Moving data
In the dim past, before networks, we recommended to a company that it fire anyone discovered to have a modem connected to their terminal, because it would allow them to transfer data to the outside world too easily. Now, of course, most computers are connected to networks, which are in turn connected to the outside world. However, companies can get software which will track the movement of all files, so that they can, retrospectively, see from whence and to where their information has been moved.
This still leaves the problem of data being carried or sent out in other ways. While diskettes were always an issue, they at least had the virtue of being limited in the amount of data they could hold. You can now get memory sticks and cards, as well as USB flash memory devices that hold up to four gigabytes of data, with many laptop computers having built-in memory readers, or PCMCIA slots that will take a reader. And camera phone are now able to record – and transmit – images of increasing density (the Samsung SPH-V8200 is an 8-megapixel camera phone. A 10-megapixil device is in the works).
We have long held that backup devices, recorders, and camera phones should be prohibited in most workplaces. Recognition of the potential risk inherent in these devices has now made it to the public sector. Michelle Van Cleave, head of the National Counterintelligence Executive, noted in her 15 September 2005 statement for the record for the House Judiciary Subcommittee Hearing on Sources and Methods of Foreign Nationals Engaged in Economic and Military Espionage that “Breathtaking advances in IT have vastly simplified the illegal retrieval, storage, and transportation of massive amounts of information, including trade secrets and proprietary data. Compact storage devices the size of a finger and cell phones with digital photographic capability are some of the latest weapons in technology transfer as are the tools of cyberspace.”
Lest you think that this limits the risk, think again. The good folks at Sharp Ideas came up with an iPod program, slurp.exe, that will allow you to connect your iPod to a computer and suck out all the data files and store them on it iPod. You can see this and other cute things at http://www.sharp- ideas.net/downloads.php. Besides restricting iPods and other removable media in the workplace, they also recommend that companies:
• Disable USB connections in system BIOS.
• Use third party software to protect against unauthorized data disclosure.
• Use encryption to maintain data confidentiality.
• Keep corporate data on protected network shares, not individual desktops.