Risking Everything: The Perils of USB Drives

I often tell this story to my students. Several years ago, a new client approached me, and she was concerned about the recent loss of her company’s financial data. When she provided further details, I learned that she was backing up her Quickbooks files to a thumb drive, and she recently lost her keys; the thumb drive was attached to her keys. As all thumb drives are immediately accessible and unencrypted, her data was unsecured and in the wild. She asked about the password on her QuickBooks file. Unfortunately, I had to explain, that the password that remained on her QuickBooks file could be compromised with dozens of utilities.

But this stuff isn’t purely small business problem. In April 2006, the LA Times reported a story on how US military flash drives – some containing top-secret military information – were being resold in Afghanistan bazaars; one reportedly included the names, address, and social security numbers of over 700 service members. And in 2005, MSNBC reported a data loss of 120,000 patient records from Wilcox Memorial Hospital Kauai, Hawaii. Why? Somebody lost a thumb drive. And by extension, anything that can be used as a portable media drive (like iPods and cell phones) can also put intellectual property and confidentiality at risk.

The whole problem, of course, is convenience. Users love the immediate accessibility to their data anywhere and on nearly any computer. Critically, though, we can see the inherent risk: we are voluntarily taking data out from behind our firewall, stripping it of the user-access permissions used to safeguard its confidentiality, placing the data on an unencrypted volume, and exposing it to other computers outside of our control. So realistically, what you’re looking at is a total bypass of every security measure and safeguard that organizations have built to protect their information assets: firewalls, filters, user access restrictions, auditing controls, anti-virus, computer access restrictions, and data encryption. We risk everything at the sake of convenience. And instantly, the problem of securing the network becomes controlling user behavior and expectations – a problem bigger than programming the most complicated of firewalls.

So how can the small business address this issue? Here’s a couple of ideas to help shape expectations, control for user behavior, and better secure these assets.

1.  Create Portable Media Provisions in Your Acceptable Use Policy (AUP).

Administrative Controls are policies, procedures, and work instructions that dictate management’s intention in the work place. A common expression of management’s intention to control technology assets is through an Acceptable Use Policy. Management should write in their expectations governing portable media and have employees acknowledge their rights and obligations in this area. First and foremost, management needs to say “securing portable media is important and a risk to this company”, and that’s what the AUP is for, but the AUP also sets the expectation for taking procedural countermeasures and for taking employee disciplinary action. The AUP conveys management’s intent. Clearly, management must effectively communicate their intent to control the problem. If the intent is to completely disallow these things on the network

2. Restrict USB Access by Group Policy.

Future network management tools offer some technical controls. The newest release of Microsoft’s Windows Server 2008 has provisions within Group Policies to secure access to removable devices. Unfortunately, this only works with GPO’s within 2008 and it only works with Windows Vista client computers; the settings associated with those GPO’s aren’t translated into Windows XP.

3. Control the USB Port.

Sometimes, though, the best control is a draconian Technical Control that just prohibits the use of the USB port on the computer.  Here’s a good, free tool: USB Blocker for Windows. It’s free and works on any Windows station. A great place to install a utility like this would be on uncontrolled computers (like kiosks, or, temporary workstations). Warning: blocking USB ports like this can incur the wrath of your CEO who simply must be able to sync his Blackberry; not to worry – this software gives you a central administration tool to set variable controls over different workstations on your network, so you can be selectively draconian.

4. Encrypt the USB Drive.

The best offense is a good defense and if you simply must take data away from the safeguards of the centralized system then at least encrypt the drive. A great free tool that I’ve written about before is TrueCrypt. This puts some strong encryption over the thumb drive that is accessible by password; it can be used on any Windows platform.

5. Choose and Offer an Alternative Strategy.

Without a doubt, if management begins taking a stand on these issues and implements sweeping Technical Controls that prevent users from “working”, well, there’s going to be a legitimate complaint from the masses. So the question might become how do you allow for secure access to confidential information while users are mobile? What’s the alternative? The analytical answer to this problem is to perform a study and classify what data should be allowed on portable media and what data can’t be; this could be a form of informed compromise. Another alternative would be to allow secure intranet access whereas the information can still be centrally controlled but not widely distributed.  Finally, another form of control could be from serializing these devices and “checking them out/in” so at least the company is aware when a data loss happens.

In conclusion, it’s really all about controlling risk. If you were to look at this problem in a larger context, it also applies to devices like laptops and minicomputers, cell phones and digital cameras. It’s difficult to fight progress: the digital world is mobile and end-users will expect to be able to work in a mobile condition and have immediate access to personal and private information. That’s a given. However, a few reasonable precautions you can take today can set behavioral expectations and control that risk so it can’t balloon out of proportion. And when you think about how interconnected your business strategy might be to the confidentiality of intellectual property,  paying attention to these problems are more important than ever before.

R

Name (required)

Mail (will not be published) (required)

Website

Notify me of follow-up comments by email.

Notify me of new posts by email.