Many organizations have recognized that their most valuable assets are stored in electronic format on their computer systems. Because of this, businesses have dedicated vast resources to purchase, install, configure and maintain a wide range of security mechanisms to protect their data. Firewalls, intrusion detection systems, anti-virus software, multi-factor authentication products and encryption solutions are just a handful of the products that are implemented to protect intellectual assets. In addition to products, premium salaries are provided to IT professionals that have security training, experience and certifications. Despite the amount of time, effort and resources that are dedicated to protecting propriety data, there is nothing that can completely stop the flow of data out of an organization.
Flash Drives and Other Portable Media
Much has been written about USB flash drives and the threat they pose to corporate data (see “Portable Data Storage Devices: Security Nightmare,” July 2005, Security Technology & Design). Despite these warnings, trade secrets are leaving organizations on these devices. The reason is simple, the devices look innocuous, they serve the same purpose as the ubiquitous floppy disks of the past, and all computers have USB ports on them. It requires no technical expertise to copy data to one of these devices. The issue is that these devices can store thousands of files on them and provide the ability to copy the files to nearly any computer currently in use today.
While it becomes easy to recognize that USB flash drives can pose a threat, many businesses overlook portable “lifestyle” devices that appear innocuous on the surface but have the ability to store large amounts of data. MP3 Music players and Digital Cameras both have the ability to store data other than just music and images — they can store any type of digital data. It is difficult to comprehend that a device that can store the entire works of the Grateful Dead can also store databases, spreadsheets and presentations.
Businesses that allow employees to download iTunes and connect personal iPods to their computers are also providing an opportunity for the employee to download proprietary information to those same iPods. In a recent case, we were able to identify that a former employee had copied 45,000 files to an iPod prior to her departure.
Online Data Storage
Because people want to have access to their data from anywhere in the belief that it will improve their efficiency, online data storage sites have become extremely popular. These sites provide the ability to store data on an Internet-accessible server, so a person can access data from anywhere. While not designed to be nefarious, employees can just as easily copy proprietary information to these sites as they can to a flash drive. Keep in mind that many of these sites provide several gigabytes of storage for free.
While not everyone realizes this, the space allocated by Google for GMail e-mail accounts can also be used for file storage. The Windows shell extension GMail Drive (www.viksoe.dk/code/gmail.htm) places a drive letter in Windows Explorer enabling users to drag and drop files into their GMail storage space just like they would on a local drive.
While not free, Mac users with a MobileMe account have access to a similar feature called iDisk. Some security professionals will erroneously believe that iDisk is not a threat because they use Microsoft Windows in their organizations. Unfortunately, files stored using iDisk are accessible on any operating system using a browser. But more importantly, files can be uploaded to iDisk from any operating system using a browser.
There are numerous online storage options including, ElephantDrive (www.elephantdrive.com), Box.net (www.box.net), and DropBox, (www.getdropbox.com). While the ability to store files online is frightening, many of these sites provide the ability to share files with anyone.
IMs, E-mails and Blogs