"Hey IT Guy, check out my cool phone! I can use it as a modem for my laptop!" Ever heard that from one of those end users? I'm sure you have. Sounds much better than "Check out my cool wireless bridge I've been using to exfil sensitive data out of our company!" No matter if you've got the latest sexy new phone or not....they should be considered dangerous. Let's look at some of the risks that cell phones present.
Of course, as security folks, we need to think about these things. You could just mandate a "no cell phone on premises" policy....which would go over really well with your Sales team. However, that's exactly what a lot of government facilities do. Takes us back to one of the earliest questions: Does Risk = Reward? If the answer is No, then ban cell phones on site. You do still have landlines for dialing out, correct? If you think there is some value in having them (mobile workers, no phones in the server room, etc.) then modify the cell phone policy. Maybe only certain areas are to be dubbed as "No Cell Phone" areas. Think about your R&D Dept. Probably a good place to limit what and who goes in. Just a word to the wise: YOU CAN'T BAN CAMERAS AND STILL ALLOW CAMERA PHONES!! Makes sense, right? Remember also that many of the newer laptops are building cellular modems directly into the hardware. I know my Dell D820 has one. Might want to look at restricting those devices as well.
The Case of Mr. Bond's and Acme Inc.
I read a great story the other day about someone using a cell phone in a very confidential business negotiation. Mr. Bond (not his real name) was in the market to purchase and takeover a failing Acme Inc. Acme's Board of Directors realized that this was probably a good solution to their declining revenues. They decided to sell. They brought Mr. Bond into the Acme conference room to discuss the details of the merger. Things like what percentage would be sold, price per share, etc. After several long hours, they couldn't come up with a price. Mr. Bond asked if he could call his wife to cancel his dinner plans, since it appeared the discussion was going to take awhile: "Hi honey...talks are good, but running long. I'll be home late again. Love you....goodbye." He hangs up and sets his phone down on the conference table. He then asks that the Acme Board of Directors decide on an acceptable sale price, while he excuses himself to use the restroom. He gets up and leaves.
The directors argue amongst themselves and decide that they absolute LEAST price they can accept is $3.5 million, but they'll be asking for about $8.4 million. They agree and Mr. Bond comes back in and he immediately offers $3.58 million. HOW IN THE HECK DID HE KNOW?!? Did he have Acme bugged?! The short answer is: Yes. He did.
You see, Mr. Bond is a shrewd man. While he pretended to call his wife, he actually called his co-worker and he never shut off his phone, leaving the connection open instead. (Of course, he first ensured that call waiting and sounds were disabled! You learn this things at Secret Squirrel School). He left his cell phone, with the open connection to his co-worker, Mr. Q, sitting quietly on the table transmitting every word. But how does Mr. Bond get the info? Simple, he carries a second cell phone...and he calls his co-worker on Mr. Q's office phone , and Mr. Q simply relays the entire conversation to him over the second cell phone!!! (Do not try this at home!)
That Slurping Sound You Don't Hear is Your Career Going Down the Toilet
"Pod Slurping". You've heard the term and can probably guess what it means. Portable Media Players (PMP). Zune. iPod. We all have one (or sadly......multiple ones). iPod launched in 2001. By 2006, over 60 million units have sold. IDC forecasts that by 2009, over 124 million portable players will be sold. They are great for keeping every CD I've ever owned available to listen to. With the advent of podcasts, like on TechNet Radio, we can also get audio tracks that specifically interest us. But is there a threat with these devices? Inherently, all PMPs are nothing more than a storage device.....and I'm talking a BIG storage device. The newest Zunes and iPod have a capacity of 80GB. Some of you don't even have that much room on the PC in your home. 80GB is a lot of data, as you can guess, but how much data is that in real terms?
The Filing Cabinet Analogy
Do you remember the old, gray 4-drawer filing cabinets? I came from the U.S. Army and they had them everywhere. File after file, drawer after drawer. (Contrary to what Napoleon said, the Army runs on it's filing system....). A A single gigabyte is equal to ten, 4-drawer filing cabinets. That’s 40 drawers!! Time for some math....
Assume: A filing cabinet has four drawers, each 2 ½ feet long. A single file drawer holds 70 lbs, or about 7,000 docs/drawer. That’s 1,000 feet of filing drawers per Gigabyte (GB).......or 280,000 documents.
Let's look at transfer rates...how long will it take to move that data in a perfect world? More and more data moving in shorter and shorter times.
So if my math is correct (and it might not be....), then assuming perfect network conditions, and the LAN operating with minimal traffic, high spindle speeds for my hard disks, etc. Let's see how long it will take to fill my 160GB USB 2.0 iPod with your classified data:
Mitigating the Risk of Windows Portable Devices (WPD)
So how do we shut this nuisance down? We use the aforementioned GPOs that exist today. Have you seen the new GPO in Windows Vista which allows you to shutdown the connection of various devices, including the WPD devices? Now the GPO explanation doesn't really tell you that WPD stands for Windows Portable Devices....but I'm telling you now. PMP = WPD. Simply turn it on and shut them down. Nice! Unfortunately, I've not heard or seen any easy mechanisms to shutdown a cellular network card that lives on a machine, short of disabling the hardware or using an illegal cell jammer. I'd love to hear some suggestions if anyone has any experience in this area.
NEXT TIME: Insider Threat continues with: "Oldies but Goodies..."