| |
Theft is another threat incurred by UFDs lacking any type of security. The 2005 Computer Security Institute FBI Computer Crime & Security Survey showed laptop and portable device theft to be the most commonly reported attack of the year, thus managing to surpass other attacks, such as denial of service, viruses or insider thefts. In other words, three quarters of responding companies reported such an incident in 2005.
What Can Really Happen?
Besides casting a doubtful image on a certain organization, losses of confidential data can lead to fines and other more severe consequences. In January 2006, the Federal Trade Commission charged US based commercial data broker ChoicePoint Inc. a settlement fee of 15 million dollars to compensate for the leak of consumer data and the violation of consumer privacy rights.
A well known incident involving private data loss occurred when sensitive payment details belonging to Perth and Kinross Council employees where found practically laying on the street, on a misplaced UFD. The USB key containing 59 documents, most of them belonging to the council's Environmental Services Department, was recovered near a bike shelter close to the council building. More extreme cases involve national security. Such an incident took place in 2006 when flash drives containing classified US military information were sold as used hardware in a marketplace from Bagram, Afghanistan.
How to Secure a UFD
While in the digital environment, a user employs a digital identity to prove they are who they say they are, also providing some form of authentication. Such identities are, however, hard to keep a secret. Authentication, thorough as it may be, is subject to leaks, especially when knowledge or possession is used.
Knowledge-based authenticating is mostly limited to passwords. Users set a password according to corporate security policies and then they are required to remember it. Policies might require complex combinations of letters, numbers and special characters. But such a password will never prevent the user from writing it down on a piece of paper that he/she will later loose. On the other hand, ways to break passwords are improved every day.
Possession implies a token used by the employee. A good example would be an identity badge granting access to enter a certain office or building area. In this case, theft and loss are also huge threats and if security relies on such tokens only, additional measures of verifying if the person using it is authorized to do so might lack.
|
|
