SECURITY

Analysts Address iPod Security Risks


Laura Koetzle, a principal analyst at Forrester, told MacNewsWorld that a groundswell of concern about the security threats posed by Apple's iPods and other devices has occurred because these products have become so ubiquitous.



Research firm Gartner (NYSE: IT) released a paper last week delineating the threats Apple (Nasdaq: AAPL) iPods and other portable storage devices pose for enterprise networks. The note, entitled "How To Tackle the Threat from Portable Storage Devices," warns that businesses increasingly are putting themselves at risk by failing to monitor what portable storage devices their employees bring to work.

Ruggero Contu, Gartner analyst and author of this industry report, writes that this vulnerability has existed since Microsoft (Nasdaq: MSFT) released Windows 2000. According to him, this version of Windows was the first that enabled systems to mount USB peripherals automatically.

Contu cites two kinds of threats that devices like the iPod, digital cameras, key chain flash drives and external hard drives can pose. Users can install so-called "malware," bypassing perimeter defenses like firewalls and antivirus programs. Perhaps more significantly, companies risk losing intellectual property (IP) and other sensitive data through these devices acting as portable data transports.

Awareness of Problem Increasing

Jupiter Research Microsoft senior analyst Joe Wilcox said that the security problem posed by the iPod and other portable devices is nothing new. Rather, awareness of the problem has increased.

"Windows offers no real security mechanism for USB devices," Wilcox said in a MacNewsWorld interview. "Anyone with the proper access rights could grab gobs of data from a network server, transfer it to the music player and take it out of the company."

According to Wilcox, banning these devices, one of the recommendations suggested by the Gartner analysis, is at best a stopgap measure. "The problem needs to be solved in the operating system, either directly or through third-party tools," he said.

For her part, Laura Koetzle, a principal analyst at Forrester, said that a groundswell of concern about the security threats posed by these devices has occurred because these products have become so ubiquitous and, in the case of USB key chain devices, so inexpensive.

"Everyone is always giving away these USB devices at conferences. It's become the new gizmo of choice," Koetzle said.

The Risks Involved

During her interview with MacNewsWorld, Koetzle related an anecdote about one of her clients, an Australian bank, that was ticked off at Microsoft's decision to stop supporting Windows NT 4.0.

According to her, NT 4.0 was the last version of Windows to "utterly exclude" USB devices. If the bank moves up to a Windows Server 2003 install and Windows XP client, its IT people would be required to create a new base install, which would be a hassle -- and not uniformly prevent users of the system from compromising it through the use of USB peripherals.

Koetzle said that while installing malicious code is one of the risks posed by these devices, another is the threat of an employee walking off with confidential information, such as a company's unreleased financial statements. If such documents were released or circulated early, the company in question could find itself in serious violation of SEC regulations.

A Question of Intelligence

For his part, ECT News director of IT Daniel Bohling differentiated between what he described as nonintelligent devices, such as USB key chain drives, and intelligent devices, such as iPods and PDAs, all of which contain some sort of operating system.

Bohling said that both families of devices can store files brought directly into a network, circumventing its first line of defense -- firewalls, e-mail scanners and whitelists, among other things. Moreover, many of these devices -- intelligent and nonintelligent -- have large storage capacities, enough to grab a ton of sensitive data from the network.

But intelligent devices typically have some sort of OS that could be what Bohling termed "network aware."

Such a device "could be trojaned, infected with viruses, or act as a modified espionage device," Bohling said. "You have to look at it like someone just walked in to your office with a PC, monitor, speaker, keyboard and mouse on a cart."

What's Your Risk Level?

Bohling said that companies need to determine the risk level they are willing to take. "If it's important enough for your company to run a firewall that blocks outbound FTP, or to scan outgoing e-mail for content, then I'd say that these devices have no place on the premises," Bohling said.

"Remove all applicable device drivers from users' computers, lock down the machines so that drivers and software can't be installed, and initiate a company policy stating that they aren't allowed. If you have wireless access points, lock them down by MAC address, and use encryption on them," Bohling went on to say.

Forrester analyst Koetzle said that companies also need to weigh the potential of prohibiting these devices with the possible downside of limiting employee productivity. If an employee uses a special USB pointing device to relieve carpal-tunnel symptoms, for example, blocking USB access could prove problematic.

At the same time, if a business relies on its intellectual property for its livelihood, it is imperative to implement a strict security plan.

Said Koetzle: "If you're Dreamworks or Applied Materials (Nasdaq: AMAT), the last thing you want is for someone to waltz out with your IP on a key chain."
