Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


No Wires & No Policies

Despite the convenience of wireless and portable devices, most security policies still don't embrace them, according to a new Dark Reading survey

When all of your users and devices are attached to the network, you can do some pretty amazing things with security policy. But when users pick up those devices and walk out the door, all bets are off.

That's the frustrated attitude expressed by many security pros who answered Dark Reading's portable and mobile security survey. Despite the development of stringent policies and technologies for protecting the wired environment, they say, there still is no good way to ensure that users will follow those policies once they take their high-powered devices out into the world.

"If you tell users that they can use [portable] devices for certain uses but not for others, then you have two problems," says Greg Lyons, a security research analyst for a large consumer-packaged foods company. "One is making users truly understand what 'acceptable use' is. The other is trying to enforce or audit such a policy, which is practically impossible."

In our survey of 229 security professionals, many respondents expressed similar frustrations. In fact, nearly half of those surveyed said their organizations have no clearly-stated policy for the use of portable storage devices; more than a third said they don't have a clear policy for mobile and wireless device use.

"We don't have a policy because upper management says they can't justify the expense of creating one," says Daniel Cotelo, an MIS technician for Central Coast Community Health Care in Monterey, Calif. "They say we haven't had an incident yet."

Other respondents expressed similar woes. "Our organization doesn't understand the threat because management doesn't," says Phil Long, field support engineer at Goss International Americas Inc., an Illinois-based manufacturer of printing equipment. "I'll bet most companies without such policies are in the same situation."

Some companies say they have put policies in place, but they have no sure way to enforce them. Some 22 percent of respondents in the survey said they have developed unenforceable policies for the use of portable storage devices; about 14 percent of respondents said they have unenforceable policies for the use of mobile and wireless devices.

The problem, in a nutshell, is that IT has no way to prevent employees from misusing portable devices when they are out of the building and off the network. WiFi-equipped laptops can ride any network that's handy, leaving them vulnerable to eavesdroppers or the introduction of malware. Portable storage devices, such as USB drives or smartphones, can be infected with viruses or stolen outright.

Without an IT-driven means of controlling access, portable device security depends largely on the end user, administrators say. And end users generally are not security-savvy.

"These devices are very convenient, and there is not a great motivation to make a convenient tool more complicated for the purpose of making it more secure," notes Tom Hofstetter, a security analyst at Southwest Power Pool, an electric utility in Little Rock, Ark. If users have to type a password into a Treo or other handheld device every time they check their messages, then that convenience is lost, he says.

But while IT administrators agree that portable device security policies are difficult to enforce, they also agree that the absence of enforceable policies leaves their organizations at risk. More than 40 percent of security administrators said they aren't sure whether they've shut down all of the vulnerabilities in their mobile and wireless network environments, despite having policies in place. About 20 percent said the same thing about portable storage media.

With all the publicity surrounding the problems at the Department of Veterans Affairs and other large organizations, it's not surprising that the theft of laptops and portable storage devices is at the top of most IT managers' lists of fears. (See VA Data Loss Worse Than Expected.) Sixty-two percent of respondents ranked the loss or theft of a laptop as one of their top two concerns in mobile and portable device security. Thirty-seven percent put the loss or theft of a portable storage device among their top two concerns.

"Beyond the loss of data, a laptop generally contains phone and contact lists, APIs for access to corporate applications, templates for reports, and user interfaces," notes David Kubista, president of Helimeds, a Tucson, Ariz.-based manufacturer of air ambulances. "For a spy, thief, or individual wishing to do harm, all of this information reveals how your enterprise operates. From this knowledge, it is easy to convincingly duplicate your systems or shadow your activities."

Other security professionals agreed. "Loss of a laptop is more dangerous to our organization than other mobile threats because our users tend to put sensitive data on laptops for convenience," says Lyons. "Users like to fiddle with data in Excel or Access, and they often don't stop to think about the difference between a physically secured desktop PC versus a laptop."

More than 80 percent of respondents said they suspect their employees of using WiFi-enabled laptops outside company walls, whether their policies allow that usage or not.

Although most security administrators concede that their policies surrounding portable device security are difficult to enforce at best, most of them also feel that the potential dangers associated with these devices are even greater than the dangers associated with traditional wired systems. Fifty-three percent said that the threat of security violations coming from the portable device side is "more serious" than the threats to the wired environment.

Portable device security, even more than wired device security, depends largely on the user, administrators observe. "The most difficult and frustrating part is creating a sense in users that there really is a problem, for which they are part of the solution," says Hoffstetter. "And that the problem is not going to go away if it's ignored."

Next week: Security managers sound off on the effectiveness of currently-available technologies for securing mobile and portable devices.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.
PUBLISHED: 2020-02-17
ELTEX NTP-RG-1402G 1v10 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.
PUBLISHED: 2020-02-17
ELTEX NTP-RG-1402G 1v10 devices allow OS command injection via the TRACE field of the resource ping.cmd. The NTP-2 device is also affected.
PUBLISHED: 2020-02-17
Symmetricom SyncServer S100, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow stored XSS via the newUserName parameter on the "User Creation, Deletion and Password Maintenance" screen (when creating a new user).