USB storage devices and products like Sony's Memory Stick could be a serious security risk, experts said this week.
Administrators have no control over the information that is transferred between one of these high-capacity devices and a corporate network, unlike email and other network traffic. This creates a serious risk because the devices could be used to copy sensitive corporate data from an intranet or release dangerous or malicious files inside a company's firewall.
Louis Oley, managing director of SecureWave, a company specialising in intrusion prevention software, told ZDNet UK on Thursday that Microsoft fails to provide tools within Windows 2000 and XP to effectively manage and control this type of product. He gave the example of an estate agent in Crewe who bought a "new" Sony Memory Stick, but when he plugged it into his PC, he discovered the device contained confidential medical records of cancer patients at a local hospital.
USB drives and Memory Sticks have been growing in popularity during the past few years and are commonly used in products such as digital cameras and PDAs. They can store anything from around 32MB to over 1GB, and are recognised as a removable hard drive by PCs.
Graham Titterington, a principal analyst at Ovum, warns that smaller companies are more at risk from these products than large enterprises. "It opens up the possibility, especially in a small or medium-sized business, for somebody to steal the entire customer database, which they probably couldn't get on to a floppy," he said.
SecureWave will next week launch an updated version of its SecureEXE software, which is designed to restrict users from copying prohibited files to and from removable storage devices.
Titterington, though, believes enterprises could solve the problem by beefing up their permissions policy: "You can stop users gaining access to a file from the access control system, which has nothing to do with the USB port. Management is not effective when you get to the level where you say to a user, 'you can read and print this file but you can't copy it to your USB port'."
Sony's Memory Stick holds the No. 2 market share position, behind Panasonic's Secure Digital range. Last year, Gartner estimated the worldwide market was worth around $2bn (£1.26bn), but it is expected to grow to almost $5bn by 2007.
Talkback
Actually you can vey effectivly control this type of access if you need to. If the device is built it go to the managment console and disable the device in disk managment. Also set the policy so the user cannot install new hardware, this will prevent them from installing a drive that they brought in them selves. By the way, what about CD-rom burners? Many PC's have them installed why not complaine about these, they can take about 650 MB of data after being formated and are vey easy to transport. Don't get me wrong I am not a windows fan but this type of article just spreads disinformation about a very usful tool. A tool that can be effectivly controlled if the networks administrator has the will to learn how to run the OS they have been entrusted with.
What a load of rubbish! While the ability to copy larger files may represent a security issue, in reallity it is not really any more serious than anyone printing off or emailing sensitive data -both of which are easily achieved. Probably more easily achieved than installing a flash memory device on a corporate network. If someone inside wants to steal the data then they will! As for your comments from Securewave, please lets have some serious journalism rather than obvious plugs for a company making a drama out of a crisis.