[personal profile] mdlbear
Portable Devices Pose Growing IT Security Threat
Jeff Moss, organizer of the DefCon hacking convention, said the lack of an industry standard for encrypting data on portable drives is hampering efforts to boost the security of such devices.

“Something definitely needs to be done because these devices definitely get lost or stolen or [are] given to friends,” said Moss.
Gotta watch out for those friends, all right. But "an industry standard for encrypting data on portable drives" isn't the solution. What are you going to do? Hand out a 256-bit key with every device? And what will you store the key on?
Joe Gabanksi, network administrator for the city of Lake Forest, Ill., said municipal IT personnel first noticed a problem with portable devices after distributing removable storage devices to employees about two years ago.

Officials hoped to help employees more easily transport data, but found after a scan of the IT environment that a host of unauthorized devices were also linked to the network. At that point, Gabanksi said, the city’s IT managers realized that the unofficial policy of connectivity-at-will needed to be tightened.

“We found considerably more activity on the network than we had ever anticipated,” he said. “We had the iPod, digital music players [and] universal flash drives. We were shocked to see how much end users had already used them.”

Gabanksi said the discovery spurred concerns over how to monitor and manage data coming in and out of his environment. Thus, the city moved to require that users register any devices they wish to connect to the corporate network.
Well, you can lock down every machine on your network so that it won't boot from removable media, and encrypts everything that it writes to a USB drive or CD-ROM (using some form of obligatory key escrow so that when the machine crashes you don't lose everything it wrote), but that only works within a closed and very tightly-controlled organization where hardly anyone has to share data with anyone else. As soon as you want to hand somebody a batch of files on an encrypted drive, you have to deal with key management.

It's a tough problem, all right. I really admire that problem. Thoughts?

Date: 2007-09-12 06:59 pm (UTC)
From: [identity profile] technoshaman.livejournal.com
At my old workplace, we had a quick and dirty but effective solution. We had two outbound links. One was for corporate equipment; the wi-fi for this was encrypted, and I was the guy who lit new ports and connected new equipment to the wired network. The other network was open wi-fi, and connected to the other outbound link, totally physically separating it. Anyone could connect, and since it was basically T-1, and the main building net was 10MBit fiber, nobody cared about stealing bandwidth. Give'em their own private backdoor, let'em suck whatever they want through a smallish straw, and then lock down the main net like Fort Knox.

This doesn't address the question of sharing data outside the company... I'm figuring others will do that. Just wanted to share how we did ours.

Date: 2007-09-12 08:03 pm (UTC)
From: [identity profile] johno.livejournal.com
My $employer is just starting to realize the ramifications of this.

But they have a major issue with stopping it.

Virtually all the IT folks have usb dongles hanging off their lanyards already. And as reported, there are many music devices that look like USB devices and other larger portable drives and such.

Worse, as I've been having many appointments lately, I've seen many medical personnel with them as well.

Date: 2007-09-13 01:27 am (UTC)
From: [identity profile] eleccham.livejournal.com
Well... there's really three separate problems there.

First is the issue of users bringing in "tainted" data - viruses, trojans, pirated software, whatever. That's in theory manageable with scanners and "desktop management" (aka clever snooping) software... but difficult.

Second is the issue of people accidentally carrying out proprietary data and then losing the media. That's a tougher one.

Third is someone intentionally removing proprietary data. That one is really, really hard... because as you note, if it talks to the outside world, you can send whatever you want through it.

I think IT departments have a tendency to try to tackle these as a single problem, and that's part of it. The third, really, you can't stop, certainly not without "military" levels of policy... and for anyone else, it's not an IT problem, it's an HR problem. That leaves the second - and forget about external drives; I can download whatever I want from my company via the VPN and store it wherever.

I'm interested in whatever brainstorms people come up with, of course, given where I work.
