September 28, 2004 4:00 AM PDT
Perspective: USB--short for 'ultimate security breakdown'?
See all Perspectives
But for security administrators and corporate executives, USB--short for Universal Serial Bus--is taking on an entirely new meaning: ultimate security breakdown.
Most organizations don?t realize that USB and Firewire ports offer an unbelievably easy and accessible way to take sensitive information outside of the enterprise--and this naivete could cost them dearly.
If you look at the new corporate desktop releases from top makers Dell, Hewlett-Packard and Gateway, a single system can easily have up to eight USB ports. But it's not the sheer number of ports--it's the default plug-and-play configurations of operating systems like Microsoft Windows XP that are the real problem. Current operating systems provide seamless support for USB devices, and for good reason--their users want to be able to load photos, sync their PDAs and transfer music to and from their music players with no hassle. But the resulting security problems are significant.
In industries such as financial services, government and health care, where sensitive information not only exists but is heavily regulated by privacy laws, there is monumental risk. And that's not to mention the finance and legal departments within every publicly traded company, where violations of material event-disclosure laws could result in serious penalties and fines, in addition to public- and investor-relations disasters.
So while organizations scramble to turn off the data spigot with no guarantee that software or PC manufacturers will do anything to stop default USB access, things are only going to get worse. Several trends will feed this security dilemma over the next 12 months, including:
Pop culture
Music players such as Apple Computer's iPods, digital cameras, PDAs and other gadgets will continue to see rapid adoption among consumers and business users. With no configuration at all, an employee can plug a USB keychain with a gigabyte of storage into the back of a corporate PC. Employees already bring digital cameras to work to download photos to serve as desktop wallpaper or screensavers. These devices are normally plugged into home computers with a fraction of the security of today?s enterprises, making it incredibly easy for someone, even unintentionally, to download a nasty virus or destructive code.
Malicious code meets device
Wireless LANs and laptop computers are the current hot vectors for malicious code infections, but the recent appearance of malicious code in portable and personal devices does not bode well for security administrators. Infected PDAs syncing to a corporate computer could result in a scenario where malicious code is passed from device to machine to corporate network. It's also conceivable that future malware will seek out portable media solely for the purpose of proliferation.
Storage device meets mouse
The convergence of different computer components and technology could present the ultimate dilemma for security personnel. Mice, keyboards and other components that are intrinsic to everyday computing, combined with storage capabilities, are a potential Swiss Army knife for data thieves and insiders or yet another threat vector for malicious code exploits.
Unfortunately, most security organizations are still drowning in their battle against malicious code and vulnerability patching, keeping the focus on perimeter security technologies, such as corporate firewalls, server antivirus strategies and content filtering at the gateway. While these measures are important and administrators must continue to lock things down at the network hub, the number of spokes is growing exponentially. Many organizations have hundreds or thousands of machines hooked up to the network at any given time. When you factor in the possibility that very soon there could be multiple devices per PC with unlimited access, it presents a very sobering reality for security personnel.
There are immediate steps that companies can take that will go a long way toward solving this problem, including a "white list" approach to block unsanctioned devices, applications and executable files from all corporate machines. Until these types of measures are implemented, USB devices will continue to be the weakness in perimeter security?s Maginot Line, allowing a relatively easy and tempting way for wayward insiders and malicious code writers to hurt government agencies and organizations.
A major step toward solving this problem will be turning their ultimate security breach into an unbreakable security barrier.
Biography
Dennis Szerszen, formerly an industry analyst, is vice president of business development at SecureWave, a maker of end-point security software.
While I don't entirely disagree that USB devices can be security vulnerabilities, whenever you start hearing the same message coming from one representative after another then you'd better check your wallet.
Public Relations firms are interfering with the public's ability to make informed decisions on a huge range of issues. We need the freedom to think for ourselves.
- Load of garbage.
- by powerclam September 28, 2004 8:04 AM PDT
- So long as the average PC has a floppy-disk which the user can read/write, the "problem" is about the same.
- Like this Reply to this comment
-
-
- Not really.
- by September 29, 2004 8:24 PM PDT
- A flash drive can hold up to 2 GB of data, significantly more than
- Like this
-
- not so much garbage....
- by October 18, 2004 3:38 PM PDT
- The old problem of "Floppy Drive Insecurity" purported here has become mostly out-of-date, as most data files in a corporate environment are now too bloated (primarily by Microsoft's bloatware applications) to FIT on a floppy disk - who wants to steal files ONE AT A TIME?? This is why the USB attachement market has proliferated as a replacement for the floppy disc drive. I, as a once Corporate Systems Administrator, can see the security issues involved - the ease in adding these devices to standard desktops etc takes us back to the days of having to TRUST our empoyees either NOT to steal data/apps (which they WILL do if we allow them), or not to have the technical knowhow (which is minimal), or not think of using such a device in the first place. All of these hopes/pipedreams are poor security indeed. USB drivers may need to be disabled on corporate machines unless required - and then the end-user needs to be made aware of the implications of their use. I myself have an external USB 80Gb drive.....who wants to be the first to realise that 80Gb of corporate data/licenced apps etc could be walking out their door EVERY DAY by ONE employee???
- Like this
-
(4 Comments)I suspect someone wants to sell a SOLUTION to a problem that doesn't axctually exist.
Theyve got hammers for sale and are trying desperately to convince us all that we have nails sticking up. Feh!
On the other hand... at my workplace one COULD use a USB-drive to boot into a different OS, completely bypass XP's piddling security, and get any file on the machine.
a floppy disc, and can also move the data much more quickly.
The faster one can move larger amounts of data the greater the
risk to security.