
October 6, 2004 4:00 AM PDT

Perspective: Who's afraid of portable storage media?

More security advice from an industry analyst doesn't usually rouse much interest. Then why such a stir after the recent Gartner report on threats from portable storage media?

The analyst, Ruggero Contu, simply pointed out that most Windows networks are wide open to unauthorized uploading and downloading activity through the USB port using consumer devices such as cameras and MP3 players with built-in or removable memory. Perhaps it was the mention of banning iPods from the workplace that grabbed the headlines. Or perhaps it was that the report and some of the media coverage that followed presented solutions that seemed drastic, mixed-up, complicated and expensive.

In any case, it unleashed a storm.

Many pointed out that open USB ports are not unlike open device drives--and few corporations, if any, ever banned the use of floppies, CDs or zip drives. A surprising number of the published rebuttals claimed that corporate security measures were becoming too meddling and were ultimately ineffective, and that really nothing could or should be done aside from educating and trusting PC users to do the right thing.

Regarding the first point, I'd agree.

Even Los Alamos National Laboratory didn't ban zip drives in the past. It took multiple incidents of removable drives purportedly loaded with classified information walking out the door before the Department of Energy put new policy in place. But what IT organization would like to be in the defensive position that the University of California is now in with its client, the Department of Energy, over this chain of events? This case also illustrates that the problem does not have to be one of information thieves; well-meaning employees going around with sensitive data on removable storage devices are the source of equal or greater risk.

In the category of poorly chosen measures, there are many "cartoon caper customization" stories: tearing out floppy and CD drives; cutting the wires; squirting glue into USB port openings; even placing system blocks in locked wooden boxes. "Blunt instrument" measures, to be sure. Yet, when you consider both the potential severity and the likelihood of a security breach occurring through an unsecured device port at a local end-point, at least the companies involved recognized there was a problem.

There are more-evolved, easier-to-implement technology solutions that allow system administrators to centrally control the users and times of uploading and downloading through device ports. I wouldn't consider them any more "meddling or impractical" than personal firewalls. By the way, a personal firewall will not protect your network from a threat that walks up to your computer and attacks locally--only when it attacks across the Internet.

Finally, security policy is not meant as a signal to users that they are untrustworthy. It does bring into focus the sensitivity of information and the vulnerabilities of a business and therefore requires enforcement. Someone intent on violating security policy may succeed at thwarting the means of enforcement, but this doesn't mean enforcement is a useless exercise. Like a cone fence around a sidewalk under repair or a turnstile in the subway, it is not so much that the barrier be unbeatable as that it is there.

Just in taking the step to manage access to external memory devices with technology, an IT department is giving weight and substance to its policy. Regarding this threat, the sooner boundaries are set, the better.

Biography
Chernavsky is chief executive officer of AdvancedForce, a distributor of network security, forensics and data integrity control technologies and software.

USB Drives are a BIG Security Concern.
by rclay October 6, 2004 7:54 AM PDT
I have a Mandrakesoft GlobeTrotter (see http://www.mandrakesoft.com/products/globetrotter). This 40 GB USB drive comes with bootable Mandrake Linux. With such a drive I can walk up to any system, insert a CD, plug in the drive and boot the computer into Linux. It then is a simple matter to copy information off of the computer's internal drives, shut down and leave with no trace of my activity. Controlling physical access seems to be the only way to protect against this.
Easy to prevent....
by cbiltcliffe October 6, 2004 8:07 AM PDT
Set the BIOS to boot from the hard drive only. If it can't boot from the HD, it doesn't boot.
Password protect the BIOS, and, using the case lock available on all modern cases, lock the case closed to prevent battery removal.
In the Windows administrator account, use the device manager to disable the USB controller device, preventing any USB stick from being used. Of course, this also affects things like USB printers, but most of the larger small businesses, just about all medium, and every enterprise, will have network printers anyway.
There's probably something I haven't thought of, but try me, and I'll figure out a way to stop it.
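The Device Manager step in this comment, and the column's point that device-port control should be applied centrally by IT rather than by pulling hardware, as an added example that is not from the column or the comment: it restricts only the USB mass-storage class driver (so keyboards, mice and printers keep working) and lists the storage devices Windows remembers having seen. It assumes an elevated PowerShell session on a modern Windows build and uses the standard USBSTOR registry locations; the -Enforce switch is defined by the script itself.

```powershell
# Added example (not from the article or its comments): audit and, optionally,
# enforce a USB mass-storage restriction from PowerShell instead of Device Manager.
# Assumptions: run as Administrator; only the USBSTOR class driver is touched,
# so non-storage USB devices keep working. Does not affect booting from USB,
# which is what the BIOS boot-order and password steps in the comment cover.
param([switch]$Enforce)

$svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$seen = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

# Start = 3 (manual, the default) lets Windows load the driver when a stick
# is plugged in; Start = 4 disables the driver.
$start = (Get-ItemProperty -Path $svc -Name Start).Start
$state = if ($start -eq 4) { 'disabled' } else { 'enabled' }
Write-Host "USB mass-storage driver is $state (Start=$start)"

# Windows keeps a record of every USB storage device that has been connected;
# listing it shows which sticks were used before the restriction was applied.
if (Test-Path $seen) {
    Get-ChildItem -Path $seen | ForEach-Object {
        $dev = $_.PSChildName                     # e.g. Disk&Ven_...&Prod_...
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Device       = $dev
                SerialNumber = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    } | Format-Table -AutoSize
}

# Apply the restriction only when asked to; a device already mounted keeps
# working until it is unplugged, new ones will not mount.
if ($Enforce -and $start -ne 4) {
    Set-ItemProperty -Path $svc -Name Start -Value 4 -Type DWord
    Write-Host 'USBSTOR driver disabled; new USB storage devices will not mount.'
}
```

Run without -Enforce first to see the current state and device history; a local change like this is the per-machine equivalent of the central control the column recommends, so on a domain the same Start value is normally pushed by policy rather than set by hand.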
DRM is probably a better solution
by PlaceHolder October 7, 2004 1:59 PM PDT
Don't forget about Bluetooth... some laptop could send a file to a Bluetooth enabled storage device... And don't forget wireless... New designs from Intel come with access points built in! Enable one of those, and stand outside the building and download data to your heart's content!

As much as it pains me to say it, DRM is *THE* solution here. If the file has sensitive content, it needs to be protected by the company's systems. DRM, when properly implemented, is designed to do exactly this. Any other solution puts you permanently in reactionary mode where you have to deal with the "potential data leak of the day"...
Wrong Wrong Wrong - Problem is Architecture
by dila813 October 9, 2004 7:54 PM PDT
Again, the problem that keeps coming up is the fact that many in the IT profession do not want to deal with the limitations of a single-layer security scheme.
It doesn't work, it won't work, and will never work. Layered security is the only way to go.
The desperation of trying to block a port on a local computer shows the failure of this strategy of one size fits all.
Leave the users alone, fix the network, give it up. Companies must invest in their security even if it means that they will need to have some minimum amount of duplicate infrastructure.
And what about productivity?
by dila813 October 9, 2004 7:58 PM PDT
One track minds, forget it.

So the rest of the business takes a 25% productivity hit while IT maintains its one track mind on security.

Real swell, how long will it be before you are fired?