Latest news
Security Risks Associated With Portable Storage Devices
by Lisa Dozois - Originally published in issue 1 of (IN)SECURE Magazine - Monday, 20 June 2005.
Corporate spies are more common that you may think they are and it's a relatively simple task for a dishonest employee or visitor to transfer company phone books, customer lists, product and pricing lists or other sensitive and potentially damaging data to their electronic device before leaving for the day. The profit potential for these wayward employees is huge. You don't have to look any further than the recent case of the AOL employee who sold 93 million AOL members' email addresses to spammers for $52,000 and later sold another list for $100,000, to get an idea of what people are willing to pay for the valuable data that your employees have access to every day.
Short of actually conducting body cavity searches at the employee exit, there is no secure way to ensure that illegally obtained valuable data isn't sharing an employee's commute home. Even with body cavity searches, security personnel could never have the time to thoroughly examine every portable electronic device that employees and visitors carry with them onto the premises every day.
Public corporations that are subject to Sarbanes-Oxley (SOX), as well as those who face the data security and storage requirements of HIPAA and the USA Patriot Act, have even more at risk from spies who have access to easily stolen data. These laws provide for heavy fines, possible prison sentences and even the potential loss of the right to continue operating the business in some instances. How can so much trouble come from such small devices?
Multiple threats require multiple solutions
The easiest way to protect against 99% of the unauthorized use of portable storage devices is to disable or otherwise control the USB port since most devices communicate through USB. However, some devices are capable of using FireWire and infrared technology, so security of those ports must be considered as well.
Methods for securing against USB access range from simply removing or disconnecting the port, to installing special software that is designed to control who has access to USB devices and what these devices are able to do when connected.
Disabling USB access on an Enterprise-wide basis might not be a reasonable approach for some organizations, but at least publicly accessible machines such as those in conference rooms, lobbies and other common areas should be protected.
There are security products available which will alert the network administrator when portable devices are connected and removed from any PC in the network. While the average network administrator cannot possibly monitor these alerts 24/7, especially in organizations where there is widespread usage of these storage devices, logged alerts do provide a good starting point for after-the-fact investigations.
If a USB-disabling or monitoring program is going to be used, then IT managers need to ensure that accommodations are made for USB-connected pointing devices, printers and keyboards. This can be done either by using software which specifically recognizes and allows those devices, or by moving these devices to legacy ports.
Short of actually conducting body cavity searches at the employee exit, there is no secure way to ensure that illegally obtained valuable data isn't sharing an employee's commute home. Even with body cavity searches, security personnel could never have the time to thoroughly examine every portable electronic device that employees and visitors carry with them onto the premises every day.
Public corporations that are subject to Sarbanes-Oxley (SOX), as well as those who face the data security and storage requirements of HIPAA and the USA Patriot Act, have even more at risk from spies who have access to easily stolen data. These laws provide for heavy fines, possible prison sentences and even the potential loss of the right to continue operating the business in some instances. How can so much trouble come from such small devices?
Multiple threats require multiple solutions
The easiest way to protect against 99% of the unauthorized use of portable storage devices is to disable or otherwise control the USB port since most devices communicate through USB. However, some devices are capable of using FireWire and infrared technology, so security of those ports must be considered as well.
Methods for securing against USB access range from simply removing or disconnecting the port, to installing special software that is designed to control who has access to USB devices and what these devices are able to do when connected.
Disabling USB access on an Enterprise-wide basis might not be a reasonable approach for some organizations, but at least publicly accessible machines such as those in conference rooms, lobbies and other common areas should be protected.
There are security products available which will alert the network administrator when portable devices are connected and removed from any PC in the network. While the average network administrator cannot possibly monitor these alerts 24/7, especially in organizations where there is widespread usage of these storage devices, logged alerts do provide a good starting point for after-the-fact investigations.
If a USB-disabling or monitoring program is going to be used, then IT managers need to ensure that accommodations are made for USB-connected pointing devices, printers and keyboards. This can be done either by using software which specifically recognizes and allows those devices, or by moving these devices to legacy ports.
Spotlight
The security of WordPress plugins
Posted on 18 June 2013. | Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection.
Information security executives need to be strategic thinkers
Posted on 17 June 2013. | George Baker, the Director of Information Security at Exostar, talks about the challenges in working in a dynamic threat landscape, offers tips for aspiring infosec leaders, and more.
Large orgs in denial about own security breaches?
Posted on 14 June 2013. | Over two thirds (66%) of large organizations said they either had not experienced a security incident in the last 12-18 months or were unsure if they had.
Vulnerability scanning with PureCloud
Posted on 12 June 2013. | nCircle PureCloud is a cloud-based network security scanning product built upon the companies' vulnerability and risk management system IP360.
Reactions from the security community to the NSA spying scandal
Posted on 11 June 2013. | Read on for comments on this scandal that Help Net Security received from a variety of security professionals and analysts.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
