Are you more secure than a malicious alien race?

June 22, 2005
Written by James West

Anyone with a decent knowledge of IT laughs at the portrayal of computer security in the movies and on TV.

If you believe what you watch, all you need to do to break into a sophisticated, secure system is simply find the “back door”, usually opened by keying the name of the lead programmer’s children into a field called “backdoor password”. Matthew Broderick almost blew up the world hacking into the military’s computers in the film War Games using this very approach. It is not just humans who are woeful at providing adequate IT protection – in the film Independence Day, who would have guessed that an alien race advanced enough to travel across the universe could be thwarted by a computer virus fired at it by a G3 PowerBook?

Fortunately, the insistence by the mass media that every PC is infected with a virus that will blow up if the hard drive spins at less that 55rpm is also an absurd exaggeration. Most companies have strong IT security and anyone trying to enter through a door, whether it be located at the front, the back or the side is likely to find said doors repeatedly slammed in their face. Unfortunately, the back door so often used as a fictional plot device does exist, but it is now potentially being opened from the inside. The use of removable storage media is rife now as a report of 300 IT professionals by IT security company Pointsec attests to. 84 per cent of those quizzed are aware of the use of removable media in their organisation and almost a third of employees use them in the office. In many cases, portable storage is being used without authorisation, according to a third of those polled.

Although it may seem obvious to highlight portable storage as a serious security issue, many IT professionals are overlooking it. Another survey, this time by asset management company LANDesk, revealed that 64 per cent of IT managers think that laptops pose a greater threat to security than portable storage devices.

The fact that laptops are physically impossible to sneak in and out of an organisation, and relatively easy to police as part of an overall asset network, has been missed by many according to this report.Let’s not get hysterical here. Most of the people using these portable storage devices are perfectly trustworthy, most of them are probably holding personal information: MP3s, holiday photos and the like. Don’t forget that this is not an entirely new phenomenon – the ability to remove data from a business has been possible for some time, with floppy discs and more recently zip discs and CDs readily available. The reason that the issue is pertinent now is that the amount of data that could be removed is so much greater, and the tiny nature of the devices make them virtually undetectable.

In short, in terms of pure capacity, it would be very easy for someone to rip off the sales database and walk out of the building never to return. To put this into perspective, Pointsec says someone armed with a USB drive which doubles as a pen would be able to swipe 160,000 documents.

Policing this kind of activity is difficult, but it is certainly crucial to the business. The problem is drawing the line between stopping people stealing company information (or bringing damaging software through the firewall), and stopping people working effectively. The rise in home working is complicating this issue – just as staff are looking for flexibility in their working practices, IT is having to lock everything down.

How to achieve the right balance will be revealed in part by experimentation, common sense and adapting current security policies. Vendors such as Pointsec say that encryption is the solution, as data can only be used on suitable machines. Doubtless there will be other solutions offered, but in the short term it would be wise for any IT or support manager to investigate this problem and start to look at the available options, before the whole security issue becomes an embarrassment worthy of a Hollywood script writer.