No Wires & No Policies

Despite the convenience of wireless and portable devices, most security policies still don't embrace them, according to a new Dark Reading survey

When all of your users and devices are attached to the network, you can do some pretty amazing things with security policy. But when users pick up those devices and walk out the door, all bets are off.

That's the frustrated attitude expressed by many security pros who answered Dark Reading's portable and mobile security survey. Despite the development of stringent policies and technologies for protecting the wired environment, they say, there still is no good way to ensure that users will follow those policies once they take their high-powered devices out into the world.

"If you tell users that they can use [portable] devices for certain uses but not for others, then you have two problems," says Greg Lyons, a security research analyst for a large consumer-packaged foods company. "One is making users truly understand what 'acceptable use' is. The other is trying to enforce or audit such a policy, which is practically impossible."

In our survey of 229 security professionals, many respondents expressed similar frustrations. In fact, nearly half of those surveyed said their organizations have no clearly stated policy for the use of portable storage devices; more than a third said they don't have a clear policy for mobile and wireless device use.

"We don't have a policy because upper management says they can't justify the expense of creating one," says Daniel Cotelo, an MIS technician for Central Coast Community Health Care in Monterey, Calif. "They say we haven't had an incident yet."

Other respondents expressed similar woes. "Our organization doesn't understand the threat because management doesn't," says Phil Long, field support engineer at Goss International Americas Inc., an Illinois-based manufacturer of printing equipment. "I'll bet most companies without such policies are in the same situation."

Some companies say they have put policies in place, but they have no sure way to enforce them. Some 22 percent of respondents in the survey said they have developed unenforceable policies for the use of portable storage devices; about 14 percent of respondents said they have unenforceable policies for the use of mobile and wireless devices.

The problem, in a nutshell, is that IT has no way to prevent employees from misusing portable devices when they are out of the building and off the network. WiFi-equipped laptops can ride any network that's handy, leaving them vulnerable to eavesdroppers or the introduction of malware. Portable storage devices, such as USB drives or smartphones, can be infected with viruses or stolen outright.

Without an IT-driven means of controlling access, portable device security depends largely on the end user, administrators say. And end users generally are not security-savvy.

"These devices are very convenient, and there is not a great motivation to make a convenient tool more complicated for the purpose of making it more secure," notes Tom Hofstetter, a security analyst at Southwest Power Pool, an electric utility in Little Rock, Ark. If users have to type a password into a Treo or other handheld device every time they check their messages, then that convenience is lost, he says.

But while IT administrators agree that portable device security policies are difficult to enforce, they also agree that the absence of enforceable policies leaves their organizations at risk. More than 40 percent of security administrators said they aren't sure whether they've shut down all of the vulnerabilities in their mobile and wireless network environments, despite having policies in place. About 20 percent said the same thing about portable storage media.

With all the publicity surrounding the problems at the Department of Veterans Affairs and other large organizations, it's not surprising that the theft of laptops and portable storage devices is at the top of most IT managers' lists of fears. (See VA Data Loss Worse Than Expected.) Sixty-two percent of respondents ranked the loss or theft of a laptop as one of their top two concerns in mobile and portable device security. Thirty-seven percent put the loss or theft of a portable storage device among their top two concerns.

"Beyond the loss of data, a laptop generally contains phone and contact lists, APIs for access to corporate applications, templates for reports, and user interfaces," notes David Kubista, president of Helimeds, a Tucson, Ariz.-based manufacturer of air ambulances. "For a spy, thief, or individual wishing to do harm, all of this information reveals how your enterprise operates. From this knowledge, it is easy to convincingly duplicate your systems or shadow your activities."

Other security professionals agreed. "Loss of a laptop is more dangerous to our organization than other mobile threats because our users tend to put sensitive data on laptops for convenience," says Lyons. "Users like to fiddle with data in Excel or Access, and they often don't stop to think about the difference between a physically secured desktop PC versus a laptop."

More than 80 percent of respondents said they suspect their employees of using WiFi-enabled laptops outside company walls, whether their policies allow that usage or not.

Although most security administrators concede that their policies surrounding portable device security are difficult to enforce at best, most of them also feel that the potential dangers associated with these devices are even greater than the dangers associated with traditional wired systems. Fifty-three percent said that the threat of security violations coming from the portable device side is "more serious" than the threats to the wired environment.

Portable device security, even more than wired device security, depends largely on the user, administrators observe. "The most difficult and frustrating part is creating a sense in users that there really is a problem, for which they are part of the solution," says Hofstetter. "And that the problem is not going to go away if it's ignored."

Next week: Security managers sound off on the effectiveness of currently available technologies for securing mobile and portable devices.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
