By Munir Kotadia
Flash memory storage devices and media cards could be a serious security risk, experts said this week.
Administrators have no control over the information that is transferred between one of these high-capacity devices and a corporate network, unlike e-mail and other network traffic. This creates a serious risk because the devices could be used to copy sensitive corporate data from an intranet or release dangerous or malicious files inside a company's firewall, experts said.
He gave the example of a real-estate agent in Crewe, England, who thought he was buying a new Sony Memory Stick, a removable flash memory card. When he plugged it into his PC, he discovered the device contained confidential medical records of cancer patients at a local hospital.
Portable flash memory storage devices have been growing in popularity during the past few years. They can store large amounts of data and can be used as removable hard drives for PCs, often simply by plugging them directly into a USB port.
Graham Titterington, a principal analyst at Ovum, warns that smaller companies are more at risk from these products than large enterprises. "It opens up the possibility, especially in a small or medium-size business, for somebody to steal the entire customer database, which they probably couldn't get onto a floppy," he said, and believes enterprises could solve the problem by strengthening their permissions policy.
"You can stop users gaining access to a file from the access control system, which has nothing to do with the USB port," he said. "Management is not effective when you get to the level where you say to a user, 'You can read and print this file but you can't copy it to your USB port.'"