The Rising Threat of USB Drives

By Marc Saltzman

You can find them in pockets, purses and on key chains. They're on lanyards and in pens, built into some jewelry and even found alongside scissors and nail files in Swiss army knives. Teeny USB thumb drives are ubiquitous: In fact, Gartner estimates more than 222 million were sold in 2009 alone. Could such a tiny gadget bring big risks to your organization?

Your Data at Risk

Thanks to their small size, low cost, and capability of instant backup and file transportation between multiple computers, USB drives actually pose significant security threats for businesses.

For example, disgruntled employees can easily make off with sensitive company information on a USB drive. "The threat is not new, but the problem is exacerbated by tiny and cheap USB drives," says Leslie Fiering, research vice president at Gartner in San Jose, Calif. "The moment we had removable storage media -- going back to floppy disk drives -- there have been stories of janitors going onto computers after hours and downloading major amounts of information." Employees who plan on quitting a company -- or perhaps those expecting a pink slip -- can also easily copy over customer or client databases, emails, calendar appointments and contact lists in a matter of seconds, and then take this digital info with them to a competitor.

Increasingly, USB drives can also carry harmful malware, say security experts. USB keys can be used to install viruses or to serve as boot drives to erase data -- even unintentionally. An employee who uses a USB drive on a personal computer at home could carry malware back to a work computer without his or her knowledge.

USB Security: What You Can Do

You should take several precautions to minimize the risk of data theft or malware attacks via USB drives. Consider the following:

  • Implement strong security software. All company computers should have the right security software to detect and remove potential threats. "Without question, you need serious protection today that not only protects from online threats but also is capable of scanning external devices too, such as USB drives," warns Fiering.
  • Limit USB access. In extreme cases, organizations have cut off access to USB ports. Others have limited USB access to specific employees. Using encrypted USB drives is another option, as is disabling AutoRun on computers so that programs on a USB drive don’t immediately run when a drive is inserted.
  • Monitor use. Keeping track of USB access will help you note who is using the drive, on which computer and at what time of day. "IT departments need to make sure their machines are secure and sensitive information protected," adds Michael Gartenberg, research director at Gartner in Stamford, Conn.
  • Focus on education. “Banning can result in users trying to bypass the ban,” cautions Santorelli. A usage policy augmented by an awareness campaign to educate end users will help mitigate the risks.
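
The "limit USB access" and "monitor use" points above can be combined into one review of USB connection records. The sketch below is an added example, not part of the original article: the log format, host names, user names, drive serials, approved-user list and working hours are all constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample records (not real data): time, computer, user, drive serial.
SAMPLE_LOG = """\
2011-06-06T09:14:02,FIN-PC-07,asmith,SN-4C530001
2011-06-06T23:41:55,FIN-PC-07,cleaning1,SN-0000BEEF
2011-06-07T14:03:10,HR-PC-02,bjones,SN-4C530001
2011-06-07T02:10:00,HR-PC-02,asmith,SN-77AA0002
not,a,valid,line,at,all
"""

# Assumed policy: who may use USB storage, and which hours count as normal.
APPROVED_USERS = {"asmith"}
WORK_START, WORK_END = time(7, 0), time(19, 0)

def parse_line(line):
    """Return (when, host, user, serial), or None if the line is malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return when, parts[1], parts[2], parts[3]

def review(log_text):
    """Return (findings, skipped); each finding is (record, [reasons])."""
    findings, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):  # ignore blank lines
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        when, user = rec[0], rec[2]
        reasons = []
        if user not in APPROVED_USERS:
            reasons.append("user not approved for USB storage")
        if not (WORK_START <= when.time() < WORK_END):
            reasons.append("outside working hours")
        if reasons:
            findings.append((rec, reasons))
    return findings, skipped

if __name__ == "__main__":
    findings, skipped = review(SAMPLE_LOG)
    for (when, host, user, serial), reasons in findings:
        print(f"{when} {host} {user} {serial}: {'; '.join(reasons)}")
    print(f"{skipped} malformed line(s) skipped")
```

Reporting the count of skipped lines matters here: a monitoring job that silently drops records it cannot parse leaves a gap nobody knows about.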

Fiering and Santorelli note that these risks are not limited to USB drives. Santorelli calls it an “erosion of the traditional network perimeter” because of the prevalence of mobile devices and the convergence of personal and work technology. “This is a problem that's not going away any time soon,” says Fiering. With the right security measures, however, companies can ensure the security of their data, despite today’s increased risks.

Marc Saltzman is a Toronto-based technology journalist whose articles on IT, consumer electronics and tech trends appear in many print and online publications, including USA Today, AARP and Yahoo. His on-air segments on technology can be seen on CNN.

Windows into your pockets . . . . .

Posted on July 7, 2011

Microsoft Windows has all of us being vulnerable . . . . . . we live in digital glass houses . 'Proprietary' now means 'help yourself' .

It's not rocket science

Posted on July 1, 2011

Most if not all IT security solutions can be implemented in multiple ways. It becomes a rather demanding yet entertaining game to figure out the puzzle. The trick to rising above the horde is figuring out which solution covers the most vectors with the least amount of cost or pain. I won't spam here, but my company happens to be deeply involved in solutions production. The mode of operation is to be -down in it- and spend a lion's share of our time hashing out the ways exploits are performed...to the point we actually discover clever new ways to do some pretty bad things if we were indeed malicious evil gremlins...but we fight the good fight, and will never release any offensive techniques or holes we discover. The second stage to the solution process is to change roles from offensive to defense, and spend more time grinding out defense postures that negate what was produced in the 1st stage, testing the techniques to see where it works or doesn't. I direct the whole team on role reversal, cycling between the two roles as a whole instead of having one group sitting in offense and another working defensive solutions...it covers more potential positions on both sides this way, at the expense of slightly more time required. So, when the job at hand is cashed, we can be assured we did a more thorough coverage of all aspects, producing more paths to solutions, which in turn allow us to offer different grades of product depending on what our clients can afford...cost and effort wise. We won't hesitate to tell a client 1st and foremost what the best and most complete solution is...but subsequently lay out the alternatives in order of effectiveness. We also don't take liability for people who choose the cheapest or easiest path...you get what you pay for in the end. In the case of this little USB inconvenience, the strongest solution path is to physically eliminate the ports electrically, and spend the client's money on all the network vectors.
A much more painless method I found was to write a little piece of software that keys USB access to a smartcard or QR hash linked to each operator, and then maintains log files on every action through the bus. Offering the client remote analysis of these activities then frees them almost completely from any burden regarding this threat, and also provides them strong data for prosecuting offenders who trigger alarms by requesting data from disallowed directories like //root or //system, etc. You see, you don't need to go ballistic with top-heavy solutions that become an iron boat-anchor tied around everyone's neck just because your solution provider is dumb, lazy, unimaginative, or indifferent. Return on investment is the target when you go into solving a problem, so you must expect (as a solution provider) to spend considerable time just simply working all possible vectors out as I described earlier...and if you get tired and distracted and stop your research prematurely because you just want to invoice the customer...you leave gaping holes everywhere that WILL be found and exploited by unsuspected creatures...like ...the cat ...you get my drift? This is an arena we chose to win in, and it boils down to that famous-best problem solving attribute of all-time ... Determination. Bang on it and scratch it until you can't break it...then take a break and come back and hit it with a hammer. Trust me, Norton or Microsoft won't play the game for anything other than profit...you aren't going to find security from huge entities operating with their culture.

Completely impossible

Posted on June 9, 2011

With USB mouse/keyboards it's impossible to limit access. All a person has to do is unplug the keyboard and use the mouse to move data to the USB drive. If you use only 1 USB port and somehow get the mouse and keyboard through that one port then the person only has to bring in a two port USB hub, which can fit in your pocket. It's a tough problem to resolve.

Fifth USB protection option

Posted on June 10, 2011

To protect against disgruntled employees stealing data, how about treating your employees better so they don't have a reason to sabotage your company?

Zip disk as Firewall

Posted on August 11, 2011

One can't set up a good firewall to stop the problem of viruses and malware? As for the human dimension, I agree with the Fifth protection comment, of June 10, as the article seems a bit discriminatory towards "pink slip" personnel. Adding a password to access, with permissions set, would seem to be enough, and proper buy-in of the appropriate staff, then is not a technical question, but, rather, a management point. Some companies and institutions solve the problem of the un-watched access cleaning staff have at night--staff who are usually either outsourced or at least not hired with the same rigor applied to direct producers--by doubling their function with that of security guards, who are, potentially, rigorously checked as to background. That brings us to one more point, that computers are so highly technical, and for that matter, non-transparent, that for businesses whose core area is not computers, computer maintenance is likely to be out-sourced. But data isn't like your truck maintenance, it is so much more sensitive! And I guess that brings me back to technology. There ought to be a hard-ware version of silicon valley, as companies must largely just choose the same off-the-shelf devices that are offered, with no significant options. What has been this off-the-shelf technology is the computer, a non-transparent, highly technical technology, with incidentally built-in that there is no hardware firewall, an infinitely configurable device, although requiring non-transparent technical expertise to do so, that companies are asked to use for often very specific tasks. In this sense, the zip disk is part of the beginning of the end of the computer, in a good way, that is.
Not denying the whole thrust of this article, which is in part that zips can house spyware, viruses, and malware, I also want to point out that essentially a zip disk, or for that matter, a floppy, is at first glance a data storage device, for holding your documents, word, excel, pictures, music, rather than a device housing the operating system. It would seem to be a much simpler, much more transparent paradigm: here is your personal working data storage, in total; here is what's on it, your files, your documents, presentations, spreadsheets, pictures and music. If ninety percent of personnel were using simply zip disks connected to a key-board, with no computer, no os, just a google notepad like interface with just the applications available that you need, only their interface open to access, and vice-versa, your data staying on your own disk--whether portable or screwed into your desk--at least as a foundation, that would also be a step forward of sorts, security-wise, it would seem. Of course you would want to be able to write "macros" and excel formulas, but starting from that perspective would be a whole lot different from the totally open environment that is what a computer is. If there is a fundamental problem with what I have presented, besides that it is tangential to the article's points, then I think it would be informative to all to start with what I say here and point out what's wrong with it, why we still do things the way we do. I should point out, also, that one store takes the opposite approach, using off-the-shelf pc servers, as cash registers, and taking all the microsoft tech to the hilt, fully configuring them with everything they come with, a product that more and more is ready to be user-friendly to businesses that are fully prepared to fully embrace them with lots of energy and viv.