IPods and MP3 players threaten network security

Most companies are failing to address the serious security risks created by the proliferation of USB flash drives, MP3 players and similar portable storage devices, industry experts have warned.

Ruggero Contu, client research consultant at analyst Gartner, warned that the use of unauthorised portable storage devices poses several dangers, not least for the malicious code that they can introduce to corporate networks.

High data capacity and transfer rates mean that USB or FireWire devices have the capacity to download valuable corporate information which can be leaked to the outside world, according to the analyst.

"This underlying vulnerability has existed since the release of Windows 2000, the first widely deployed operating system able to mount a USB storage device automatically," said Contu.

Gartner warned that the danger comes from back doors being opened by portable devices including any kind of pocket-sized FireWire hard drive, like those from LaCie or Toshiba, or USB hard drive or keychain drives.

They also include disk-based MP3 players, such as Apple's iPod, and digital cameras with smart media cards and other memory media.

"Companies are at risk of losing intellectual property and other critical corporate data. Portable storage devices are ideal for anyone intending to steal sensitive and valuable data," said Contu.

"Employees may also be responsible for losing data if they inadvertently mislay these devices."

Gartner advised companies to forbid the use of uncontrolled, privately owned devices with corporate PCs. The prohibition should also extend to external contractors with direct access to corporate networks.

Companies should adopt a controlled approach with security measures that incorporate overall organisational security policy and specific technology tools.

"Managers should advise on the main procedures to be followed for the eventual use of such devices, for instance to confirm the need for password and security protection [encryption] of stored corporate data. This will also help mitigate risks from loss or theft," said Contu.

Gartner advised that general security best practice should include the implementation of a desktop lockdown policy.

Managers should also consider disabling universal plug and play after pre-installing any desired drivers to permit the use of authorised devices only.