|
The rise of portable storage devices
In the last ten years data storage technology has broken all the barriers that used to bind it to large devices that stored limited amounts of data. These technological breakthroughs have:
- Increased data storage and data transfer speeds exponentially
- Increased device portability through a substantial reduction in physical device size - Increased device availability by the development of mass-appeal low-cost products - Simplified the connectivity method to computer systems.
A typical example is the Apple iPod released in October 2005. This device can store up to 60 GB of data - as much as the typical corporate workstation's hard drive. In practice, this translates to millions of proprietary, financial, consumer and otherwise sensitive corporate records!
Transferring data from one computer system to another is nowadays a non-technical, highly efficient, inconspicuous task. This effectively puts corporations in harm's way, since the misuse of portable storage devices can expose corporate networks to a number of dangerous issues which might have an impact on corporations in a variety of ways.
The evolution of portable storage media
Why do corporations require protection?
Statistics demonstrate that 98% of all crimes committed against companies in the U.K. had an insider connection (Computer Crime Research Center, 2005). Data theft, legal liabilities, productivity losses and corporate network security breaches are all dangers that corporations have to face if malicious insiders or careless employees misuse portable storage devices at their workplace.
Scotland Yard
"98% of all crimes against companies in the U.K. had an insider connection."
Data theft
The actual act of stealing corporate data by insiders is quite simple in itself and today software that is easily available for download automates the whole process. Insiders only need to plug in the portable storage device on a corporate workstation and all data, including sensitive data is automatically copied, without any additional user intervention. This automated process, commonly known as 'pod slurping', is able to copy whole databases and other confidential records to a portable storage device in a matter of a few minutes.
Serious Organized Crime Agency (SOCA) - U.K.
"...one of the big threats still comes from trusted insiders. That is, people inside the company who are attacking the systems."
Data theft does not limit itself to corporate insiders. Outsiders can use social engineering techniques to manipulate unsuspecting employees into using media or portable storage devices on the corporate network workstation. Seeded with malware, these devices open backdoors in the corporate perimeter defense, allowing hackers easy access to corporate data. A well publicized example was an experiment conducted in 2006 by the Training Camp, a UK-based training institution (Sturgeon, 2006). This involved the distribution of promotional CDs to office workers. However, apart from the advertised material, these CDs contained a script that tracked and advised The Training Camp when the CD was used. Notwithstanding the fact that the CD contained an advisory note to check their company's security policy before running it, 75 out of the 100 CDs distributed were used on the corporate network. This experiment underscores the fact that employees, acting in good faith, can bypass the best perimeter security, exposing corporations to serious repercussions.
Corporations typically accumulate a wide array of data that can be stolen. This includes: - Blueprints and engineering plans - Tenders, budgets, client lists, emails and pricelists - Credit card and other financial information - Software source code and database schemas - Medical or other confidential personally identifiable records - Classified, restricted or personal information - Scripts, storyboards, print material, photographic, video or animated film - Score sheets, lyrics, sound files and other forms of phonographic material.
U.S. Secret Service & CERT Coordination Centre
"Respondents identified current or former employees and contractors as the second greatest cyber security threat, preceded only by hackers."
The data stolen can be sold to competitors or used by the insiders, their criminal associates or hackers to commit a wide range of crimes ranging from identity theft to extortion and blackmail. Employees leaving the company to work with a competitor may also use the data acquired to gain an edge over their previous employer or directly discredit the image of that company.
|
