Almost 20 years ago, Apple Canada brought in selected employees and a few privileged outsiders to see a new corporate video called Knowledge Navigator.” It was an amazingly prescient vision of the future of networked computing. Closely held within the company for many years, and now, of course, widely available on the World Wide Web, Knowledge Navigator was an in-house concept video, designed to guide Apple’s collective efforts towards advanced computing and universal high-speed networks which would create exciting new kinds of instantaneous communication.
Inspired by the futuristic vision, a contractor working closely with the company approached a senior executive after the screening and asked for access to Apple Link, the company’s internal network. “No,” the executive said, blind to irony despite the radiant vision of a future world they had just watched together. “That’s just not possible. We like to keep the inside in and the outside out.”
Two decades later, where does the inside end and the outside start? “In” is now pretty far out. The Canadian government personnel with the greatest need for information security are soldiers in combat overseas. In years gone by, officers in forward zones could censor their soldiers’ mail and black out important operational information before ships and aircraft carried the physical, hand-written messages away to eager readers far away. Now, Canadian Forces security officers must issue guidelines for the blogs written by front-line soldiers in Afghanistan.
Recently, the first two items on a recent Google search for “youtube” and “Canadian” were ‘Canadian Forces dawn raid on a Taliban compound [sic] (July 13, 2006)’ and ‘Canadian Forces Ambushed in Afghanistan (July 15, 2006),’ raw and frightening videos of Canadian soldiers in action.
Apparently posted outside any official line of communication, they bore no censor’s stamp.
Security officers can lock down the Internet terminals that now spring up wherever soldiers go, but in fact there is little to prevent wily troopers from uploading a video, updating a blog or e-mailing anything they choose to anywhere in the world.
Even if security officers make Internet cafes in Kabul and Kandahar off limits, soldiers going on leave or heading home will still try to bring home their photographs and videos on any of a variety of devices and storage media: cellular telephones, PDAs, CDs, DVDs, laptops, external hard drives, microdrives, memory sticks and CompactFlash, SmartMedia or Secure Digital cards – to name just a few. (In fact, the clever trooper who wants to smuggle some video and pictures past a simple check will simply delete them, because even when nothing shows on these devices, the deleted information they carry can be restored almost as quickly as it was “erased.”)
Until recently, the main security danger posed to government networks by these portable storage devices was their ability to introduce malware deep inside the electronic fence. Now, with better IT security awareness and advanced technologies like deep Intrusion Prevention, many of those dangers are in the past.
Today’s threat is the ability those portable devices give anyone – employee, visitor or intruder – to carry away gigabytes of data on an iPod or a Secure Digital card smaller than a fingernail. Most dangerous of all is probably the now ubiquitous USB key or “geekstick.” Two-gigabyte devices now routinely hang from key chains, and devices up to 64 gigabytes are available. The USB 2.0 standard has a transfer rate of 480 megabytes a second. A lot of data can surge out of an unguarded USB port quickly.
Reports that some IT security managers are going from computer to computer putting glue in USB ports are hard to confirm, but their desire for a simple solution is easy to believe. In fact, as with most other useful new technologies, managers cannot enforce a ban and probably shouldn’t try. Too many peripherals like printers and keyboards use USB ports on the current generation of computers, and far too many employees now depend on their USB keys.
IT security managers probably have no alternative but to add one more technology to the list of things they need to support.
If USB keys are essential to employees’ or contractors’ performance, they should be issued by the organization or conform to a tight list of supported devices.
The network should accept only those devices it recognizes. Their use should be logged, including the names and types of files they send and receive.
Once attached to the network, the ownership of a device must be verified. The device should only attach to an approved laptop or home computer, appropriately configured to the same standard of security as the office computer. Data that is encrypted in one place should remain encrypted everywhere else it goes.
For really effective control, there is no alternative to educating employees about the threat and helping them comply with a sensible regime. If security doesn’t exist in employees’ minds, it may not exist at all. 064397
Richard Bray ([email protected]) is an Ottawa-based freelance journalist specializing in high technology and security issues.