The uncontrolled use of storage devices coupled with data theft techniques can lead to major security breaches such as corporate espionage and identity theft with the Middle East being particularly vulnerable
Dubai, UAE, 15 November 2006 - According to a white paper recently issued by GFI, a leading provider of network security, content security and messaging software, businesses in the Middle East and around the world could suffer security breaches as a result of MP3 players and flash memory devices, which can now store many gigabytes of information, giving malicious insiders the ability to steal proprietary data and sensitive and confidential corporate records with ease.
The GFI white paper cites a 2004 report by Gartner Group analysts warning of the security risks associated with uncontrolled use of portable storage devices within corporations. The report states that, contrary to prevailing belief that most threats to corporate information are external, "70% of unauthorized access to information systems is committed by employees." Data leakage, data ciphering, and data disclosure have reached epidemic proportions. 'pod slurping', a term coined in 2005 by American security expert Abe Usher, is only the latest technique to be used by information and identity thieves.
'Pod slurping' refers to the use of MP3 players such as iPods and other USB storage devices to steal sensitive corporate data. Usher demonstrated the vulnerability of corporate security by developing a 'proof of concept' software application that can automatically search corporate networks and copy (or 'slurp') business critical data on to an iPod. According to the white paper, "this software applications runs directly from an iPod and when connected to a computer it can slurp (copy) large volumes of corporate data on to an iPod within minutes." And, according to the GFI white paper, slurping is not limited to iPods and MP3 players. All portable storage devices can be used to slurp information, including digital cameras, PDAs, thumb drives, mobile phones and other plug-and-play devices which have storage capabilities.
"Data slurping is a very simple automated process and does not require any technical expertise," the white paper explains. "A user may plug in the portable storage device to a corporate workstation and by the time it takes to listen to an MP3 all the sensitive corporate data on that workstation is copied to a portable storage device. In two minutes, it's possible to extract about 100 MB of Word, Excel, PDF files - basically anything which might contain business data."
Today, seemingly innocent entertainment and personal use devices can easily be used to breach perimeter security systems from inside a corporation. These devices pose a clear and present danger to regional businesses.
According to Simon Azzopardi, GFI EMEA Managing Director "Middle East businesses are especially vulnerable to 'pod slurping' because of the popularity and wide-spread use of digital storage devices and because there is a generally lower awareness of security issues within regional corporations. We have already seen cases of data theft from inside a corporation as a result of lax internal security that have resulted in serious damage to the organization's reputation, corporate blackmail and industrial espionage. Without taking appropriate measures, this kind of criminal activity will only increase."
The white paper cites a 2006 CSI/FBI survey indicating that intellectual property theft has the fourth highest impact on organizations. Insiders can easily turn into paid informers and engage in industrial espionage, data warfare or other extensive fraudulent activities such as identity theft, which, according to a 2006 Identity Fraud Survey resulted in USD 56.6 billion in costs and damages in 2005. "An employee might appear to be listening to music on his iPod, but actually he or she might be uploading malicious files or slurping gigabytes of valuable and confidential corporate data."
While some security experts advocate draconian measures such as a total ban on iPods and other storage devices in the workplace, the white paper recommends a less drastic approach. "Portable storage devices can be beneficial tools for the corporate workforce and a blank ban would be counter-productive," the white paper concludes. Instead, the white paper recommends the use of technological barriers allowing total control over data transfers, to and from portable storage devices on a user by user basis throughout the network. GFI EndPointSecurity is one such software solution.
-Ends-
About GFI EndPointSecurity
GFI EndPointSecurity allows you control entry and exit of data via portable storage devices, allowing you to prevent users from taking confidential data or introducing viruses and trojans to your network. GFI EndPointSecurity allows you to actively manage user access to media players, including iPod and Creative Zen, USB sticks, CompactFlash, memory cards, PDAs, Blackberries, mobile phones, CDs, floppies and more.
About GFI
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. Founded in 1992, GFI has offices in Malta, London, Raleigh, Hong Kong, Adelaide, Hamburg and Cyprus which support more than 160,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners throughout the world. GFI is also a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.
All product and company names herein may be trademarks of their respective owners.
© Press Release 2006