Gadgets that don’t play by the rules

Beware of employees bearing smart phones, IM services and peer-to-peer file sharing software.

It’s hardly all work and no play at the office. Smart phones, instant messaging and portable music players are a few of the digital diversions available to employees. Some of those gadgets and communication tools can be legitimate work tools. However, they often disrupt productivity and the best-laid security plans.

It’s a sign of the times that government agencies are staffed by people of all ages emboldened by their mastery of consumer electronics. Those employees seldom bother notifying the information technology department that they are using their consumer applications and devices at work.

The problems those technology can-doers create are not contained inside agency walls. Many employees see no problem sending office files to their personal Web e-mail accounts so they can retrieve them at home and catch up on work using their PCs. Or they think nothing of dropping their work files onto a music player or pocket USB thumb drive and transporting the files home.

Faced with consumer technologies that infiltrate government offices, a trend some refer to as consumerization, agency officials recognize that something must be done to manage the situation. It is no longer practical to simply dictate policies or impose outright bans on consumer devices, experts say. Instead, IT departments must devise use and security strategies that allow and encourage employee initiative while minimizing unnecessary risk.

“In a large enterprise, it is hard to summarily block the use of all USB devices,” said Robert Maley, Pennsylvania’s chief information security officer. “There is a business case for some of these, so using [the network directory] to simply get rid of all of these applications just won’t work.” However, the state has issued policy directives, and it requires that all employees complete a security-training course, Maley said.

Lake Forest, Ill., officials make banishment decisions on a case-by-case basis, said Joe Gabanski, the city’s network administrator. “As opposed to telling workers to stop using everything that could be bad for the agency, we have said, ‘Yes, if you need to use USB tools for work, go ahead and use them.’ But we have made it clear that everything must be approved by IT,” Gabanski said.

IT departments that take that approach are on the right track, said Alex Cullen, research director for IT leadership at Forrester Research. “What an IT organization can do is provide help and guidance for users, while at the same time try to minimize risk,” Cullen said. “However, it is important that IT not alienate the business areas they support,” he added.

Employees may be able to ignore the risks associated with consumer gadgets in the workplace, but IT officials do not have that luxury. Below are some of the most common workplace invaders and the risks specific to each.

Smart phones may be too smart

Move over, personal digital assistants. Smart phones are quickly outstripping PDAs as employees turn to multifunctional cell phones to stay organized, connected and entertained at home and at work. Gartner Research said smart phone sales in 2006 grew 57 percent from the previous year.

Typical smart phones can support Web browsing, e-mail and a few office applications, such as Microsoft Word and Excel. Some devices have memory capacities of as much as 64M for storing music, videos and other files. The versatility of those devices suggests they could have a role in enhancing agency productivity. Nevertheless, people should remember that the phones were not designed for that purpose, said Benjamin Jun, vice president of technology at security vendor Cryptography Research.

“Mobile devices are lifestyle devices,” Jun said. “People are accustomed to using [office-issued devices] on personal time, where the line between professional and personal use is blurred. For an IT manager, this blurring of work and personal life has implications for everything from the business appropriateness of certain text messages to the viability of asking employees to avoid installing unauthorized software.”

Connectivity is another risk related to smart phones. “Mobile devices can access and cache sensitive data in a less controlled environment,” Jun said. “This gives another avenue in which sensitive data can walk out the door. Many mobile devices are also configured to directly access Internet resources. Malicious code on these devices can bridge connections between an outside attacker and sensitive internal resources.”

Finally, smart phones, like other portable computing devices, are beyond the reach of agency firewalls and other security measures. “Many of these [devices] go unsupported or unmonitored in established agency environments,” said Jim Russell, vice president of Symantec’s public-sector business.

Security experts say people must expend considerable effort to keep smart phones and other mobile devices secure. “These demand rigorous self-discipline to isolate personal and work-related content they store,” said Ivan Arce, chief technology officer at Core Security Technologies. Walling off personal data from professional content means classifying and managing the content of a personal device. Those precautionary activities often take more time and effort than the average person is willing to spend, Arce said.

iPods and MP3s

Just as with smart phones, people are likely to underestimate the threats associated with another category of popular gadgets: digital music devices. “I love these things personally, but if you plug an iPod into a laptop that contains agency data, that laptop is essentially wide open,” Maley said.

A digital music player is basically a portable storage device. People can easily use one to transport agency documents off-site and beyond the bounds of protected networks.

The tiny devices can also create problems on government networks. “Employees can use iPods or MP3 players to listen to music while they work, but they could also inadvertently install malware onto a corporate machine,” said Mike Wittig, president and chief technology officer at PatchLink, a security patch management provider.

IT departments might say it doesn’t make sense to install the necessary software or sync digital music players on agency computers, but it is more difficult to dismiss the use of portable storage devices, such as USB thumb drives. They are convenient for moving files from one office computer to another, but they pose all the same threats as digital music players.

Personal e-mail

Music players and thumb drives are not the only handy methods for shuttling data. Many employees send e-mail messages with attached work files to their personal e-mail accounts from Yahoo, Google and other Web-based providers. They later log in to those accounts from their home computers and retrieve the files to do work after hours.

“The employee who sends an unencrypted file to their personal e-mail account is putting this file at risk of falling into the wrong hands,” said Tom Corn, vice president of product management in the data security group of RSA Security, a division of EMC.

Clumsy e-mail transfers are especially risky when coupled with the use of personally owned portable computing devices. “An employee might lose their PDA or laptop where unencrypted data, such as a file attached to an e-mail, can be poached,” Corn said.

Watch out for P2P and IM

Communication and file-sharing programs such as instant messaging (IM) and peer-to-peer (P2P) software for sharing entertainment media can pose an array of problems for government IT managers.

Many people get hooked on the immediacy of instant messaging, but few agencies have deployed the enterprise-class IM systems with security, audit and archive features that make the technology suitable for office use. Some government employees resort to using consumer IM services, such as AOL Instant Messenger or Yahoo Messenger, at work, even though those services lack the controls that enterprise-class products have.

The risks associated with P2P software typically stem from unwitting actions rather than deliberate misuse, experts say. A P2P network or service is one in which all nodes have equal access to collective resources. Popular P2P channels such as LimeWire, eDonkey and eTransfer rely on directory servers, or on designated peers, that dish out the network addresses of other participants. The most popular P2P applications are for sharing digital music files.

Experts say legitimate workplace uses of P2P file-sharing networks are rare or nonexistent. However, some government offices use programs that rely on a P2P architecture, such as the Internet telephony service Skype. But managers have legitimate concerns about employees who load P2P file-sharing programs on their office computers, or on the home computers they use for after-hours work.

P2P file sharing poses many risks. For example, the software can index a PC’s entire hard drive and expose its contents to a vast array of users. P2P file sharing also provides an easy avenue for viruses to enter a network, said Bob Boback, chief executive officer of Tiversa, a risk assessment and monitoring services company.

“Users may think they are downloading a song,” Boback said. “When it doesn’t work, they assume that the file didn’t open properly, when in reality a virus has entered the hard drive and is systematically taking files from the individual. You can see where this can become a huge problem across government, especially when it comes to information stored on citizens.”

Combine P2P with IM, and you have the potential for disaster, said Bruce Brody, vice president of information assurance at CACI International. “IM and P2P generally move text and files from client to client and avoid the server in many cases,” Brody said. “The server is where stronger security controls can be put in place and enforced. With IM and P2P, the perimeter is gone,” he said, and every person’s computer or computing device becomes a security vulnerability.

Safety first

Most employees using the latest gadgets mean no harm, Maley said. “They simply get these new devices for birthdays or Christmas or from their latest trip to Circuit City. Because the devices are so cool, they want to use them at work.”

But their naiveté is reason enough for IT departments to develop an appropriate response to the risks those gadgets pose, security experts say. That includes having a sensible policy about which devices are allowed in the workplace.

“Anything in which we can see an absolute business case, such as flash drives and other storage devices, we have allowed,” Gabanski said. “Not on our list are smart phones and devices with [Short Messaging Service] capability. Mostly, these are not on the list because they are not always vital business tools, and we feel we haven’t done all of our research on them,” he said. “We need to figure out the threats and put safety first,” Gabanski said.

Many people who have mastered consumer devices may feel empowered. It’s therefore up to agency IT staffs to manage users gingerly but effectively, Cullen said. “An agency help desk needs to be responsive and not just respond with the knee-jerk message that these devices are not allowed,” he said. “Instead, IT must provide genuine help in order to promote safe practices for all.”

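The personal e-mail and P2P/IM sections above describe two ways agency data leaves through consumer channels: work files mailed to personal webmail accounts, and consumer IM or file-sharing clients talking straight out of the network. The Python below is an added example, not code from the article or from any vendor quoted in it, of how an agency security team might triage two log feeds for exactly those patterns. The key=value log format, the agency.example domain, the webmail domain list and the approved-sender exception are all constructed for this illustration; the client port numbers are those clients' documented defaults.

```python
# Added example: triage of two constructed log feeds for the consumer-channel
# risks the article describes. Nothing here is from the article or a vendor.
from __future__ import annotations

import re

AGENCY_DOMAIN = "agency.example"  # hypothetical agency mail domain (assumption)

# Consumer webmail providers named in the article plus a few common ones (assumption).
WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "googlemail.com", "hotmail.com", "aol.com"}

# Default ports of the consumer IM and P2P clients the article names. These are the
# clients' documented defaults, but most of them fall back to 80/443 when blocked,
# so a port match is a lead to investigate, not proof.
CONSUMER_PORTS = {
    5190: "AOL Instant Messenger",
    5050: "Yahoo Messenger",
    6346: "Gnutella (LimeWire)",
    4662: "eDonkey",
}

# Constructed sample records in a made-up "timestamp key=value ..." format (not a
# real MTA or firewall log format). One line per outbound message or flow.
MAIL_LOG = """\
2007-03-12T17:42:10 from=jdoe@agency.example to=jdoe.home@yahoo.com attachments=2 size=1843200
2007-03-12T17:44:51 from=jdoe@agency.example to=vendor@partner.example attachments=1 size=52000
2007-03-12T17:50:03 from=asmith@agency.example to=asmith77@gmail.com attachments=0 size=1900
2007-03-12T18:01:27 from=press@agency.example to=editor@aol.com attachments=1 size=310000
"""

FLOW_LOG = """\
2007-03-12T17:43:01 src=10.1.4.22 dst=64.12.24.9 proto=tcp dport=5190 bytes_out=1200
2007-03-12T17:43:09 src=10.1.4.22 dst=74.125.19.99 proto=tcp dport=443 bytes_out=48000
2007-03-12T17:45:30 src=10.1.7.8 dst=85.17.5.3 proto=tcp dport=4662 bytes_out=9120000
2007-03-12T17:46:02 src=10.1.7.8 dst=203.0.113.40 proto=tcp dport=6346 bytes_out=2300
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_records(log: str) -> list[dict]:
    """Turn each 'timestamp k=v k=v ...' line into a dict; purely numeric values become ints."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        for key, value in KV.findall(rest):
            rec[key] = int(value) if value.isdigit() else value
        records.append(rec)
    return records


def flag_webmail_forwarding(mail_log: str, approved_senders=frozenset()) -> list[dict]:
    """Flag agency senders mailing consumer webmail accounts.

    approved_senders models the 'approved by IT' exception the article describes,
    e.g. a press office that legitimately mails outside contacts. Messages that carry
    attachments are high severity; those without still show the habit and are reported
    low. A recipient local part that starts with the sender's local part is marked as
    probable self-forwarding (jdoe -> jdoe.home), the scenario the article discusses.
    """
    findings = []
    for rec in parse_records(mail_log):
        sender, recipient = rec["from"], rec["to"]
        s_local, s_domain = sender.rsplit("@", 1)
        r_local, r_domain = recipient.rsplit("@", 1)
        if s_domain != AGENCY_DOMAIN or r_domain not in WEBMAIL_DOMAINS:
            continue
        if sender in approved_senders:
            continue
        findings.append({
            "ts": rec["ts"],
            "sender": sender,
            "recipient": recipient,
            "attachments": rec["attachments"],
            "self_forward": r_local.startswith(s_local),
            "severity": "high" if rec["attachments"] > 0 else "low",
        })
    return findings


def flag_consumer_clients(flow_log: str) -> list[dict]:
    """Flag outbound flows to the default ports of consumer IM/P2P clients.

    Large outbound volume on a P2P port is the 'whole hard drive indexed and shared'
    case the article warns about rather than a chat session, so it is rated higher.
    """
    findings = []
    for rec in parse_records(flow_log):
        client = CONSUMER_PORTS.get(rec["dport"])
        if client is None:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "client": client,
            "bytes_out": rec["bytes_out"],
            "severity": "high" if rec["bytes_out"] > 1_000_000 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in flag_webmail_forwarding(MAIL_LOG, approved_senders={"press@agency.example"}):
        print("MAIL", f)
    for f in flag_consumer_clients(FLOW_LOG):
        print("FLOW", f)
```

On the constructed sample, the mail rule reports the two self-forwarding cases and skips the approved press account and the partner address; the flow rule reports the AIM, eDonkey and Gnutella connections and rates the nine-megabyte eDonkey upload high. Port matching alone misses clients that tunnel over 80/443, which is why the allowlist and the attachment and volume heuristics carry most of the value here; a real deployment would feed a proxy or DLP product rather than a script.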
McAdams is a freelance writer based in Vienna, Va.