Flash memory devices raise security flags

Experts say administrators can't control the information transferred between these devices and a corporate network, unlike e-mail and other network traffic.

Munir Kotadia Special to CNET News
2 min read
Flash memory storage devices and media cards could be a serious security risk, experts said this week.

Administrators have no control over the information that is transferred between one of these high-capacity devices and a corporate network, unlike e-mail and other network traffic. This creates a serious risk because the devices could be used to copy sensitive corporate data from an intranet or release dangerous or malicious files inside a company's firewall, experts said.

Louis Oley, managing director of SecureWave, a company that specializes in intrusion prevention software, said Thursday that he blames Microsoft for failing to provide tools within Windows 2000 and XP to effectively manage and control this type of product. He gave the example of a real-estate agent in Crewe, England, who thought he was buying a new Sony Memory Stick, a removable flash memory card. When he plugged it into his PC, he discovered the device contained confidential medical records of cancer patients at a local hospital.

Portable flash memory storage devices have been growing in popularity during the past few years. They can store large amounts of data and can be used as removable hard drives for PCs, often simply by plugging them directly into a USB port.

Graham Titterington, a principal analyst at Ovum, warns that smaller companies are more at risk from these products than large enterprises. "It opens up the possibility, especially in a small or medium-size business, for somebody to steal the entire customer database, which they probably couldn't get onto a floppy," he said.

SecureWave will next week launch an updated version of its SecureEXE software, which is designed to restrict people from copying prohibited files to and from removable storage devices.

Titterington, though, believes enterprises could solve the problem by strengthening their permissions policy.

"You can stop users gaining access to a file from the access control system, which has nothing to do with the USB port," he said. "Management is not effective when you get to the level where you say to a user, 'You can read and print this file but you can't copy it to your USB port.'" ZDNet UK's Munir Kotadia reported from London.