Security Risks Associated With Portable Storage Devices
by Lisa Dozois - Originally published in issue 1 of (IN)SECURE Magazine - Monday, 20 June 2005.
Public corporations that are subject to Sarbanes-Oxley (SOX), as well as those who face the data security and storage requirements of HIPAA and the USA Patriot Act, have even more at risk from spies who have access to easily stolen data. These laws provide for heavy fines, possible prison sentences and even the potential loss of the right to continue operating the business in some instances. How can so much trouble come from such small devices?

Multiple threats require multiple solutions

The easiest way to protect against 99% of the unauthorized use of portable storage devices is to disable or otherwise control the USB port since most devices communicate through USB. However, some devices are capable of using FireWire and infrared technology, so security of those ports must be considered as well.

Methods for securing against USB access range from simply removing or disconnecting the port, to installing special software that is designed to control who has access to USB devices and what these devices are able to do when connected.

Disabling USB access on an Enterprise-wide basis might not be a reasonable approach for some organizations, but at least publicly accessible machines such as those in conference rooms, lobbies and other common areas should be protected.

There are security products available which will alert the network administrator when portable devices are connected and removed from any PC in the network. While the average network administrator cannot possibly monitor these alerts 24/7, especially in organizations where there is widespread usage of these storage devices, logged alerts do provide a good starting point for after-the-fact investigations.

If a USB-disabling or monitoring program is going to be used, then IT managers need to ensure that accommodations are made for USB-connected pointing devices, printers and keyboards. This can be done either by using software which specifically recognizes and allows those devices, or by moving these devices to legacy ports.

Some IT managers have taken a "cast a wide net" approach by completely disabling the Windows "Plug and Play" setup options on deployed machines after their initial configuration. This creates additional work for the PC support group when authorized hardware needs to be installed later, but it is effective in controlling what users can and cannot add to their machines.

At the very minimum an organization needs to implement an automatic PC "lock down" policy which ensures that unattended PCs drop into "password required" mode after some defined period of activity. That "defined" period is open to interpretation, but the shorter the period of time, the better.

Beyond the physical "Lock and Key" approach

If organizations that are subject to SOX or other federal requirements must issue portable storage devices to key personnel in order for them to fulfil their job responsibilities, then there are devices which come equipped with internal security protection available such as biometrics identification, secure password schemes and encryption methodologies.

Get it in writing

While a written data security policy won't do much for stopping willful illegal activity, and it won't make any of your users smarter when it comes to installing protection on their home computers, it does give you a leg to stand on when it comes to taking either disciplinary or legal action against violators when warranted.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th