Over the last few years, computers have started shipping with more and more USB connections - it's that little rectangular plug usually found on the back (and now front and even sides) of your PC, used to connect all sorts of devices to your computer - keyboards, mice, scanners, cameras, MP3 players, and a myriad of others. In fact, it is now impossible to get a computer without one. One of the most popular uses is to connect small thumb drives (also known as pen drives or USB drives) in order to back up, store, and transport data. In such a fashion, these are quickly becoming the de facto replacement for both writable CD-ROMs and floppy disks. Typically, these are either dedicated storage devices or integrated as part of portable music players (such as the ever popular iPod) and can hold anywhere from 128 megabytes to 80 gigabytes (enough for most companies' ENTIRE record set).

What, exactly, is the problem with this? A standard, high-speed, easy to use connection for almost every device sounds like a great advantage for computer users.

Unfortunately, there are some very serious security implications associated with USB and its ease of use. The worst of these deals with letting data get into the wrong hands. There are several ways that someone interested in your data might leverage USB to get your sensitive information and take over your computer resources. Even worse, as these devices grow in capacity, the danger they pose also increases.

The root of the problem stems from the way Microsoft's Windows® operating system handles plug and play devices (which is what USB devices are). As you may have noticed, whenever you plug anything into a USB port, nine times out of ten, Windows® will automagically recognize and configure that device for use. If it is a USB drive, it even gets a drive letter. If Windows® detects that the device isn't classified as "removable", it will automatically run certain files found on that drive. (This is known as auto-run and is enabled by default in Windows®.)

While many of the drives on the market today are considered by Windows® as "removable", certain USB drive vendors actually configure their drives so Windows® detects them as "permanent", thus making them capable of "auto-running" these files.

Someone trying to get your information could use one of these devices with a specially crafted auto-run program. When it is inserted into a computer, Windows® will happily launch this program without even asking the user and very likely not even letting the user know something is happening.

This approach can be used in several ways to compromise your data and computers. An attacker could come to your location posing as a legitimate customer and manufacture some excuse to be alone with your computer for a few minutes (how many times have you left your computer unattended even for a few minutes to check on something or get a printout from a printer?) while they insert one of the small devices into the computer. Within a few seconds or minutes, hundreds of files could be copied to the USB drive (the new term for this is "pod slurping"). They then unplug the drive and walk out of your business with data they can sell or otherwise use.

Another scenario involves an attacker at a trade show offering "free" USB drives - a very popular item. They might easily distribute hundreds of these if the convention is large enough. Anytime someone inserts one of these drives, it quickly goes about its job of finding sensitive data and emailing or uploading it someplace on the internet. Even worse, it could be used to install viruses, worms, or other malware onto the computer and allow the attacker to connect to the computer whenever they are ready, potentially bypassing any forms of firewalls, virus scanners, and other security measures.

However, this type of threat isn't only limited to outside attacks. With the size of these drives and the power of readily available software, a disgruntled employee could easily and very quickly copy thousands of files and walk out the door without raising any suspicions even from the most carefully monitored network. (Sound far-fetched? There have been several reported cases of this.)

Even worse, the danger might not even be directly caused by disgruntled employees or malicious attackers. Many people use these devices to keep a copy of their files as they travel or take them home to work on them after-hours. With the capacity and small physical size, a lot of data is kept in a way that can be easily lost or stolen. It's easy to spot someone running away with your laptop bag, but if they slip the USB drive into a pocket, it becomes impossible to find. More dangerous is the doubting of theft: was it stolen or did you just happen to lose it? This leads to delayed reporting of the loss and potentially greater damage if it was indeed stolen.

Finally, if an employee does use these drives to take work home, is there any guarantee that the home computer is as well protected as the corporate one? Too many times have there been stories about malware making its way into a corporate setting because someone brought a USB drive from home that was infected. Since Windows® configures these drives on the fly, it's possible that the anti-virus program could be bypassed, since it may be set to scan only previously existing drives, allowing the virus to gain access to your company network.

So what can you do?

Thankfully, there are quite a few strategies that can help mitigate the risk of USB drives in your environment. Naturally, the strength of your solution will need to be tailored to the sensitivity of your data, the potential for harm, and the potential for attack. A bank will have much different exposure from this threat than would a cash-only craft store, although both should take care to protect their customers' data.

Although it seems everyone jumps to the technical solutions first, one of the best ways to combat this problem is through a strong, well enforced policy regarding USB drives. If possible and applicable, USB drives should be prohibited. This includes everyone (even the IT staff and system administrators who are some of the most likely to want to use them, but also the most likely to go to conferences that offer them as free gifts!). This means anyone seeing a USB drive will know instantly that it shouldn't be there and can report the incident immediately.

If this isn't possible, their use should be permitted on a use-by-use basis to employees that have been made aware of the risk. Any drives of unknown origin (from vendors, gifts, etc.) should be connected to an isolated machine to be scanned for viruses and wiped clean before use.

Once a good policy has been established, technical measures can be put into place to enforce it. One of the easiest and cheapest of these is to disable the use of USB ports from the BIOS. The BIOS controls many of the hardware settings of your computer and is typically accessed at the very onset of the boot up process - often a black screen with the manufacturer's logo on it.

Unfortunately, this means that ALL USB devices will be non-operational. With the spreading use of USB, this solution is impractical on newer machines since they don't allow for traditionally connected keyboards and mice, only USB connected.

That leaves a software solution. Growing awareness of this problem has seen the introduction of software that allows you to control what kind of devices Windows® will allow to be connected and used. For example, keyboards and mice could be o.k., but any type of storage would be denied. Ultimately, this is the most flexible technical solution. Even better, as these products mature, they are allowing for centralized management. This means if John in accounting gets a scanner to digitize receipts, you could authorize its use from anywhere on the network.

Finally, if USB drives are an integral part of your business, and the use outweighs the risk, then all data should be encrypted on them. This keeps data from being readable should the drive get stolen or lost. There are many products out there that make this process simple and mostly transparent, and offer excellent levels of protection.

Three other strategies can also help mitigate the risk of USB drives if their use is a must in your company. These three are not directly related to USB concerns, but are good network security practices in general. First, special care should be taken to ensure that your users only have access to files and information that is commensurate with their job titles - don't let the new hire have access to the president's files! Second, don't let your users run as full administrators of their own workstations - many viruses and Trojans rely on this for successful attacks. And finally, keep customers away from your computers if possible. Keep them behind a counter or out of sight. Using these three strategies helps limit the amount of data accessible by hackers or disgruntled employees.

Many organizations have no need to allow these devices on all computers and should take steps to ensure they are not used. Those that do feel a need to use these devices should work on training their users and taking the appropriate actions to protect their data, both on their computers and while on the USB drives.

In fact, each company will likely need to investigate and adopt a blend of these strategies to meet their needs and still protect their data.

USB drives really do offer a vast improvement over floppy disks and CD-ROMs. They are fast, portable, and easily re-writeable, making them ideal for certain applications. Unfortunately, the things that make them so convenient can also make them very dangerous and their use must be tempered with knowledge of that danger and the risks weighed against the benefits.
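
The article names two Windows behaviours an administrator can check on each workstation: auto-run for inserted drives, and whether USB storage (as opposed to keyboards and mice) is allowed to load. The read-only audit below is an added example, not part of the original article; it assumes the standard Windows registry locations for the auto-run policy (NoDriveTypeAutoRun) and the USB mass-storage driver service (USBSTOR), and the function names are hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Assumption: standard Windows registry locations; function names are illustrative.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-UsbExposure {
    $findings = @()

    # NoDriveTypeAutoRun is a bitmask of drive types with auto-run disabled.
    # 0xFF disables it for every type, which also covers USB drives that
    # present themselves to Windows as fixed ("permanent") disks.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mask = Get-RegValue -Path $policyKey -Name 'NoDriveTypeAutoRun'
    if ($null -eq $mask) {
        $findings += 'Auto-run: no machine-wide policy set (Windows default applies)'
    } elseif (($mask -band 0xFF) -ne 0xFF) {
        $findings += ('Auto-run: still allowed for some drive types (mask 0x{0:X2})' -f $mask)
    }

    # USBSTOR is the USB mass-storage driver service. Start = 4 means disabled:
    # USB keyboards and mice keep working, storage devices do not load.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = Get-RegValue -Path $svcKey -Name 'Start'
    if ($null -eq $start) {
        $findings += 'USB storage: USBSTOR service key not found'
    } elseif ($start -ne 4) {
        $findings += "USB storage: driver enabled (Start = $start)"
    }

    if ($findings.Count -eq 0) {
        $findings += 'No findings: auto-run disabled for all drive types, USB storage driver disabled'
    }
    return $findings
}

Test-UsbExposure
```

Run on each workstation, the output lists only the settings that still leave the machine open to the scenarios described above, so it can be collected centrally and compared against the USB policy.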