Top menu

Set clear boundaries for USB storage

More security advice from an industry analyst doesn't usually rouse much interest. Then why such a stir after the recent Gartner Group report on threats from portable storage media?

The analyst, Ruggero Contu, simply pointed out that most Windows networks are wide open to unauthorized uploading and downloading activity through the USB port using consumer devices such as cameras and MP3 players with built-in or removable memory. Perhaps it was mention of banning Ipods from the workplace that grabbed the headlines. Or, perhaps it was that the report and some of the media coverage that followed presented solutions that seemed drastic, mixed-up, complicated and expensive.

In any case, it unleashed a storm of sentiment. Many pointed out that open USB ports are not unlike open device drives-and few corporations, if any, ever banned the use of floppies, CDs and zip drives. A surprising number of the published rebuttals claimed that corporate security measures were becoming too meddling and were ultimately ineffective, and that really nothing could or should be done aside from educating and trusting PC users to do the right thing. Regarding the first point, I'd agree. Even Los Alamos National Laboratory didn't ban zip drives in the past. It took multiple incidents of removable drives purportedly loaded with classified information walking out the door before the DOE put new policy in place. But, what IT organization would like to be in the defensive position that the U of C is now in with its client, the DOE, over this chain of events? This case also illustrates that the problem does not have to be one of information thieves; well-meaning employees going around with sensitive data on removable storage devices are the source of equal or greater risk.

In the category of poorly chosen measures, there are many 'cartoon caper customization' stories: tearing out floppy and CD drives; cutting the wires; squirting glue into USB port openings; even placing system blocks in locked wooden boxes. 'Blunt instrument' measures, to be sure. Yet, when you consider both the potential severity and the likelihood of a security breach occurring through an unsecured device port at a local end-point, at least the companies involved recognized there was a problem.

There are more evolved, easier-to-implement technology solutions that allow system administrators to centrally control the who's and when's of uploading and downloading through device ports, such as DeviceLock from DeviceLock, Inc. I wouldn't consider them any more "meddling or impractical" than personal firewalls. By the way, a personal firewall will not protect your network from a threat that walks up to your computer and attacks locally, only when it attacks across the Internet.

Finally, security policy is not meant to signal to users that they are untrustworthy. It does bring into focus the sensitivity of information and a business's vulnerabilitiesand therefore requires enforcement. Someone intent on violating security policy may succeed at thwarting the means of enforcement. But this doesn't mean enforcement is a useless exercise. Like a cone fence around a sidewalk under repair or a turnstile in the subway, it is not so much that the barrier be unbeatable as that it is there. Just in taking the step to manage access to external memory devices with technology, an IT department is giving weight/substance to its policy. Regarding this threat, the sooner boundaries are set, the better.