[ISN] Employee gadgets pose security risk to companies

[InfoSec News]

http://news.zdnet.com/2100-1009_22-5954642.html

By Joris Evers
CNET News.com 
Published on ZDNet News
November 15, 2005

WASHINGTON -- The many gadgets carried around by workers today pose a
real security risk to organizations and require action, session
attendees at a security conference agreed Tuesday.

Smart phones, handheld computers, thumb drives, digital cameras, iPods
and other MP3 players can all connect to computers. That's fine when
used at home, but when connected to a work PC, the devices can pose a
serious risk, said Norm Laudermilch, chief security officer at Trust
Digital, a McLean, Va., mobile security vendor.

Connecting the gadgets to work PCs could lead to a number of unwanted
scenarios, Laudermilch said. For example, malicious code that crept
onto the device at home could enter the corporate network unseen by
the firewall or intrusion detection software, he said.

Also, a disgruntled employee could copy confidential information to
the device and walk out with it. Classified information on a mobile
device could be a business risk even when used by loyal workers, when
their gadget is lost or stolen, for example.

Laudermilch spoke at the annual Computer Security Institute conference
here. When he asked the room filled with security professionals if
they thought mobile devices were an issue, the vast majority raised
their hands.

The advent of mobile devices has changed the way security
professionals should think about securing their networks, Laudermilch
said. That's because networks change all the time, with different
types of devices being added and removed, he said.

"Things change very quickly when devices are so small and just walk
onto your network," Laudermilch said. "Your network perimeter is where
your data is. I don't care if it is somebody walking in Paris, or
somebody sitting at home. The security perimeter has drastically
changed."

He also highlighted challenges in securing the portable gear. For one,
they all run different operating systems. "We have all been training
about the right things and wrong things to do with the Windows
operating system," Laudermilch said. For smart phones alone there are
at least four common systems: Palm, Windows, BlackBerry and Symbian.

Also complicating security is that new devices come out constantly,
with different features. When it comes to phones, operators install
their own software image on the hardware, Laudermilch said.

An upcoming class of software can help organizations manage devices on
their network, or block the gadgets from connecting altogether. Many
of the applications also encrypt data on devices, for security in case
of loss or theft. Trust Digital sells such products, as do a host of
other companies.

Gartner says mobile data security is a tiny market, but such products
are needed to protect user privacy and fulfill audits, according to
the analysts. Small incumbent vendors dominate the space, Gartner said
in a July report.

"Mobile security today is a buzzword. Tomorrow, six months or a year
from now, it is going to be just security. Everything is going
mobile," Laudermilch said