[personal profile] mdlbear
Portable Devices Pose Growing IT Security Threat
Jeff Moss, organizer of the DefCon hacking convention, said the lack of an industry standard for encrypting data on portable drives is hampering efforts to boost the security of such devices.

“Something definitely needs to be done because these devices definitely get lost or stolen or [are] given to friends,” said Moss.

Gotta watch out for those friends, all right. But "an industry standard for encrypting data on portable drives" isn't the solution. What are you going to do? Hand out a 256-bit key with every device? And what will you store the key on?

Joe Gabanksi, network administrator for the city of Lake Forest, Ill., said municipal IT personnel first noticed a problem with portable devices after distributing removable storage devices to employees about two years ago.

Officials hoped to help employees more easily transport data, but found after a scan of the IT environment that a host of unauthorized devices were also linked to the network. At that point, Gabanksi said, the city’s IT managers realized that the unofficial policy of connectivity-at-will needed to be tightened.

“We found considerably more activity on the network than we had ever anticipated,” he said. “We had the iPod, digital music players [and] universal flash drives. We were shocked to see how much end users had already used them.”

Gabanksi said the discovery spurred concerns over how to monitor and manage data coming in and out of his environment. Thus, the city moved to require that users register any devices they wish to connect to the corporate network.

Well, you can lock down every machine on your network so that it won't boot from removable media and so that it encrypts everything it writes to a USB drive or CD-ROM (using some form of obligatory key escrow so that when the machine crashes you don't lose everything it wrote), but that only works within a closed and very tightly controlled organization where hardly anyone has to share data with anyone else. As soon as you want to hand somebody a batch of files on an encrypted drive, you have to deal with key management.

It's a tough problem, all right. I really admire that problem. Thoughts?

Date: 2007-09-12 06:59 pm (UTC)
From: [identity profile] technoshaman.livejournal.com
At my old workplace, we had a quick and dirty but effective solution. We had two outbound links. One was for corporate equipment; the wi-fi for this was encrypted, and I was the guy who lit new ports and connected new equipment to the wired network. The other network was open wi-fi, and connected to the other outbound link, totally physically separating it. Anyone could connect, and since it was basically T-1, and the main building net was 10MBit fiber, nobody cared about stealing bandwidth. Give'em their own private backdoor, let'em suck whatever they want through a smallish straw, and then lock down the main net like Fort Knox.

This doesn't address the question of sharing data outside the company... I'm figuring others will do that. Just wanted to share how we did ours.
