Tips for securing iPods in the enterprise


Joel Dubin
12.28.2005


Any external storage device connected to a desktop can be a security risk. This includes USB keys, flash drives, zip drives – you name it. If it can be attached to a USB port, it can hold and move data. iPods fit neatly into this category and in most cases should be prohibited in the enterprise.

iPods can hold up to 30 GB of photos, music, MP3s, videos and movies, as well as any other ordinary data or file type. While they can take -- or steal -- data from the network, they can also introduce spyware and malware into the network. Generally speaking, iPods have no business purpose and shouldn't be allowed to be connected to your employees' desktops.

But there are some exceptions. An innovative business use for iPods was recently developed at a hospital in Geneva. A professor developed software that allows doctors to store and view medical images on their iPods. Using Apple iChat, several doctors in far-flung departments working on the same case can look at the images remotely from their iPods and compare notes simultaneously. The system has saved the hospital the cost of more expensive equipment for medical imaging and storage.

So, despite the security risks, a company may want to consider using podcasts for disseminating information to its employees. A project manager may want to use iPods to distribute diagrams too large to send as e-mail attachments to team members.
How do you balance the potential security risk with the potential convenience of iPods and podcasts? Here are some suggestions.

  • Restrict the use of iPods to specific projects. Their use should be approved in writing by the information security department for each employee requiring them. Exemptions should only be made on a per-project basis and not entitle the employee to unlimited use of their iPod or to connect to the network after the project is complete.

  • iPods must be scanned by antivirus and antispyware software before connecting to the network. This should be written into your information security policy.

  • Dedicated file servers should host podcasts or other data to be shared by iPods. Access should be logged and monitored for unauthorized or malicious use. Only employees working on the project with a specific need should be granted access. iPods should also be hardened with unneeded services turned off.

  • Only software pre-approved and reviewed by information security should be allowed for use on iPods. As they become more sophisticated, more software becomes available for them. Apple iTunes is an example of another repository for iPod enthusiasts. iTunes must be downloaded to the desktop that will be connecting to the iPod. Most sane information security policies prohibit employees from downloading software willy-nilly directly off the Web. For this reason alone, iTunes wouldn't be allowed on most corporate desktops. Apple this year also released a patch for a flaw in iTunes that allowed a hacker to remotely gain control of a user's desktop. By itself, iTunes is a harmless music store, but is it necessary in the office?

  • USB ports should be shut off for those users who do not need to connect to the network. This can be done at the BIOS level, or on Windows machines through the Device Manager, the Group Policy editor or through registry key settings locked down on the enterprise build of the desktop distributed to your employees.
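
As an added example (not from the original tip), the PowerShell script below audits the registry-based lock-down mentioned in the last item and, with `-Enforce`, applies it by disabling the Windows USB mass-storage driver. The `USBSTOR` service key and the `Deny_All` removable-storage policy value are standard Windows settings (the policy value exists only on Windows versions newer than this tip); the exemption host name is a hypothetical placeholder for a machine approved for a specific project.

```powershell
# Added example: audit, and optionally enforce, the USB mass-storage lock-down.
# Run with -Enforce from an elevated session; audit-only mode needs no admin rights.
param(
    [switch]$Enforce,
    # Hypothetical exemption list: hosts approved in writing for a specific project.
    [string[]]$ExemptHosts = @('IMAGING-WS-01')
)

$usbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$start   = Get-RegistryDword -Path $usbStorKey -Name 'Start'
$denyAll = Get-RegistryDword -Path $policyKey  -Name 'Deny_All'
$exempt  = $ExemptHosts -contains $env:COMPUTERNAME

# Start = 4 means the storage driver is disabled (3 = load on demand).
# Deny_All = 1 is what the "All Removable Storage classes: Deny all access"
# Group Policy setting writes.
$locked = ($start -eq 4) -or ($denyAll -eq 1)

# Emit one record per machine so results can be collected centrally.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    UsbStorStart  = $start
    DenyAllPolicy = $denyAll
    Exempt        = $exempt
    Locked        = $locked
}

if ($Enforce -and -not $exempt -and -not $locked) {
    if (Test-Path $usbStorKey) {
        # Disables USB storage only; USB keyboards and mice use other drivers.
        Set-ItemProperty -Path $usbStorKey -Name 'Start' -Value 4 -Type DWord
        Write-Warning "USBSTOR disabled on $env:COMPUTERNAME."
    } else {
        # No storage device has been attached yet, so the service key is absent.
        Write-Warning "USBSTOR key not found; enforce the Group Policy setting instead."
    }
}
```

A registry-only change can be reverted by a local administrator, so pair it with Group Policy or the enterprise build, as the tip recommends.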

    About the author
    Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He specializes in Web and application security and is the author of The Little Black Book of Computer Security, available on Amazon.


    All Rights Reserved, Copyright 2003 - 2008, TechTarget