention as those threats emanating from without.
Thankfully, the software industry and network suppliers have begun their response and, as a result, there are a number of steps security managers can take to combat this internal security problem.
For those professionals groaning under the weight of yet another technology expense, it’s important to weigh the cost of controls against the organisation’s actual exposure. A business that employs, say, a large number of contract workers (or freelancers) would need a far more robust internal security regime than a company whose computers are operated solely by full-time staff.
In a similar vein, an organisation that holds large amounts of third party data on customers – for example a financial services house – would want to consider a much stronger internal defence mechanism than, say, the firm holding files relating solely to its own dealings.
Be subtle, be secure
The complexity and potential cost of the internal threat has inevitably led to a wide range of responses. Some companies have resorted to physically sealing the USB ports on their PCs, or removing them altogether, while others pre-order machines ‘neutered’ of USB ports, floppy drives and CD and DVD drives.
The problem with such Draconian measures is that they also stop honest members of staff from transferring data legitimately in the course of their everyday work.
There are more subtle – and every bit as effective – methods of imposing security on a network. Device-control software allows security managers to set per-machine limits on USB usage, typically by device class: a port may be allowed to accept a keyboard or an audio device, for instance, while a mass-storage device is refused outright or mounted read-only so that nothing can be written to it. Other software products have been developed that can ‘lock down’ the data on a company’s network. Typically, this software sits on the network and manages access both at the network level and to individual files. The latter can be protected by running digital rights management software, which encrypts the data files and establishes rules for what individual users may do with them.
More sophisticated versions monitor individual files on a company’s network and can prevent them from being moved, copied, printed or e-mailed without the appropriate authorisation. The software also audits file movements by individual users, so that a copy to removable media is recorded against the person and the device that made it. For their part, network managers are then able to create different profiles for different users, restricting access to various levels of the network and to chosen files.
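The audit capability described above is only useful if someone actually correlates the records. The following is an added example, not code from the article or from any product it mentions: it takes a constructed audit trail in a hypothetical ‘timestamp key=value …’ format, ties each file copy to the USB mass-storage device that was attached to that PC at the time, and flags sessions that pulled files from sensitive shares or moved a suspicious volume of data. The share names, drive letters, byte threshold and log format are all assumptions for illustration.

```python
"""Mini device-control audit: correlate USB mass-storage attach events with the
file copies that follow, and flag sessions that moved sensitive or bulk data
onto removable media. Added example; log format and policy values are assumed."""

# Constructed sample audit trail (hypothetical 'timestamp key=value ...' format).
SAMPLE_LOG = r"""
2005-11-14T09:12:03 host=FIN-PC07 user=agency.temp event=usb_storage_attach drive=E: vid=05ac pid=1209 serial=000A2700
2005-11-14T09:12:41 host=FIN-PC07 user=agency.temp event=file_copy src=\\fileserver\finance\Q3_customer_list.xls dst=E:\Q3_customer_list.xls bytes=4194304
2005-11-14T09:13:05 host=FIN-PC07 user=agency.temp event=file_copy src=\\fileserver\finance\card_holders.csv dst=E:\cards.csv bytes=73400320
2005-11-14T09:20:00 host=FIN-PC07 user=agency.temp event=usb_storage_detach drive=E:
2005-11-14T10:01:17 host=MKT-PC02 user=j.bloggs event=usb_storage_attach drive=F: vid=0781 pid=5406 serial=1234ABCD
2005-11-14T10:02:00 host=MKT-PC02 user=j.bloggs event=file_copy src=C:\Users\j.bloggs\talk.ppt dst=F:\talk.ppt bytes=2097152
2005-11-14T10:05:00 host=MKT-PC02 user=j.bloggs event=file_copy src=C:\Users\j.bloggs\talk.ppt dst=D:\backup\talk.ppt bytes=2097152
2005-11-14T11:00:00 host=HR-PC01 user=a.smith event=file_copy src=\\fileserver\hr\payroll.xls dst=G:\payroll.xls bytes=1048576
"""

FIXED_DRIVES = {"C:", "D:"}                                          # constructed: local disks
SENSITIVE_PREFIXES = (r"\\fileserver\finance", r"\\fileserver\hr")  # constructed: protected shares
BYTES_THRESHOLD = 50 * 1024 * 1024                                   # constructed: bulk-copy alert level


def parse_line(line):
    """Turn 'TIMESTAMP key=value key=value ...' into a dict, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_sensitive(path):
    """True if the source path sits under one of the protected shares."""
    return path.lower().startswith(tuple(p.lower() for p in SENSITIVE_PREFIXES))


def analyse(log_text):
    """Return every attach session, the subset that warrants an alert, and any
    copies to a non-fixed drive that could not be tied to an attach event."""
    mounted = {}        # (host, drive) -> session, while a removable disk is present
    sessions, unattributed = [], []

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        event = ev.get("event")
        if event == "usb_storage_attach":
            session = {"user": ev["user"], "host": ev["host"], "drive": ev["drive"],
                       "serial": ev.get("serial", "?"), "attached": ev["ts"],
                       "bytes": 0, "files": [], "sensitive": []}
            mounted[(ev["host"], ev["drive"])] = session
            sessions.append(session)
        elif event == "usb_storage_detach":
            mounted.pop((ev["host"], ev["drive"]), None)
        elif event == "file_copy":
            drive = ev["dst"][:2].upper()
            if drive in FIXED_DRIVES:
                continue                                  # data is not leaving the machine
            session = mounted.get((ev["host"], drive))
            if session is None:
                # Non-fixed destination with no attach on record: the device was present
                # before logging started or the agent missed the event. That is a
                # monitoring gap, so surface it rather than silently drop it.
                unattributed.append({"user": ev["user"], "host": ev["host"],
                                     "dst": ev["dst"], "ts": ev["ts"]})
                continue
            session["bytes"] += int(ev["bytes"])
            session["files"].append(ev["src"])
            if is_sensitive(ev["src"]):
                session["sensitive"].append(ev["src"])

    alerts = []
    for s in sessions:
        reasons = []
        if s["sensitive"]:
            reasons.append("sensitive_source")
        if s["bytes"] > BYTES_THRESHOLD:
            reasons.append("bulk_copy")
        if reasons:
            alerts.append(dict(s, reasons=reasons))
    return {"sessions": sessions, "alerts": alerts, "unattributed": unattributed}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for a in report["alerts"]:
        print(f"ALERT {a['user']}@{a['host']} device {a['serial']}: {a['bytes']} bytes, "
              f"{len(a['sensitive'])} sensitive file(s), reasons={a['reasons']}")
    for u in report["unattributed"]:
        print(f"GAP   {u['user']}@{u['host']} wrote {u['dst']} with no attach event on record")
```

On the constructed sample the agency worker’s session is flagged on both counts (two files from the finance share, roughly 74 MB in total), the marketing user’s copy of a presentation to a memory stick is recorded but not flagged, and the HR copy to a drive with no attach event is reported as a monitoring gap rather than ignored. The design point is that the device serial, not just the drive letter, is what the record should be keyed on: drive letters are reused, serials identify the particular stick or player.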
Instil a ‘security culture’ at work
The ‘security culture’ inherent within an organisation is vital. You can have all the technology in the world sitting on your network but if the company’s employees are not sufficiently ‘security aware’, then a breach of internal security is pretty much inevitable.
Passwords are a good example of this. If an organisation doesn’t care about security and the issues surrounding it, you’ll often find that employee passwords are predictable – “Ihatethisbl**dyjob” occurs surprisingly often! – and therefore easily guessed or cracked. Within those organisations that take their internal security responsibilities seriously, by contrast, authentication is required at several levels of the network and passwords tend to be complex in their composition, and are thus far harder to crack.
Every organisation with a substantial number of PCs on the premises needs to formulate a stringent internal security policy. This must be led by a senior executive, preferably one who reports directly to the Board or at least to management at the uppermost level. That policy ought to be readily available for consultation by employees, while training should be given to explain its purpose (and to spell out the responsibilities of all employees).
This initial instruction must then be followed up by additional training and information as required (such as an e-mail security newsletter or regular e-mail ‘flashes’ to PC users).
Consideration should be given to the organisation’s policy towards iPods and other data-capturing devices on the premises. For example, bringing them under the company’s disciplinary procedures might act as a suitable disincentive to their casual carrying around by employees, whether temporary or permanent.
Essential steps to take
All PC-equipped organisations need to recognise the clear and present danger posed to internal security by their own employees (or people otherwise engaged on their premises). Security managers and/or IT directors must look to:
- formulate a comprehensive internal security strategy;
- implement such a policy by way of a dedicated senior manager;
- implement software and network solutions determined following a risk assessment of the vulnerability of the business;
- introduce a robust security culture that encompasses all staff – technical and non-technical, permanent and temporary;
- prohibit (or otherwise limit) the use of all data-capturing devices;
- initiate regular training and awareness courses that promote Best Practice throughout the organisation.
Once all of these measures are in place, the Podslurper will be consigned to ‘Geek speak’ history. More importantly, the security manager and members of staff can then go about their work safe in the knowledge that they operate within a secure environment. You will no longer have to worry about the chap from the agency, iPod plugged into his PC...
SecureTrading supports campaign targeting online fraudsters
SecureTrading – the payment services provider – is sponsoring the new ‘Get Safe Online’ campaign, which is designed to raise public awareness about the problem of online fraud and deception, writes Brian Sims. The campaign itself is a collaborative project involving the Government, the National Hi-Tech Crime Unit and private sector sponsors (including MessageLabs, Microsoft, HSBC Bank and eBay), at the heart of which is a web site (www.getsafeonline.org) acting as a one-stop shop for reliable, up-to-date information concerning online safety for business and personal users of the Internet.
The online economy in the UK is worth a staggering £10 billion per annum, while 14 million UK consumers take advantage of online banking facilities. The advice offered by the campaign includes protecting PCs by way of a ‘SAFE’ check: run an anti-Spyware program, ensure Anti-virus protection is in place, employ a Firewall (and make sure that it’s working) and Ensure that operating systems are regularly updated.
Chillingly, the latest ICM survey of 1,000 people conducted by the Get Safe Online campaign organisers across the UK in August last year suggests that 83% of the UK’s population doesn’t know enough about online protection. 49% believe it should be the responsibility of Big Business to protect them from Internet fraud, while one in every five people questioned suggested that Internet crime was of greater concern to them than car theft or mugging.
Furthermore, most of the Internet users interviewed do not update their anti-virus software enough – leaving themselves particularly vulnerable to online attack. Only a third of respondents (32%) update such software at regular three-monthly intervals.
Seemingly, 22% of us still open suspicious files from unknown sources and can unwittingly spread viruses to others. In the short term, educating end users about this threat is one of the key goals of the Get Safe Online campaign.
Source
SMT
Postscript
John Redeyoff is the information security director at the NCC Group (www.nccgroup.com)