No matter the device, the first step is to have a written security policy prohibiting employees from installing and using nonstandard equipment. Nonstandard means anything not purchased, approved, scanned, built or reviewed by your IT department. This includes devices such as the latest WAP or mobile gizmo that an employee buys on his own.
For devices that provide direct physical access, such as USB keys and tokens, or iPods, which are overgrown USB devices, there are equally effective physical controls for blocking access. Some of these controls are already baked into Windows and can be easily turned on by any system administrator.
- Restrict USB storage to employees who have a specific business need to take data off the premises, and even then only to the data that need covers, such as the files for a single project. On Windows, access to USB storage can be restricted through Group Policy Objects (GPO), in Device Manager or in the registry; on other machines, disable the ports in the BIOS settings.
- Turn off AutoRun on Windows machines. With AutoRun on, an autorun.inf file on an inserted USB device can launch an executable the moment the device is plugged in, so malware on a found or borrowed key gets onto the desktop without anyone opening anything.
- Allow only USB devices that have been approved and scanned by your IT department before use. Where possible, issue devices that encrypt their contents, so a lost key doesn't expose what's on it.
- Turn on auditing (Audit Policy under Security Settings in the GPO) on your Windows machines, so that logons and object access are written to the Security event log. If malware arrives from a USB device, the log lets you trace the infection back to the offending desktop and, by the account that was logged on at the time, to whoever put the contaminated USB key there.
- Wipe USB devices when a project is finished, by overwriting them rather than just deleting the files; deleted files are easily recovered.
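The registry side of the lockdown above, as an added example that is not part of the original article: the two Windows values that disable the USB mass-storage driver and AutoRun, rendered as a .reg file you can push out, plus a check that reads a machine's `reg query` output and reports deviations. The key paths and values are the documented Windows settings; the sample `reg query` output is constructed to look like a workstation that hasn't been locked down.

```python
"""Added example (not from the original article): express the USB lockdown as
Windows registry values, render them as a .reg file, and check a machine's
`reg query` output against that policy.

Assumptions: USBSTOR Start=4 disables the USB mass-storage driver (3 re-enables
it on demand) and NoDriveTypeAutoRun=0xFF disables AutoRun for every drive
type. SAMPLE_REG_QUERY below is constructed, not captured from a real machine.
"""
import re

# Desired state: (registry key, value name) -> expected DWORD.
USB_LOCKDOWN_POLICY = {
    # Start=4 stops the USB mass-storage driver loading for newly plugged-in devices.
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR", "Start"): 4,
    # Bit mask of drive types with AutoRun disabled; 0xFF covers all of them.
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDriveTypeAutoRun"): 0xFF,
}


def render_reg_file(policy=USB_LOCKDOWN_POLICY):
    """Render the policy as a Registry Editor 5.00 file (apply with `reg import`)."""
    by_key = {}
    for (key, name), value in policy.items():
        by_key.setdefault(key, []).append((name, value))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        for name, value in values:
            lines.append(f'"{name}"=dword:{value:08x}')
        lines.append("")
    return "\r\n".join(lines)


# `reg query` prints the key path unindented, then each value indented as
# "    Name    REG_TYPE    data" (DWORD data is printed in hex, e.g. 0x3).
_KEY_LINE = re.compile(r"^(HKEY_[A-Z_]+\\\S.*?)\s*$")
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(\S+)\s*$")


def parse_reg_query(text):
    """Parse `reg query` output into {(key, name): int} for REG_DWORD values."""
    values = {}
    current_key = None
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_LINE.match(line)
        if m and current_key:
            name, reg_type, raw = m.groups()
            if reg_type == "REG_DWORD":
                values[(current_key, name)] = int(raw, 16)
    return values


def check_compliance(observed, policy=USB_LOCKDOWN_POLICY):
    """Return (key, name, expected, actual) for every value that deviates.
    A value absent from the machine is reported with actual=None."""
    findings = []
    for (key, name), expected in policy.items():
        actual = observed.get((key, name))
        if actual != expected:
            findings.append((key, name, expected, actual))
    return findings


# Constructed sample: what `reg query <key> /v <name>` prints on a workstation
# that still allows USB storage and has AutoRun on for most drive types.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
    Start    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""

if __name__ == "__main__":
    print(render_reg_file())
    for key, name, expected, actual in check_compliance(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"NON-COMPLIANT {key}\\{name}: expected {expected:#x}, got {actual}")
```

Two caveats a practitioner should keep in mind: USBSTOR Start=4 only stops the mass-storage driver loading for devices plugged in after the change (keyboards and mice use a different driver and keep working), and anyone with local administrator rights can flip it back, so the setting only holds up on desktops where users aren't administrators. On Windows Vista and later, the "Removable Storage Access" policies under Computer Configuration, Administrative Templates, System do the same job per user group and are the cleaner way to grant the exceptions the first bullet above calls for.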
The time is long gone when an SMB's computer network was confined to the office. Now, it's wired -- and unwired -- to the world, for good or bad.
- Employees should only be allowed to use laptops purchased, reviewed and scanned by your IT department. Personal laptops, or other laptops brought in from the outside, shouldn't be allowed on the network.
- Use full-disk encryption tools, such as SafeBoot, so that the data on a stolen or misplaced laptop can't be read off the drive.
- Laptops should be issued with a standard build that employees can't modify and that doesn't let them install software, which in practice means no local administrator rights. They should be hardened with antivirus and host firewall software.
- Use Network Access Control (NAC) software to scan laptops and remote desktops connected to your network, to make sure they meet your IT security standards and are sufficiently hardened.
Rogue wireless devices can be particularly insidious: a WAP can sit unnoticed under a desk for a long time, giving anyone in radio range a way onto your network and a way to carry data out of it. USB devices, on the other hand, are usually put in and taken out quickly.
- Generally, WAPs should be barred altogether from your network. But, as with other portable devices, if there is a business purpose, only those devices approved, reviewed and installed by your IT staff should be allowed.
- Make sure every WAP has encryption turned on, and use Wi-Fi Protected Access (WPA2 where the hardware supports it) rather than Wired Equivalent Privacy; a WEP key can be recovered from captured traffic, so WEP is no better than an open network. Better yet, treat the wireless segment as untrusted: keep it outside the internal network and require wireless clients to connect through a virtual private network (VPN), so that all traffic from the device across the wireless link moves in an encrypted tunnel.
- Scan your network regularly for unauthorized wireless devices. There are several good tools, including free ones, like NetStumbler and Kismet. Any unapproved WAP should be taken down as soon as it's found, starting with the switch port it's plugged into.
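What to do with the scan results, as an added example that is not part of the original article: compare what a survey tool saw against the inventory of access points IT installed, and sort each radio into approved, misconfigured (ours, but not set up as inventoried, such as WEP turned on), evil twin (someone else's radio advertising our SSID), rogue (an unknown radio strong enough to be in the building) or neighbour. The inventory, the scan records and the -75 dBm cut-off are all assumptions made for this example; in practice the records come from Kismet's export or from a laptop walked around the office, and the cut-off needs tuning for your building.

```python
"""Added example (not from the original article): triage a wireless survey
against the inventory of approved access points.

Assumptions: APPROVED_APS and SAMPLE_SCAN are constructed for illustration;
real input would come from a survey tool such as Kismet, whose export carries
the bssid, ssid, encryption and signal fields used here. The -75 dBm
"probably on our premises" cut-off is a rule of thumb, not a standard.
"""

# Access points IT installed, keyed by BSSID (the radio's MAC address).
APPROVED_APS = {
    "00:11:22:33:44:01": {"ssid": "acme-corp", "encryption": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "acme-corp", "encryption": "WPA2"},
}

# Modes that give no real protection. WEP is listed on purpose: its key can be
# recovered from captured traffic, so it is treated like an open network.
WEAK_ENCRYPTION = {"OPEN", "NONE", "WEP"}

ON_PREMISES_SIGNAL_DBM = -75  # assumption: stronger than this is likely inside the building


def _norm_bssid(bssid):
    return bssid.strip().lower()


def triage_survey(scan, approved=APPROVED_APS, weak=WEAK_ENCRYPTION,
                  cutoff=ON_PREMISES_SIGNAL_DBM):
    """Return one (bssid, verdict, detail) tuple per scanned access point.

    Verdicts: approved, misconfigured, evil_twin, rogue, neighbour.
    """
    approved = {_norm_bssid(b): ap for b, ap in approved.items()}
    corporate_ssids = {ap["ssid"] for ap in approved.values()}
    results = []
    for ap in scan:
        bssid = _norm_bssid(ap["bssid"])
        enc = ap["encryption"].upper()
        if bssid in approved:
            want = approved[bssid]
            if ap["ssid"] != want["ssid"] or enc != want["encryption"].upper():
                results.append((bssid, "misconfigured",
                                f"inventory says {want['ssid']}/{want['encryption']}, "
                                f"seen {ap['ssid']}/{enc}"))
            elif enc in weak:
                results.append((bssid, "misconfigured",
                                f"inventory allows {enc}, which gives no protection"))
            else:
                results.append((bssid, "approved", ap["ssid"]))
        elif ap["ssid"] in corporate_ssids:
            # Our SSID from a radio we never installed: impersonation of the corporate network.
            results.append((bssid, "evil_twin",
                            f"unknown radio advertising {ap['ssid']} with {enc}"))
        elif ap["signal"] > cutoff:
            results.append((bssid, "rogue", f"{ap['ssid']} ({enc}) at {ap['signal']} dBm"))
        else:
            results.append((bssid, "neighbour", f"{ap['ssid']} at {ap['signal']} dBm"))
    return results


def actionable(results):
    """Everything that needs someone to walk over and pull a cable."""
    return [r for r in results if r[1] in {"misconfigured", "evil_twin", "rogue"}]


# Constructed survey results in the shape a Kismet export gives you.
SAMPLE_SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "acme-corp", "encryption": "WPA2", "signal": -48},
    {"bssid": "00:11:22:33:44:02", "ssid": "acme-corp", "encryption": "WEP", "signal": -60},   # downgraded
    {"bssid": "de:ad:be:ef:00:01", "ssid": "linksys", "encryption": "OPEN", "signal": -41},    # under a desk
    {"bssid": "de:ad:be:ef:00:02", "ssid": "acme-corp", "encryption": "WPA2", "signal": -55},  # impersonating us
    {"bssid": "c0:ff:ee:00:00:01", "ssid": "CoffeeShop", "encryption": "WPA2", "signal": -88},  # across the street
]

if __name__ == "__main__":
    for bssid, verdict, detail in actionable(triage_survey(SAMPLE_SCAN)):
        print(f"{verdict:14} {bssid}  {detail}")
```

A BSSID is only a baseline, not proof: it can be spoofed, so an "approved" radio that moves rooms or changes channel still deserves a look, and the way to pin down a rogue is to find its MAC address in the switch's table and trace the port. Scan from several points in the office, because a WAP tucked under a desk at one end of the floor may be too weak to see from the server room and get filed as a neighbour.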
Confidential data walking out the door is scary for any organization. For SMBs without a dedicated information security staff, data loss can be fatal. Large organizations may take a hit in the press, lose prestige and business, or even be sued, but they have the corporate bulk to eventually survive. SMBs can lose their entire business -- and livelihood. Follow the simple steps above and you'll be much less vulnerable.
Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP in security, specializing in Web and application security, and the author of The Little Black Book of Computer Security, available from Amazon.
This was first published in July 2006