It seems that nearly every new electronic device on the market today comes equipped with data storage and transfer capabilities. From USB sticks to smart phones, MP3 players to hand-held PCs and iPods, the portability of data has reached new levels of simplicity as the prices of these devices continue to fall while storage capacities continue to rise.
There is no question that USB Flash Drives and their electronic counterparts are a valuable addition to the road warrior’s toolbox. The ability to easily transport data between client and company sites, not to mention taking work home for the weekend, make these devices almost irresistible.
Portable storage devices are also handy for making quick backups of important documents and even system registry files. Unlike CD/ROM disks, the stored data can be edited and saved over and over again.
Yes, today’s portable personal storage devices have revolutionized the concept of “sneaker net”, but are the rewards worth the risks?
These electronic conveniences have created a nightmare for data security managers and have spawned an entire sub industry that is aimed squarely at portable data storage security.
Old Risks and New
Portable data storage devices provide the same functionality as floppy disks, hard drives and CD/ROM and, therefore, are subject to the same virus and spyware risks as their more traditional counterparts. This is a particularly onerous threat for organizations that allow their employees to transfer data between company and home or remote computers.
While most threat-savvy IT departments have complete virus and spyware protection enabled within the enterprise, most organizations have little control over the protection of employees’ home computers or computers that employees use at client and vendor sites. With new virus and spyware threats appearing every day, it is entirely possible that the organization’s anti-virus and spyware systems may be unaware of the latest threat which has just been introduced by an employee.
Portable storage devices are also subject to your standard day-to-day perils such as mechanical or electronic failure, damage from being dropped or being exposed to harsh environmental conditions or just plain getting lost or stolen. The latter two circumstance create a whole new threat level if sensitive data happens to be stored on the missing device.
The term “Business Intelligence” takes on a new and dark meaning when the stealth capabilities of portable storage devices are factored into the equation.
Corporate spies are more common that you may think they are and it’s a relatively simple task for a dishonest employee or visitor to transfer company phone books, customer lists, product and pricing lists or other sensitive and potentially damaging data to their electronic device before leaving for the day. The profit potential for these wayward employees is huge. You don’t have to look any further than the recent case of the AOL employee who sold 93 million AOL members’ email addresses to spammers for $52,000 and later sold another list for $100,000, to get an idea of what people are willing to pay for the valuable data that your employees have access to every day.
Short of actually conducting body cavity searches at the employee exit, there is no secure way to ensure that illegally obtained valuable data isn’t sharing an employee’s commute home. Even with body cavity searches, security personnel could never have the time to thoroughly examine every portable electronic device that employees and visitors carry with them onto the premises every day.
Public corporations that are subject to Sarbanes-Oxley (SOX), as well as those who face the data security and storage requirements of HIPAA and the USA Patriot Act, have even more at risk from spies who have access to easily stolen data. These laws provide for heavy fines, possible prison sentences and even the potential loss of the right to continue operating the business in some instances. How can so much trouble come from such small devices?
Multiple threats require multiple solutions
The easiest way to protect against 99% of the unauthorized use of portable storage devices is to disable or otherwise control the USB port since most devices communicate through USB. However, some devices are capable of using FireWire and infrared technology, so security of those ports must be considered as well.
Methods for securing against USB access range from simply removing or disconnecting the port, to installing special software that is designed to control who has access to USB devices and what these devices are able to do when connected.
Disabling USB access on an Enterprise-wide basis might not be a reasonable approach for some organizations, but at least publicly accessible machines such as those in conference rooms, lobbies and other common areas should be protected.
There are security products available which will alert the network administrator when portable devices are connected and removed from any PC in the network. While the average network administrator cannot possibly monitor these alerts 24/7, especially in organizations where there is widespread usage of these storage devices, logged alerts do provide a good starting point for after-the-fact investigations.
If a USB-disabling or monitoring program is going to be used, then IT managers need to ensure that accommodations are made for USB-connected pointing devices, printers and keyboards. This can be done either by using software which specifically recognizes and allows those devices, or by moving these devices to legacy ports.
Some IT managers have taken a “cast a wide net” approach by completely disabling the Windows “Plug and Play” setup options on deployed machines after their initial configuration. This creates additional work for the PC support group when authorized hardware needs to be installed later, but it is effective in controlling what users can and cannot add to their machines.
At the very minimum an organization needs to implement an automatic PC “lock down” policy which ensures that unattended PCs drop into “password required” mode after some defined period of activity. That “defined” period is open to interpretation, but the shorter the period of time, the better.
Beyond the physical “Lock and Key” approach
If organizations that are subject to SOX or other federal requirements must issue portable storage devices to key personnel in order for them to fulfil their job responsibilities, then there are devices which come equipped with internal security protection available such as biometrics identification, secure password schemes and encryption methodologies.
Get it in writing
While a written data security policy won’t do much for stopping willful illegal activity, and it won’t make any of your users smarter when it comes to installing protection on their home computers, it does give you a leg to stand on when it comes to taking either disciplinary or legal action against violators when warranted.
At a minimum, your portable storage security policy should address these issues:
- Define who is permitted to use portable data storage devices and what types of data are permitted to be stored on these devices.
- Establish rules for vendors and visitors who want to attach devices during presentations or visits to the organization.
- Establish virus and spyware protection standards for employees who use home or off-premise computers.
- Establish password and data encryption standards for portable storage devices.
- Establish a reporting procedure for notifying a responsible party in the event that a portable data storage device is lost or stolen.