Today’s flash USB drives can hold 2GB of data, are often as small as a 50-cent piece and can cost less than $20. As they — along with other easily portable memory devices, such as iPods and MP3 players — have become more popular and smaller, concerns over their security risks have grown.
But how legitimate are those fears? After all, as John Pironti, an enterprise solutions architect and security consultant with Unisys Corp. points out, ”The amount of data [that fits on the devices] and the form factor have changed, but this scare is not really that different from the mid-1990s, when 3.5-inch floppies came out.”
Security worries over devices that can plug into USB ports have prompted a phalanx of vendors to launch port-blocking devices; IT organizations are reporting positive results after installing such tools, and we’ll look at some of the leaders. Nevertheless, it’s important to note Pirontis advice: ”If technology alone could solve this problem, it’d be solved already.” And he should know — Pironti says that in lab tests, his team has found ways to defeat virtually every port-blocker on the market.
Risks Are Real
First, a reality check. Flash drives, iPods, MP3 players and their ilk are often said to pose a two-way threat to businesses because they can be used not only to carry sensitive data out the door, but to upload malicious software code to the company network.
While the former risk is very real, the latter remains largely theoretical. That’s according to John Rostern, director of technology risk management at Jefferson Wells International Inc., a Milwaukee-based firm that handles forensic computer work and technology risk management for more than half the Fortune 500. ”We have two large clients that have had data removed via USB drives,” Rostern says. He declines to name the companies, but says one was in the financial services industry, while the other was in healthcare — two industries in which data security is massively important and heavily regulated.
”We haven’t seen viruses introduced to companies [via USB ports],” Rostern adds,”but it’s clearly possible, so you’ve got to treat that as a real threat.”
Fabi Gower, vice president of information security at Martin Fletcher, an Irving, Texas-based healthcare staffing firm, adds, ”Because most iPods, digital cameras and other hand-held devices spend most of their time connected to a far less secure home computer, the possibility of an employee inadvertently introducing a virus to our system was a very real threat.”
Block that Port
Experts say one of the first steps for IT groups is to take a fresh look at the very necessity of USB ports in end users’ computers. ”In each department, ask what’s the justification for ports,” Pironti says. In today’s corporate environment, in which IT frequently administers all software centrally, he believes a large swath of PCs may not need USB ports at all.
Not everyone agrees, however. ”I’ve worked with companies that made the decision to disable USBports,” says Michelle Lange, a staff attorney at security and forensics firm Kroll Ontrack. ”They say it hasn’t worked very well because there are so many legitimate business reasons to keep the ports open.”
For IT groups that want to control USB ports, there are a myriad of security offerings, including the following:
Keep in mind that while Unisys’ Pironti doesn’t name names, he says he’s managed to end-run every port-blocking device currently available. One technique that defeats many port blockers, he says, is to put a Linux boot disk in a Windows PC and fully load a functioning operating system. ”Once I install [Linux], I have access to the PC’s hard drive, all devices and the USB ports,” he says. ”I’ve had plenty of vendors tell me I couldn’t do this [to their products] — but I’ve done it.”
Both Pironti and Rostern say port blockers or other products can play a role in reducing USB risk — but other factors are at least important. Use the following framework to make sure youre fighting the battle against removable media on all fronts:
Policy As a company, decide how you want to manage removable media devices. Because an outright ban would prove nearly impossible to enforce across the board, add a section on removable media to your acceptable-use policy.
Education It’s important to continually discuss with employees their security responsibilities. Stress the harm that comes to the entire enterprise when individuals cause lapses, as well as warning signs that a co-worker may be stealing information.
Control This is where port blockers and other products come in. The key is to control what devices can be connected to a system, as well as what executable files can and cannot be run be given classes of users.
Audit Rostern stresses this measure because of a Jefferson Wells client that suffered significant data loss at the hands of an employee. ”They had some [USB] controls, but no after-the-fact monitoring,” he says. ”Ports were turned off, but because the employee in question was at the management level, they had the ability to disable” port blocking. Result: the thief ”was using a simple USB drive that you can buy at any Staples’ to steal credit-card and demographic data, Rostern says. ”You’ve got to put technology measures in place,” he adds, ”but you’ve also got to have a monitoring process that checks random people.”
In the end, the key for IT and security professionals is to remember that while USB ports may be today’s fashionable medium for data theft, it’s people — employees, for the most part — who actually do their stealing, and their motives and warning signs are as old as the hills.