Keychain storage drives
Data a-go-go. The threat posed by USB mini-drives has burgeoned during the past year. Plug one of these keychain-size storage devices into a USB port and any information you can access just became portable. Employees can download gigabytes of data off your network and simply walk out the front door. Just 1GB of data is roughly comparable to a pickup truck loaded with documents, notes Dan Geer, vice president and chief scientist at data security vendor Verdasys. Some of these devices can hold up to 60GB. But thumb drives aren't the only form of digital storage media giving CIOs and security executives heartburn. MP3 players and even iPods, the ubiquitous cool gadget of the moment, can be used to download and store any kind of file (not just music).
Marcus Rogers, an associate professor in the Department of Computer Technology at Purdue University, works with the Centre for Education and Research in Information Assurance and Security (CERIAS) to study iPod forensics. "You can have an entire bootable drive on your iPod and, depending on the operating system, you can carry your entire workstation around with you," he says. "Also a lot of times if you hook an iPod to your system it's not going to show up on the network. Because it's at the local machine level it doesn't get an IP address. Only if [security] is doing active probing 24/7 might they find that extra storage device." Rogers notes that the iPod comes with the Windows file system, so the problem isn't limited to Apple systems.
"USB has absolutely exploded in the last year," says Michele Lange, a staff attorney with Kroll Ontrack, which offers software and services for data forensics and electronic discovery. "I've been doing this about four or five years," says Lange, "and I would say that [USB storage devices] are now an issue in a large majority of our cases." Lange adds that most of those cases are employment-related situations where an employee has tried to harm a company by stealing trade secrets. Of course, intellectual property leakage can happen just as easily when one of these tiny drives is lost or stolen.
However, there are steps CIOs and security heads can take. The first is to practise rigorous file security; employees should have access only to the information that they need. But since many employees have access to valuable information, companies have taken steps to deal with the issue more emphatically. Some have chosen to disable all of the USB ports on every system at the BIOS level and have taken away administrative privileges so that savvy users can't re-enable the ports.
Cobb, the privacy book author, says he knows companies that have a locked-down configuration and don't allow the user to change anything. "This can be quite effective on two levels: on a practical level, and on a psychological level by making it clear computers can only be used for company business and won't work if you try to use them for anything else." Some companies have taken more drastic steps. Geer recounts a story of one company that tried to address the problem by filling each USB port with hot epoxy glue (before eventually realizing the impracticality of the strategy - most notably that it would take forever).
CIOs and CISOs have to ensure they're not preventing employees from conducting their regular business duties. USB ports are, after all, there for a reason. USB flash drives are not all bad news either. They can be incredibly useful tools, and some are available with Advanced Encryption Standard (AES) data protection. For an executive who can't live without his USB drive, the best solution might be to provide him with one handpicked by the security team.
Policy also has a role to play here. Dev Bhatt, director of corporate security for Airlines Reporting Corporation (ARC) - a company owned by the airlines that handles aspects of ticketing as well as data and analytical services - has crafted his company's acceptable use and enterprise security policies to focus on the forbidden acts of removing corporate data or connecting an unapproved device, rather than on the device itself. The emergence of new, small, multifunction devices is happening so rapidly that companies must ensure that their policies are broad enough to include emerging technologies. If the policy is too device-specific, the CIO or CSO will end up having to rewrite the rules every few months.