Monday, June 30, 2008

Flash as a threat

In the United States, a special study on the risks posed by unprotected USB drives has been carried out on behalf of SanDisk. Its results are daunting: it turns out that most companies underestimate by at least half the risks of employees using unprotected flash drives. At the same time, about 77% of employees of international corporations now use personal USB drives to store corporate data. Characteristically, these figures are quite applicable to the post-Soviet space as well.

Compactness, ease of use and mobility are the main advantages of USB drives. But they also pose a very high risk of data loss. The results of anonymous surveys conducted on behalf of SanDisk show that users most often copy to flash drives confidential personal data about customers (25%), financial information (17%), business plans (15%), information on company staff (13%), marketing plans (13%), intellectual property (6%), and software source code (6%). Meanwhile, the heads of IT departments and internal security services in most cases do not even know the real extent to which unprotected flash drives are used in their organizations. The statistic that 77% of staff use personal flash drives to store and transfer work data came as a real shock to most information security specialists. Before this, even the boldest of the IT specialists surveyed estimated the proportion of employees using personal flash drives for work purposes at no more than 35%. Jill Mayldvors, Senior Director of Marketing in SanDisk's corporate solutions unit, commented on the figures as follows: "Most IT directors understand that information leaks can lead to identity theft, theft of intellectual property or disclosure of trade secrets, as well as to significant damage both in terms of image and from a financial point of view. The results of our survey indicate that, despite some awareness of the possible risks associated with the use of unprotected USB drives, heads of IT departments have not yet begun to formulate effective policies, technological solutions and awareness work among employees in order to reduce these risks.

A significant reduction of risks, as well as increased mobility and productivity of employees, is possible only if an administrative decision is made (at the leadership level) to deploy intelligent device management systems, monitoring systems and appropriate corporate-wide security policies". But with these corporate-wide security policies, things are simply dire. The same poll found that about 23% of users either were not familiar with corporate policies on flash drives, or only knew that such policies existed but had no idea of their substance. In turn, 44% of respondents stated that their company does not prohibit copying corporate data to personal USB flash drives. Another 16% of those surveyed responded that they know nothing about any such ban. And only 17% of corporate users know for certain that their company prohibits copying corporate data to personal flash drives. IT specialists, according to the poll, see things differently from ordinary users. Approximately 21% of IT specialists are confident that their company's employees are only slightly familiar with corporate policies, 33% of the IT staff surveyed felt that staff are directly familiar with the security policy, 28% believed that employees are familiar with corporate rules, and only 19% believe that staff are fully aware of the information security rules and policies adopted in the company.

If you compare the situation in the U.S. with the situation in Russia and other post-Soviet countries, it turns out that, with roughly the same level of user competence, "post-Soviet" information security specialists and IT department staff are very well aware of the dangers of uncontrolled use of removable media and external devices. While studying the problem of insiders, analysts at the company Perimetrix conducted a study, "Insider Threats in Russia 2008", during which more than 450 large organizations were interviewed. The result: staff information security specialists and heads of IT services acknowledged that mobile drives have recently become the most dangerous channel for leaks of confidential data. Flash drives received 74% of the votes, well ahead of electronic mail (58%), the web (26%) and printers (18%). Alexei Share, Director of Business Development at Perimetrix, commented on the results of the study as follows: "Senior executives of large and medium-sized organizations who have nothing to do with IT or information security are also well aware that their staff should not store confidential information on flash drives, because this may lead to accidental or malicious leaks. Thus, Russian business and government organizations are well aware of the danger of flash drives and never underestimate this leak channel". But the well-known Russian company InfoWatch holds a different opinion. Chief InfoWatch analyst Nikolai Fedotov told journalists: "The problem of leakage of corporate information through flash drives is underestimated. But exactly to the same extent to which the risk of leaks via any other mobile media is underestimated. Our monitoring shows that a very large share of information leaks (39% of the cases published in 2007) relates to the loss and theft of laptops. A flash drive is even easier to lose. And it can also be stolen. Nevertheless, such drives are widely used for confidential data. All of this relates to non-malicious leaks (in 2007 these were approximately 71%). As for intentional theft of data, the role of flash drives is appreciated on its merits, both by information security services and by hackers".

The problem is clear. Naturally, the question arises: how do you deal with leaks of confidential data through flash drives? Practice shows that bans and awareness work with staff alone cannot solve the problem of information leaks. Direct prohibitions in the form of closing USB ports simply impede normal work: after all, the flash drive is too handy a tool for exchanging business data, and in most organizations it has long since replaced "old-regime" diskettes. Awareness work also does little good: the human factor, in the form of the eternal hope that luck will hold, is invincible. Chief InfoWatch analyst Nikolai Fedotov puts it this way: "The frequent leaks associated with the loss of laptops have not led the West to ban their use. Company management is beginning to impose mandatory data encryption. And notebook manufacturers have begun to build strong cryptography directly into the hard disk controller. Manufacturers of flash drives must inevitably go the same way. Unfortunately, the Russian trend that we are seeing pulls us in quite another direction. Instead of data protection, stupid bans are imposed. Including a ban on the use of flash drives. Whereas basic encryption is better". Many experts, however, note that there are other ways to make the use of flash drives more secure. For example, all data written to devices through USB ports or, say, to CD/DVD discs can be monitored and even analyzed in real time. The collected information is then placed in a repository, where it is kept for a certain period of time and becomes available for fast full-text search.

A classic example of a tool for this purpose is the program SearchInform DeviceSniffer, one of the components of the information security perimeter from the company "SoftInform". With this program it is easy, among other things, to determine which employees too often use working time to write to removable media data that has nothing to do with their assigned duties. And, of course, with such a monitoring program in place, any insider will think twice before dipping into the company's secrets. However, techniques for protecting sensitive computer data from insiders are a separate topic, to which we will return.
