Tips for securing iPods in the enterprise

Any external storage device connected to a desktop can be a security risk. This includes USB keys, flash drives, zip drives – you name it. If it can be attached to a USB port, it can hold and move data. iPods fit neatly into

    Requires Free Membership to View

    Login

this category and in most cases should be prohibited in the enterprise.

iPods can hold up to 30 GB of photos, music, MP3s, videos and movies, as well as any other ordinary data or file type. While they can take -- or steal -- date from the network, they can also introduce spyware and malware into the network. Generally speaking, iPods have no business purpose and shouldn't be allowed to be connected to your employees' desktops.

But, there are some exceptions. An innovative business use for iPods was recently developed at a hospital in Geneva. A professor developed software that allows doctors to store and view medical images on their iPods. Using Apple iChat, several doctors in far flung departments on the same case can look at the images remotely from their iPods and compare notes simultaneously. The system has saved the hospital the cost of more expensive equipment for medical imaging and storage.

So, despite the security risks, a company may want to consider using podcasts for disseminating information to its employees. A project manager may want to use iPods to distribute diagrams too large to send as e-mail attachments to team members.

More information

Learn best practices for securing handhelds from mobile malware

Visit our resource center for more tips and expert advice for

How do you balance the potential security risk with the potential convenience of iPods and podcasts? Here are some suggestions.

  • Restrict the use of iPods to specific projects. Their use should be approved in writing by the information security department for each employee requiring them. Exemptions should only be made on a per-project basis and not entitle the employee to unlimited use of their iPod or to connect to the network after the project is complete.

  • iPods must be scanned by antivirus and antispyware software before connecting to the network. This should be written into your information security policy.

  • Dedicated file servers should host podcasts or other data to be shared by iPods. Access should be logged and monitored for unauthorized or malicious use. Only employees working on the project with a specific need should be granted access. iPods should also be hardened with unneeded services turned off.

  • Only software pre-approved and reviewed by information security should be allowed for use on iPods. As they become more sophisticated, more software becomes available for them. Apple iTunes is an example of another repository for iPod enthusiasts. iTunes must be downloaded to the desktop that will be connecting to the iPod. Most sane information security policies prohibit employees from downloading software willy-nilly directly off the Web. For this reason alone, iTunes wouldn't be allowed on most corporate desktops. Apple this year also released a patch for a flaw in iTunes that allowed a hacker to remotely gain control of a user's desktop. By itself, iTunes is a harmless music store, but is it necessary in the office?

  • USB ports should be shut off for those users who do not need to connect to the network. This can be done at the BIOS level, or on Windows machines through the Device Manager, the Group Policy editor or through registry key settings locked down on the enterprise build of the desktop distributed to your employees.

    About the author
    Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He specializes in Web and application security and is the author of     The Little Black Book of Computer Security available on Amazon.


    This was first published in December 2005

    • Join the conversationComment

    Share
    Comments

      Results

      Contribute to the conversation

      All fields are required. Comments will appear at the bottom of the article.

      Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

      Back to top