|
 |
USB
Flash Drives: Useful Device or Security Threat?
|
|
USB Flash drives are pocket sized ultra portable storage
devices (about the size of a highlighter pen) that hold
8Mb - 1GB of data that can be
instantly accessed from any PC with a USB port.
The introduction of these devices into corporate networks offers
users a convenient alternative to floppy disks and ZIP drives,
but also they present a security challenge to network administrators.
You don't have to be an administrator to use one of these
devices in Windows 2000/XP, and you can't manage USB devices via
Group Policy. Are USB Flash Drives a useful tool
for sharing data, or a way for malicious users to bypass network
security policies and put your data at risk? |
| Home
> Security |
| |
|
|
An
introduction to Flash Drives
If
you're fed up with floppy drives, ZIP disks, and
CD-R's as a removable storage medium for
transporting your files, you'll love USB Flash
drives. Think of it as a floppy disk on steroids -
except it's not a disk. Flash drives are small
solid state memory sticks that are about the size
of a highlighter pen and can hold anywhere from
1Mb to 1GB of data. They're incredibly light
weight, very portable (some models function as
keychains) and they are compatible with any PC equipped
with a USB port and running
Windows 2000/XP, Mac OS 9-10X or Linux 2.4.17.
(Windows 9x PC's require a one time driver
installation). USB Flash Drives have fast transfer rates
(1Mb/sec), no moving parts, and they don't require
a separate power source or batteries. Just stick the flash
drive into the USB port of your PC and Windows
plug and play will immediately see it as an
additional drive. Then copy the files you need to
take with you, unplug the device from the PC and
you're ready to go. Flash drives hold more data
than a floppy, are more portable than ZIP drives
and other remote storage devices, and more convenient
(and less fragile) than CD-RW disks. In
short, USB Flash Drives may just be the perfect
removable storage medium. And they're affordable.
(Current prices range from $30 for a 16Mb module to
$159.00 for 256Mb) |
Sony's
MicroVault
|
|
The
Upside
For users and
administrators, USB Flash Drives have a thousand uses.
You can transport large files with you to a colleague's
or client's remote office and access the data without
worrying about compatibility. Employees can take work
home with them, or travel with just their data instead
of lugging a laptop around. And unlike a CD-R disk, you
can edit the document or data stored on the Flash Drive
as many times as you like. Administrators and help desk
personnel can use Flash Drives as a portable toolkit
that includes recovery tools, drivers, system updates,
and diagnostic utilities. You can also backup files (or
a user's registry) to the Flash Drive before editing the
live version. Because these devices have no moving
parts, they're more durable than other forms of removable
media in environments that produce a lot of dust or
humidity. Our demo even survived a cycle in the laundry
with the data intact!
The Dark
Side
As Alfred Nobel found out, whatever can be used for good
can also be used for evil. And in this case, the USB
Flash Drives small size and large storage capacity can
make it a dangerous tool in the wrong hands. You don't have to
be an administrator to install one of these devices in
Windows 2000/XP, and you can't manage USB devices via
Group Policy. These
devices present two primary threats to your network: the
introduction of malicious software and data theft/loss.
And short
of disabling all of the USB ports in your environment,
they are impossible to defend against.
- Viruses
In the 1980's, floppy disks where the
primary vector for spreading computer viruses
because that is how most people shared data. In
the late 80's and early 90's, Bulletin Board
Systems (BBS) became the primary source for
infections. After 1995, almost all new viruses
where being spread via e-mail, or by sharing files
over the web. Network administrators have been able
to respond to this threat by installing antivirus
software on their e-mail servers and restricting
internet sites on their firewalls, but the use of
USB Flash Drives can bypass these safeguards
entirely. Users can either bring in infected
documents from home, or take home a business
document to an infected PC, update it, and return
it to a corporate file server. Unless your
antivirus policies are very aggressive, and you
actively scan all files stored on your network,
Flash Drives can present a new vector for computer
viruses that is nearly impossible to defend
against. Most AntiVirus software operates
"reactively" to threats and can only
identify viruses that have been previously
identified. A virus writer could theoretically
"seed" a corporate environment with a
few of these devices preloaded with a new virus in
the hopes that a curious user will pick it up, and
look at (open) the files on it making your company
company ground zero for the next worldwide
outbreak.
- Malicious
software
In addition to viruses, users could bring in
unauthorized software or data files from home that
didn't previously fit on a floppy disk. This
includes shareware programs, software pranks, MP3
files, video clips, pornography, and other
inappropriate files that affect productivity and
violate corporate policies. Even worse is the
prospect of spyware or keystroke loggers that
could enable users (or worse hackers) to capture passwords
or other sensitive information.
- Data Theft
Corporate espionage is a largely underreported
problem in the United States and Europe, and your
company doesn't have to be a defense contractor to
be a target. Hackers, corporate spies, and
disgruntled employees steal data everyday, and in
many cases these are crimes of opportunity. With a
Flash Drive, an opportunity becomes any unattended
and unlocked PC with a USB port. A little social
engineering can give a hacker physical access
to a corporate PC long enough to steal data, or
plant spyware. Disgruntled employees can take
home client lists, sales forecasts, or
research data in a few minutes. (At 1/Mb per
second, a user can copy a 120Mb file to a flash
drive in 2 minutes.)
|
- Data
Loss
The portability of these USB Flash Drives
also opens another door - the potential for
lost data that could fall into the wrong
hands. Most of these devices have little
or no security features and if you happen to
lose your Flash Drive during your morning
commute, anyone you picks up the device may
be able to access data on it. These devices
can also be quickly stolen off a desk, or
"borrowed" and later returned to
the office once
the data has been copied. Vendors have
begun responding to this problem by
manufacturing Flash Drives with built in security
features. Sony's
MicroVault comes with free software that
allows you to create a password protected
security zone that can protect up to 80% of
the available space on the device. (We use
the extra unsecured space to include a text
file with our contact information in case
the device is lost.) Trek's
Thumbrive Touch model integrates
biometric security by including a
fingerprint reader sensor that performs
enrollment and verification of the user. DiskonKey's
Flash Drive features an ARM7 32bit
processor that acts like a mini-PC and
offers data encryption. All this security
comes at a price - some of these devices are 2 to 10
times the price of a standard unsecured
flash drive.
|
Treks
Thumbdrive Touch Model with Biometric fingerprint
scanner |
|
|
Protecting
your Network
Restricting these
devices in your environment will be next to impossible.
USB Flash Drives are getting cheaper every day and will
probably be in the $5 -$20 range in the next few years.
Their small size allows for easy concealment anywhere on
the body or in a bag. When held in the palm of our hand, we even
managed to get our Sony MicroVault through a metal
detector without incident. So what can you do about USB flash drive security?
- Educate your
users
Flash Drives are already the "must
have" toy for the gadget junkies, and as
prices continue to fall, they'll probably become
the premium corporate promotional giveaway of
choice. You can't stop the tide, but you can
educate your users early on as to the risks these
devices can present, and establish a policy for
taking data out of the office, or bringing files
in from home.
- Educate your
security personnel
If your security guards caught an
unauthorized person walking through your corporate
offices, would they know what to look for? Flash
Drives are so small and unobtrusive, they are
easily concealed and could even slip by unnoticed
in plain sight. The people in charge of physical
security for your environment need to know what
these devices look like, how they work, and what
risks they present. You may also wish to consult
your legal department as to the legalities of
searching and seizing these devices if found.
- Enforce the
lock desktop policy
Many companies already configure their
desktops to automatically lock when unattended for
a few minutes, but often this interval is set
anywhere from 10 - 20 minutes. In higher risk
environments this should be 5 minutes or less. Yes,
it's annoying and your users will hate it for the
first few months, but it's essential for any
workstation where a user account has access to
sensitive data.
- Update the
antivirus policy
You should configure antivirus software to
scan all attached drives and removable media,
and get your users into the habit of scanning
files before opening them.
- Use only
secure devices
If your company issues these devices to employees
or approved them for purchase, make sure you
include devices with security features for users
that have access to potentially sensitive data.
(accounting, payroll, legal, sales, R&D, etc.) Make sure to use encrypted usb drives for crucial data.
Be sure to enforce the use of the security
features in these devices and train your users if necessary.
- Include return
information
In the event your flash drive is lost or
misplaced, including a small readable text file
that includes return information could help you
get it back. You may want to consider NOT
including your company name in the file, and
simply refer to a phone number or P.O. Box. You
may also want to include a legal disclaimer that
clearly identifies the information on the drive as
confidential and protected by law.
- Restrict the
USB ports on desktops
You can't manage USB devices using Group Policy in
Windows 2000/XP, but you can disable the USB ports
or use a 3rd party tool called SecureNT.
When disabling USB ports, you'll need to make sure any peripherals in
use (such as keyboards, mice, PDAs, and scanners)
use legacy ports instead of USB ports. In most corporate
networks, printers are assigned to specialized
network print servers and may not be an issue. A
more feasible compromise would be to only lock out desktops that have
access to sensitive data, or are in areas
accessible to the public.
(i.e. a bank's branch office PCs should
have USB ports disabled, but the secured corporate
office is less of a risk.) SecureWave's
SecureNT software allows
businesses to control end-user access to I/O
devices such as the floppy drive, Memory-sticks,
PDAs, USB external storage, CD-ROM, serial and
parallel ports, as well as many other Plug and
Play devices.
|
|
|
|
|
 |
Send
us your feedback!
If
you have any questions, comments, or suggestions
that would help us improve this page, please drop
us a line and let us know! |
|
|
|
