Bugwatch: Sticky security problems

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Jackie Groves, managing director of Utimaco Safeware, warns of the potential harm the latest must-have memory devices can cause to corporate data and networks.

We're all using simpler and faster methods of transferring large amounts of data from one device to another these days, especially with the increase in mobility. Memory sticks appear to provide the ideal solution.

This year the majority of executive Christmas lists are expected to include these 'must have' mobile memory accessories, which offer up to 2GB in a unit the size of a cigarette lighter.

But are they really wondrous gifts or could they potentially open up a can of worms for IT security professionals?

Memory sticks have a large capacity for storing different types of information on one medium. These replacements for the floppy disk of old are simple to use and can be carried in a pocket or on a keyring.

The user simply plugs the device directly into the USB port of their computer, laptop or PDA. They are then free to upload or download data to and from the stick; an innocent enough action.

But this exposes the soft underbelly of most corporate networks, making them vulnerable to infection from viruses, potentially illegal material or even unlicensed software.

One threat that companies might not like to admit to is the intentional theft of data by employees. As the destination or end use of the information transferred to these sticks can remain invisible, thefts go undetected and companies have no evidence that the misuse was intentional.

There are few digital footprints, as would be the case were the information sent via more traditional methods.

And with the sticks being so small and portable they can easily be lost or even stolen, creating another potential security risk.

Companies must evaluate the serious threat posed by these devices and take the necessary action to protect themselves against potential harm.

For any security policy to work it needs to be implemented across the board. If you decide to ban memory sticks, this ban must apply to everyone. But telling people that they shouldn't use them is not as effective as making sure that they can't.

If you do decide to allow the use of memory sticks, it doesn't necessarily mean that you close your eyes and hope for the best. There are various products available that allow protection for the network and the information it contains.

The best option is one that allows flexibility. It must give companies control over who can use memory sticks.

Additional protection should force encryption of data saved to the device. This can be taken further with intelligent software that dictates whether the data is decrypted internally or whether it can be passed on, in encrypted form, to external people such as customers.

Whatever option companies decide to adopt, waiting to see what happens and hoping everything will be all right isn't one of them.

There's no point ensuring the front door and windows are firmly closed only to leave the back door wide open.