Watching the USB Watch
Intellectual property theft is a major concern of many enterprise chief security officers. Competitors and countries have numerous methods of stealing intellectual property. Some are traditional, such as talking with employees to gain information. Some are emerging and based on technology advantages.
Take, for example, the universal serial bus (USB) standard being embedded in numerous appliances and devices.
The USB watch, for instance, can be a useful device for the busy professional. It allows one to carry PowerPoint presentations, documents and even recorded lectures in a small case. Since it is worn as a wristwatch, it is not as easily forgotten as a flash drive. The USB watch has varying capacities between 64MB and 1GB.
The newer ones also have a built-in microphone, which allows the wearer to record up to 12 hours of audio. This is useful for recording meetings and brainstorming sessions for creative design sessions. If used properly, this device makes document sharing and creative designing much easier and more transparent.
SECURITY RISK
Such a device can also be a security risk if misused by the wearer. It has been our experience that many people do not know such devices exist. That means an intellectual property thief could walk into a corporation, copy some documents from a computer, and leave without being detected. Many managers and scientists receive guests who may add to the design process of a product or be a potential customer. It would be so easy for a guest to spill something or ask for a coffee and then be left with an unattended computer by a helpful employee.
It becomes important for security professionals and managers to read the latest popular magazines and mail order catalogs so as to be aware of such devices. Security professionals should also discuss such devices with human resources, managers, and the general counsel of a company so that proactive policies can be instituted. The time to learn about such devices should not be after a security breach when policies were not in place and prosecuting may become difficult. Without proper policies in place, seizing such a device from a person and searching it may not be possible or, if done incorrectly, could cost the company in legal fees and settlements.
Managers and security professionals need to be proactive about learning about technology even if they are technophobes. It takes leadership to form a group to proactively assess such risks.
The inherent risks associated with this device transcend those of just the theft of intellectual property. Virtually all organizations, whether corporate, private or governmental, have a legal as well as an ethical responsibility to protect proprietary information. Therefore, matters related to industrial espionage, especially those within the pharmaceutical industry, are but a small percentage of the organizational risks being compounded by the evolution of surreptitious technology. This technology is a concern to the simplest of organizations as well as to the most complex global organizations.
Proprietary information as well as confidential information about employees, clients, patients, students and others is placed at increased risk of theft. While such a theft may not directly impact the targeted organization, it would increase the exposure of these individuals to identity theft. Numerous instances of the loss and theft of personal information from various federal agencies, financial institutions and others have been reported through the last decade. While relevant safeguards have been developed to enhance target hardening, this device enables the “lone wolf” as well as those acting as part of an organized intrusion to attack from a pedestrian level. As such, a visiting salesperson, a maintenance worker, a low-level security officer, a delivery person or any other such person who is simply a part of the office background noise may in a matter of seconds compromise the very core of a targeted organization.
CLOSER TO HOME
Perhaps even more insidious is the inevitable compromise of sensitive governmental operations. In a post-September 11th environment we naturally focus upon concerns related to homeland security. While such concerns are clearly justifiable, organizational leadership must also be concerned with protecting matters related to their primary mission. By their very nature, law enforcement organizations acquire and maintain inherently sensitive information and intelligence. The exclusive nature of this information makes it of interest to the media, to defendants, to organized criminal enterprises and to investigative entities employed by law firms. It is therefore vital that such organizations protect information relevant to the performance of their mandated statutory responsibility. The theft of sensitive information may serve to endanger law enforcement officers, compromise public safety, compromise victims/witnesses and as such impede the organization's performance. Additionally, the protection of the identities of victims of various criminal acts, especially victims of sex crimes, is vital. Maintaining the confidentiality of cases related to official corruption is critical to the integrity of these investigations as well as to protecting those who have been falsely accused.
The USB watch is but another vector capable of compromising the traditional security constructs. It is yet another evolution of technology that must be identified and constrained through protective intelligence, access control and technological countermeasures. It is likely that government organizations are well behind their corporate counterparts in identifying and constraining this risk.
Once the policies are in place, the technical security controls can be implemented. The policy editor in Windows XP, for example, allows USB ports to be disabled on certain machines or to be enabled by a person with an administrator password. Visitors who are left with such unattended machines will not be able to download documents onto such USB watch devices. Security cameras and computer logs also can be combed with automated tools for suspicious activities. Good security involves good policy, physical security, technical security, and awareness training for employees. If we are not aware of the new devices on the market, we will become victims of them at the hands of unethical employees or visitors.
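The log-combing control mentioned above, as an added Python example that is not part of the original article: it scans a log excerpt for first-time USB storage installs and flags any device whose serial is not on an approved list. The excerpt is constructed and modelled on the Windows XP setupapi.log driver-install layout; the device names, serials and the approved list are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Windows XP setupapi.log layout.
# Device names and serial numbers are invented for illustration.
SAMPLE_LOG = r"""[2007/03/12 09:02:11 1052.3 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_046d&pid_c00e
#I123 Doing full install of "USB\VID_046D&PID_C00E\5&2A1B3C4D&0&1".
[2007/03/12 14:37:40 1052.9 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskgeneric_usb_watch_____1.00,usbstor\gendisk
#I123 Doing full install of "USBSTOR\DISK&VEN_GENERIC&PROD_USB_WATCH&REV_1.00\EXAMPLE0001&0".
[2007/03/13 08:15:05 1052.4 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskcorp_issued_drive___2.00,usbstor\gendisk
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_CORP&PROD_ISSUED_DRIVE&REV_2.00\APPROVED0001&0".
"""

# Section header: [date time pid.instance Driver Install]
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ Driver Install\]")
# Install line for a USB mass-storage device: device ID, then instance ID (serial&port)
INSTALL = re.compile(r'install of "(USBSTOR\\[^"\\]+)\\([^"]+)"', re.I)

def usb_storage_installs(log_text):
    """Return (timestamp, device_id, serial) for each USB storage driver install."""
    events, stamp = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            stamp = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        install = INSTALL.search(line)
        if install and stamp:
            # The instance ID ends in "&<port>"; the part before it is the serial.
            serial = install.group(2).rsplit("&", 1)[0]
            events.append((stamp, install.group(1).upper(), serial))
    return events

def flag_unapproved(events, approved_serials):
    """Keep only installs whose serial is not on the approved-device list."""
    return [e for e in events if e[2] not in approved_serials]

if __name__ == "__main__":
    approved = {"APPROVED0001"}  # hypothetical list of company-issued drives
    for when, device, serial in flag_unapproved(usb_storage_installs(SAMPLE_LOG), approved):
        print(f"{when:%Y-%m-%d %H:%M:%S}  unapproved USB storage: {device} serial={serial}")
```

Run against logs collected from workstations in visitor-accessible areas, the flagged timestamps can be compared with visitor sign-in records and camera footage.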
SIDEBAR: What Is a USB?
Universal serial bus (USB) is a standard to interface computer devices. It allows peripherals to be connected using a single standardized interface socket and improves plug-and-play capabilities by allowing devices to be connected and disconnected without rebooting the computer. Other convenient features include providing power to low-consumption devices without the need for an external power supply and allowing many devices to be used without requiring manufacturer-specific, individual device drivers to be installed.
Intended to help retire all legacy varieties of serial and parallel ports, USB can connect computer peripherals such as mouse devices, keyboards, PDAs, gamepads and joysticks, scanners, digital cameras, printers, personal media players, flash drives and even watches.