For quick transport of files outside the office, Universal Serial Bus flash drives are convenient. They’re smaller than a CD/DVD or pocket hard drive, and often easier than using the Internet. And with prices starting at around $20 to $25 per gigabyte for 1GB to 4GB drives, businesses can afford them for everyone.
But USB flash drives also pose a major security risk, as do the USB ports on notebook PCs and computers. Unfortunately, what you’ve seen in spy movies is all too real. Anyone can stick in a USB drive (or iPod or Wi-Fi adapter) and discreetly “slurp” down documents, spreadsheets or other files in an instant.
Setting company policies and driving employee awareness represent a first step in safeguarding corporate data, but more steps are needed. So says Ben Rothke, CISSP, senior security consultant with INS and author of Computer Security: 20 Things Every Employee Should Know. “Very few companies have taken steps to monitor the usage of these USB storage devices on their networks,” Rothke explains.
“The vast majority of companies have no policies or technology in place to stop end users from using removable media of any type.”
While simply banning flash drives may sound like a solution, don’t count on it doing the trick. It only takes one employee or visitor who doesn’t know about the policy and wants to sync a personal digital assistant or grab a few MP3s, to create a big problem.
“You can apply epoxy to the ports on your computers to make them unusable — or you can get software that locks the USB ports,” Rothke quips.
Miriam Neal, vice president of information systems at South Western Federal Credit Union, uses SecureWave Sanctuary to address USB security by locking down computer end-points at the credit union. The La Habra, Calif.-based credit union employs about 50 people, and its IT environment includes 70 workstations and 11 servers.
“We wanted to lock down our workstations to prevent people from downloading information they shouldn’t to USB drives, so we could track what our IS staff did with USB drives when working on our servers,” says Neal. “We locked down USB ports on our computers, so any USB storage devices that get plugged in can’t be read from or written to, while still allowing USB devices like mice and printers to work.”
South Western now controls the type of devices and the computers that those devices can access. Neal also assigns permission based on the needs of end users and the types of computers they use.
The technology options for securing USB ports and drives is growing, and includes vendors such as GFI EndPoint Security, Pointsec Device Protector and Media Encryption.
In addition to controlling access to USB ports, port management tools may also control a combination of FireWire, serial, printer and infrared ports, floppy/CD/DVD drives, and USB-connected Wi-Fi or Bluetooth adapters. Some of the tools also let you restrict access for MP3/media players, handhelds, and CompactFlash and SmartMedia, as well as USB flash drives.
With port-blocking software, you don’t need to physically remove, change or block any of your computer hardware. Instead, simply install the software — which may install small “agent” programs on each computer to be controlled — and assign appropriate privileges to each end user. You shouldn’t need any new hardware to run the administrative software, as one of your current Windows computers should do. The cost is likely to be in the $30 to $100 range per computer — far less than the impact of any security breach.
Once installed, port-management tools should also offer reporting tools to let you see what has been allowed and to whom, and who has tried and been blocked from doing what.
“We get reports on attempts and legitimate allowed activities,” says South Western’s Neal. “Based on the reports, it’s working, and because we’ve locked down most of our workstations, there’s very little to look at.”
In addition to locking down USB ports, it’s important to secure the USB flash drives that your employees use before someone loses one containing sensitive information. Small and compact, USB flash drives are far easier to lose than a CD or a notebook PC.
“The problem with USB flash drives is you usually don’t know when they’ve been lost,” comments Rob Enderle, principal analyst with the Enderle Group. “If someone loses one, they may not report it and buy another. So, you could lose a lot of customer records or other data and not know it until everybody’s been compromised.
“If you know your people will use USB drives and carry confidential data, it makes sense to use those that have built-in encryption, so if one’s lost, it doesn’t create a risk exposure,” Enderle advises. “Get ahead of the problem.”
You can find password and encryption security applications that work on most USB drives, and some USB drives include security applications already installed.
Of course, these tools don’t eliminate the need for good company policy and end-user awareness. “Make sure your employees understand they shouldn’t plug ‘foreign’ — noncompany, nonauthorized — devices into company computers,” suggests Eric Ogren, security analyst with Enterprise Strategy Group.
At South Western, the credit union prohibits employees from using USB ports and CD-ROMs without permission. Employees are also restricted from tampering with software.
USB drives can get infected with a virus, spyware or other malware while used outside the office, at a hotel business center or copy shop kiosk. When an infected drive gets plugged into a computer at your office, the infection can spread to the computer and bypass the security at your network gateway.