This article can also be found in the Premium Editorial Download "Information Security magazine: Exposed: Why your AV software is failing to protect you."
Every Computer 101 class starts with a description of the flow of inputs, processing and outputs. Simple, right?
Not when applied to computing environments, such as corporate networks populated with thousands of "smart" devices. In this environment, the inputs are every point of entry into the network (gateways, hosts, remote users, etc.); the processing is every connected system and application; and the outputs are, well, everywhere.
Outputs, or the "Big O's" as I call them, are where lots of unchecked security leaks occur. Compliance with regulations and policies is a hot topic these days, and outputs play a significant role in evaluating an organization's ability to exercise a reasonable level of data control. Enterprises are paying more attention to inappropriate outbound network activity and are using traffic monitors to identify Kazaa and other P2P apps. Some organizations are going a step further by deploying data protection systems for specific applications--for example, using solutions that identify and restrict outbound e-mail containing unauthorized data.
But there's more to output than network and e-mail traffic. What about the other Big O's--CD/DVD drives, PCMCIA, USB and Firewire devices, even printers? Though some of these ports have been around forever, there's renewed interest in securing them because of their ubiquity and enhanced plug-and-play capabilities: a device attached today mounts and works without any driver installation, let alone an administrator's approval. Intellectual property is being stolen with near impunity; large files containing sensitive or proprietary data are being dumped onto flash memory cards or CD-ROMs.
The techniques used to restrict or prevent access to these output devices are the same as we've always used: authentication and user access control, encryption and system access control. On the "detect" side, it's monitoring, monitoring and, well, more monitoring, which is often a more palatable approach since it allows unimpeded data transfers by legitimate users.
But beyond these steps, what can you do? One way to protect against stolen data is to simply change the system configuration: disabling ports in the BIOS, or deleting or moving the device drivers the operating system would load for them, provides basic access control. It is coarse (a port is either on or off for everyone) and a local administrator can reverse it, but it costs nothing. For more granular control, a handful of companies are beginning to offer robust, manageable solutions:
- Smartline's DeviceLock provides basic on/off functionality for a number of devices, including USB and Firewire ports, WiFi and Bluetooth adapters, CD-ROMs and floppy drives.
- Verdasys' Digital Guardian uses five "shims" for network, file systems (including USB or other storage devices), printing, CD-ROM and clipboard functions. Its application-centric approach uses network and clipboard controls to add extra value. It also has auditing and response capabilities.
- SecureWave's Sanctuary Device Control (see review) provides granular access control and auditing for USB, parallel and serial ports, CD-ROM, infrared, PCMCIA, Bluetooth devices and more. It also can limit the amount of data transfers.
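The "change the system configuration" approach above, done on a Windows endpoint, is an added example and not part of the original article or any of the products it names. It assumes Windows Vista or later (for the Removable Storage Access policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices) and an elevated PowerShell session to change anything; the function names and the ReadOnly/Block modes are my own. It shows the two registry-level controls an administrator has: the per-class policy values (Deny_Write, Deny_Read) for the removable-disk class, and the blunter option of setting the USBSTOR driver's Start value to 4 so the USB mass-storage class driver never loads. A read-only check comes first, and the change is previewed with -WhatIf before it is applied.

```powershell
# Added example (not from the original article): block or restrict removable
# storage on a Windows endpoint by configuration, and check the current state.
# Assumptions: Windows Vista or later for the policy keys; elevated session to
# make changes. Function names and modes below are illustrative, not a product API.

# Device class GUID for removable disks used by the Removable Storage Access policy.
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDiskClass"
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStorageState {
    # Report both controls so the baseline is visible before and after a change.
    $usbStart  = (Get-ItemProperty -Path $UsbStorKey -Name Start      -ErrorAction SilentlyContinue).Start
    $denyWrite = (Get-ItemProperty -Path $PolicyKey  -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    $denyRead  = (Get-ItemProperty -Path $PolicyKey  -Name Deny_Read  -ErrorAction SilentlyContinue).Deny_Read
    [pscustomobject]@{
        # Start: 3 = load on demand (default, USB mass storage works); 4 = disabled
        UsbStorDriverStart = $usbStart
        UsbStorDisabled    = ($usbStart -eq 4)
        PolicyDenyWrite    = ($denyWrite -eq 1)
        PolicyDenyRead     = ($denyRead -eq 1)
    }
}

function Set-RemovableStorageLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # ReadOnly: users can read removable disks but not write to them.
        # Block:    deny read and write, and stop the USB storage driver from loading.
        [ValidateSet('ReadOnly', 'Block')] [string] $Mode = 'ReadOnly'
    )
    if (-not (Test-Path $PolicyKey)) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Create policy key')) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Deny_Write = 1')) {
        Set-ItemProperty -Path $PolicyKey -Name Deny_Write -Value 1 -Type DWord
    }
    if ($Mode -eq 'Block') {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Deny_Read = 1')) {
            Set-ItemProperty -Path $PolicyKey -Name Deny_Read -Value 1 -Type DWord
        }
        # Belt and braces: with Start = 4 the USB mass-storage class driver is not
        # loaded at all, so even a policy bypass leaves the device without a driver.
        if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Start = 4 (disabled)')) {
            Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
        }
    }
}

# Audit first, preview the change, then (uncomment) apply and re-check.
Get-RemovableStorageState
Set-RemovableStorageLockdown -Mode Block -WhatIf
# Set-RemovableStorageLockdown -Mode Block
# Get-RemovableStorageState
```

Two caveats a practitioner should keep in mind. First, this is exactly the "basic access control" the article describes: it is per-machine and all-or-nothing for that machine, anyone with local administrator rights can undo it, and it produces no audit trail, which is the gap the products listed above fill. On a fleet, set the same values through a Group Policy Object rather than a script so they are reapplied at each policy refresh. Second, the change affects devices attached after it takes effect; a disk that is already mounted stays mounted until it is removed or the machine is rebooted, so verify the result by plugging in a test device rather than by reading the registry alone.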
PCs, laptops and output devices remain fertile ground for security breaches. While everyone focuses on network-based risks, it's more than worthwhile to take a step back and evaluate other I/O security risks and the means to mitigate them.
PETE LINDSTROM, CISSP, is research director at Spire Security.
This was first published in June 2004