2.01.2008

Keep an eye on those flash drives – and USB ports

USB ports, as any IT security expert can tell you, are trouble just waiting to happen. Sure, they’re fine for keyboards and mice. However, think about the other things that can be plugged into them, like portable storage devices ready to hoover your data.

I was fascinated by Andrew Binstock’s recent post regarding the internal USB ports on enterprise workstations. Those ports are designed for applications that use dongles. The problem with dongles is that they easily fit into a pocket. But if you lock the dongle inside the computer, it’s less likely to fall into the wrong hands, or the wrong pocket.

USB-based flash drives are potentially even more dangerous than stolen dongles, as shown by a new study from the Ponemon Institute. This study was commissioned by and paid for by RedCannon Security, whose PR agency sent me the results. RedCannon sells stuff to secure USB flash drives. They paid for this study in order to drum up business.

With that said…

According to the study, 87% of respondents say that their company’s policies forbid them from copying unprotected sensitive information onto a USB flash drive. However, 51% say that they have copied confidential info onto a flash drive — and 57% believe that other employees routinely use flash drives to store and move confidential info.

What’s so bad about that? Even assuming that all the employees are behaving totally above-board… 28% of respondents say that a flash drive has been either lost or stolen. The study doesn’t ask, unfortunately, how many respondents have lost a flash drive that contains confidential, proprietary or sensitive info.

Even so, a challenge is that flash drives frequently are used to back up information, to bring information home (to work on it), and to share information with other people. That came up last week, in fact, when I was in my New York office… the fastest way for one of our staff to give me some files was to copy them onto a flash drive.

Those files are still on the flash drive, which is in my briefcase. But what if it fell out? What if someone stole my briefcase?

Now, had those files been confidential (they weren’t), and I were to lose the flash drive, that would be a bad thing. Or what if I then reused that flash drive to give different data to someone else… and that person also copied those “confidential” files? The potential for inadvertent data loss is obvious. And that’s assuming no malicious intent.

With malicious intent, every USB port (and Firewire port) is a potential hole that an attacker can exploit to steal data, corrupt files, or plant malware.

Do you have policies and measures in place to prevent the copying of confidential data onto portable storage devices, and for securing USB ports? If not, you should.

1 comment:

Marko Broz said...

This is a very interesting write-up. But I think I get the point. Some files are not meant for the public to see so protecting them is a must, especially when they are in flash drives. It can be stolen and copied without the owner's permission so be sure to keep a close watch on those devices. - Marko

About Me

Co-founder and editorial director of BZ Media, which publishes SD Times, the leading magazine for the software development industry. Founder of SPTechCon: The SharePoint Technology Conference, AnDevCon: The Android Developer Conference, and Big Data TechCon. Also president and principal analyst of Camden Associates, an IT consulting and analyst firm.