Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Towards a Comprehensive USB Flash Drive Policy?

Cliff posted more than 9 years ago | from the time-for-a-usb-device-blacklist dept.

Security 121

sconeu asks: "The company I work for is going through some growing pains. This is a -good- thing, but due to the growth, some changes are necessary. I'm the guy who does IT and IT policy, however I'm actually a developer by job description -- I was doing IT on the side. Anyways, we're going through growth, and one of the things we are trying to address is security. Currently, our policy is wide-open (for internal machines). The owner has expressed some reservations about the increasing use of flash drives, in an overall security setting. Everyone involved here realizes that there's not much we can do against a malicious employee, but we're looking to avoid accidental data loss from USB sticks, and other solid-state storage media. Has anyone on Slashdot dealt with this issue? What policies and protections did you end up putting in place, if any?"

cancel ×

121 comments

Sorry! There are no comments related to the filter you selected.

Floppies? (1)

quadong (52475) | more than 9 years ago | (#13223886)

I don't understand why this is a new challenge. Why can't existing policies regarding floppy disks simply be applied to this?

Re:Floppies? (1)

fastduke (694682) | more than 9 years ago | (#13223903)

or CDR and DVDR

Re:Floppies? (1)

ReidMaynard (161608) | more than 9 years ago | (#13223908)

Damnit Dong, I like the cut of your jib.

Meeting over. Happy hour!

Re:Floppies? (1)

AmigaBen (629594) | more than 9 years ago | (#13224366)

Everyone commenting on this subject seems to be whining about this being nothing new. It's just like floppies!

How many floppies have you seen that can act as a wireless network adapter?

Re:Floppies? (1)

takeya (825259) | more than 9 years ago | (#13224435)

How many wireless network adapters have you seen that you can transfer 128MB of secret files to?

Granted,it's probably more than the number of floppies that can be wireless nics, as I counted zero.

Re:Floppies? (1)

AmigaBen (629594) | more than 9 years ago | (#13224543)

Huh? I think you missed the point somewhat, but I'll reply anyway.

A wireless network adapter cannot store 128M of "secret files", no. But it can transfer them elsewhere in a minute or so.. And possibly give more network access than you ever intended in the meantime, as well.

Re:Floppies? (1)

erlenic (95003) | more than 9 years ago | (#13224900)

The original submitter is looking for a policy on USB flash drives. That has nothing to do with network adapters. I would hope the users don't have permissions to setup a new network adapter.

Re:Floppies? (1)

pyrrhonist (701154) | more than 9 years ago | (#13224993)

How many wireless network adapters have you seen that you can transfer 128MB of secret files to?

Dood! [sandisk.com]

Re:Floppies? (2, Insightful)

UncleBex (176073) | more than 9 years ago | (#13224670)

I'm not sure why it should matter at all. If you are already resigned to the fact that a malicious person would still be able to do something or steal data, then why punish other individuals who use USB storage devices for the hypothetical Forces of Good. In my organization, we have several users who use USB sticks so that they can take their work home with them and we're supposed to encourage/enable them to do it (as the Admins).

But for what it's worth, we are not a bank or the military, so our policies reflect the laid back nature of our organization.

Re:Floppies? (1)

kcb93x (562075) | more than 9 years ago | (#13227881)

No, what he's saying is that they realize they can't do much to stop malicious intent, but they're trying to make sure that since they will be using the Solid State Drives, they want a policy that will make sure that the critical data isn't on the USB devices, that tend to have a relatively high failure rate (and/or don't normally get backed up)

In the Government (1)

PhilippeT (697931) | more than 9 years ago | (#13223904)

Well at least my department anything that could be used as a mass storage device is forbidden. It would have been much easier for them to disable the USB ports as out keyboards and mice still all have PS/2 connectors or USB to PS/2 converters.

Re:In the Government (1)

metamatic (202216) | more than 9 years ago | (#13224699)

Well, not everyone can afford to ban laptops and mobile phones, CD-Rs and CD-RWs, and cripple the USB ports on their machines. Some organizations like to, you know, get work done.

Re:In the Government (1)

UncleBex (176073) | more than 9 years ago | (#13224704)

This is a bit misleading, as not all parts of the "Government" have a policy such as this. All of the work that we do in my "Goverment" organization is availiable via FoIA requests, so in general we don't limit our users with stupid policies regarding USB sticks.

Re:In the Government (1)

Datoyminaytah (550912) | more than 9 years ago | (#13225255)

> Well at least my department anything > that could be used as a mass storage > device is forbidden. Check your brain at the door... :)

Re:In the Government (1)

Datoyminaytah (550912) | more than 9 years ago | (#13225297)

Oopsies.

> Well at least my department anything
> that could be used as a mass storage
> device is forbidden.

Check your brain at the door... :)

Re:In the Government (1)

Mooga (789849) | more than 9 years ago | (#13225535)

USB cards aren't only used to "store" data. I have several and I rarely use them simply to "store" data. I use it for moving information. Whether that's a paper for school or a huge power point or several programs for a friend's computer. In business, USB cards can be very helpful. I know that my dad uses email to transfer information back and forth. However, if you have a huge presentation with lots of media in it, e-mail doesn't cut it. E-mailing a 500mb file is not an easy task. So what do they do? They put it on a USB drive and give them the card or if it's long distance, over-night it. My dad also gets a ton of these cards as free give-a-ways from companies so it's not like they are rare. But with the prices of these cards dropping lower and lower, they can be used as very useful tools. At school I often lent it to people who simply wanted to copy a jpg from one computer to another. USB cards can often be faster then copying over a network, especially if you have to log in especially for it. At school, there wasn't even an easy way to share files, most people resulted to email.

Some Advice (1)

hahiss (696716) | more than 9 years ago | (#13223906)

Two bits of advice:

1) Watch out for hot women with stainless steel thermal mugs; they'll have a USB drive in the false bottom of the mug.

2) Don't trust anything Al Pacino tells you about your father's service in the CIA or your mission.

Re:Some Advice (0)

Anonymous Coward | more than 9 years ago | (#13224441)

That had me laughing down the street.

policy proxification (1)

Gherald (682277) | more than 9 years ago | (#13223907)

> "Currently, our policy is wide-PrivoxyWindowOpen(for internal machines)"

Does this cut down on the ads and spyware for you, too? ;)

Re:policy proxification (0)

Anonymous Coward | more than 9 years ago | (#13224192)

Hey, I think your privoxy failed it. The blurb doesn't say that.

Re:policy proxification (0)

Anonymous Coward | more than 9 years ago | (#13224538)

It is just a mildly humorous side effect. Go back to whatever stoic land you came from..

Rather draconian, but ... (0)

Anonymous Coward | more than 9 years ago | (#13223937)

In my company (I'm a second-level helpdesk tech for a large multinational tech company), USB flash / disc devices are outright banned. It doesn't prevent people from bringing them in and using them though. *sigh*

Re:Rather draconian, but ... (1)

metamatic (202216) | more than 9 years ago | (#13224729)

So do you also ban mobile phones, laptops, CD-Rs and CD-RWs, and so on?

If not, my guess is that users see the rule as the kind of stupid, inconsistent and obstructionist policy it is, and therefore decide not to obey.

Rules need to be seen as fair and reasonable if they're going to be obeyed.

Re:Rather draconian, but ... (2, Insightful)

ndansmith (582590) | more than 9 years ago | (#13224753)

Yes, and the advancing technology of USB flash drives has made it easier to conceal them in other objects. For example, I have a friend at my school who has a watch which doubles as a 256MB USB drive. The connector and a short cable are hidden on the under-side of the band. Pretty tough to stop USB drives when they can be combined with common items, unless you want to have a company-wide strip-search policy . . .

Re:Rather draconian, but ... (1)

dariuscardren (826733) | more than 9 years ago | (#13225743)

Depending on who in the company was doing such searches, and if the stripped as well it may be fun ;)

I can seen in now:
We have hired a few strippers to insitute our new policy, of strip searches, we didn't want you to feel uncomfortible being the onlyoe naked at the time.

Re:Rather draconian, but ... (1)

John Harrison (223649) | more than 9 years ago | (#13228005)

If the question is one of security rather then one of keeping track of files, then you can disable the drivers for USB flash drives. There was a previous Ask /. about this, and I'm too lazy to look it up for you.

If the issue is keeping track of files as the original post implied, then the answer is one of training. Don't store anything long-term on removable media such as floppy drives or flash drives. (I'm ignoring backup solutions such as tape drives fo rthe moment.) Use flash drives as a convenience to walk files from one computer to another, not to store anything critical.

Appropriate Technology (1)

rueger (210566) | more than 9 years ago | (#13223944)

Revert to 486 machines and Windows 95. NO USB, no problem!

Hmmm... still have those floppy discs to deal with though....

Audit requirements are a bitch (2, Insightful)

kyouteki (835576) | more than 9 years ago | (#13223947)

I work at a bank, which of course has some pretty stringent security policies. It's pretty simple here: USB is disabled in the BIOS. It can be enabled by special request (usually for execs and their PDAs) and in such cases, we disable USB2.0 (just 1.1), require stronger passwords on the workstation, and have a screensaver set to lock the PC after 3 minutes of inactivity. This doesn't mean we don't have problems from enthusiuastic users that know how to change BIOS settings, but for the most part, problems were avoided.

Re:Audit requirements are a bitch (1)

PhilippeT (697931) | more than 9 years ago | (#13224022)

This doesn't mean we don't have problems from enthusiuastic users that know how to change BIOS settings, but for the most part, problems were avoided.
Why not lock the bios?

Re:Audit requirements are a bitch (2, Insightful)

kyouteki (835576) | more than 9 years ago | (#13224072)

Now, that's a very good question. I asked this myself when I first started working here. The fact of the matter is, in a 2000+ workstation environment where passwords need to change every 90 days, that's unrealistic. United States Banker's Law requires all passwords used to have a minimum level of complexity and for them to be changed every 90 days. We're fine if there isn't a password there, since the BIOS is not required to be protected, but if there was a password, it would have to be changed every 90 days.

Re:Audit requirements are a bitch (1)

PhilippeT (697931) | more than 9 years ago | (#13224113)

Thank god I'm Canadian... but realistically it should be put forth that the law be amended to state when password can be changed without requiring such a massive downtime/human labour. In other words excluding the BIOS but not excluding things like windows passwords as those can be simply set to expire and have criteria for the new password.

Re:Audit requirements are a bitch (1)

duffbeer703 (177751) | more than 9 years ago | (#13224425)

Do you want your credit information potentially stored on insecure desktops that any yahoo can compromise?

If you need to rotate BIOS passwords every 90 days, buy PCs that allow that capability. IBM/Lenovo PCs allow remote BIOS changes and upgrades, for instance.

Re:Audit requirements are a bitch (1)

TykeClone (668449) | more than 9 years ago | (#13224217)

Which reg?

If you want to exclude BIOS passwords from your policy, aren't you free to do so?

Driver? (1)

abrotman (323016) | more than 9 years ago | (#13223971)

I'm not sure if windows would freak out or not, but couldn't you just remove the usb mass storage driver from the system?

What's needed is software that limits USB... (1)

Futurepower(R) (558542) | more than 9 years ago | (#13224023)


What's needed is software that limits USB and other connections to those that are allowed. Such software exists, but is expensive. Here is software [newsoftwares.net] that is less expensive than packages I've seen, but the web site is so sloppy I lack confidence in it.

Re:What's needed is software that limits USB... (1)

rdieter (112462) | more than 9 years ago | (#13224741)

I thought WindowsXP Group Policy already included policies related to removable media.

760 policies in Windows 2000, more in Windows XP (1)

Futurepower(R) (558542) | more than 9 years ago | (#13226618)


Sounds very possible. A Microsoft technical support representative told me that there are 760 policies in Windows 2000, more in Windows XP. So, I'm not about to look. My guess is that the Windows policies are too crude to be effective in cases where you sometimes want to use the USB port for something authorized.

Re:What's needed is software that limits USB... (1)

jhoger (519683) | more than 9 years ago | (#13226551)

Well I didn't notice a mention of OS, but...

How about a kernel compiled without USB drivers. Hmm... while we're at it probably should remove serial port drivers, parallel port driver (backpack cdrom writer uh-oh) cd writer drivers, sound card drivers (the analog hole eek!), network drivers (don't want a hole through which data could escape to another machine which DOES have USB) and probably we won't be needing video drivers, because if you have those, then the employee might look at the company secrets on the monitor and assimilate them into their "brain" and OMFG WALK OFF WITH THEM.

There's nothing you can do. It's stupid to try. There are any number of ways to steal data electronically if an employee wishes to do it. If it's happening by accident maybe you could do random searches on exit of the premises (please, though be egalitarian... the execs should actually be the first to be searched since they have the most important data). Oh yeah, and fire the first poor soul that walks out with any data storage media with company data on it.

A few employees getting busted and the news will spread. People will be very careful about where the data ends up if they understand the policy AND that it is going to be enforced.

This is a human problem, unfortunately you can't solve every problem with technology. Attempting to do so will just interfere with hardworking creative techies who are actually just trying to get their work done efficiently.

-- John.

Re:What's needed is software that limits USB... (1)

aywwts4 (610966) | more than 9 years ago | (#13227376)

Dude, did you even read the effing summary?

quite clearly "Everyone involved here realizes that there's not much we can do against a malicious employee, but we're looking to avoid accidental data loss from USB sticks, and other solid-state storage media. Has anyone on Slashdot dealt with this issue?"

Congratulations, you win the most irrelevant rant this week award, have a gold star!

Re:What's needed is software that limits USB... (1)

jhoger (519683) | more than 9 years ago | (#13227914)

Yes El Duderino, I did.

Actually I responded to directly to his question. First, I reinforced his supposition (which he seems to be waffling on) that there's probably nothing you can do if you let people have general purpose computers. And I made the point that to attempt to try would be costly.

Then I said that if you're just worried about an employee acting negligently (i.e. not being careful) then you need to start checking people for secrets at the door, and make some examples. Suddenly you will find that the accidents become much less frequent.

So while yeah it is a rant, I think also hit all his points.

-- John.

Comprehensive 5 word policy (2, Funny)

BlackCobra43 (596714) | more than 9 years ago | (#13224049)

No USB storage devices allowed.

Get His Head Out Of The Ground (1)

klausner (92204) | more than 9 years ago | (#13224076)

Anyone panicked of USB security is only displaying their naivete! The risks with USB drives are essentially the same as those with floppies, tapes, or email attachments. Unless you want to strip search everyone leaving at night, the key to this kind of security is education and management vigilance.

Re:Get His Head Out Of The Ground (2, Funny)

mcmonkey (96054) | more than 9 years ago | (#13224225)

The risks with USB drives are essentially the same as those with floppies, tapes, or email attachments.

You're right. This is a much bigger issue than most people realize.

Every night employees leave the office with sensitive information retrieved through their monitors. The use of monitors is widespread in most offices. In fact there may be a monitor on your desk right now and you wouldn't even know it!

So while half your IT staff is frisking for USB drives, the other half should go around removing any monitors in the office. Then your information will be secure.

Re:Get His Head Out Of The Ground (0)

Anonymous Coward | more than 9 years ago | (#13224420)

I want to strip search everyone leaving at night, but for other reasons:(

No! You're wrong! (0)

Anonymous Coward | more than 9 years ago | (#13225032)

The risks with USB drives are essentially the same as those with floppies, tapes, or email attachments.

No, USB is a completely different and far more difficult issue to handle.

With floppies, tapes, CD-ROMs etc, it is easy to restrict a PC. The peripherals can either be removed completely or they can have physical locks [secure-it.com] placed on them that require a key in order to use them. The peripherals can also be disabled in the BIOS which in turn can be protected by password. So, with these devices, it is relatively easy to prevent users from using them at all.

But, USB is an entirely different beast. USB is not a peripheral, it is an interface that can be used by a vast array of peripherals, flash disks being only one such peripheral. Now, the interface could be disabled in the BIOS as above but, there is a major problem with this. The problem is that most new PCs use USB keyboards and mice. Disabling these two peripherals tends to limit the PC's functionality a bit too much for most people. It would also prevent the use of USB printers, scanners, modems, network cards, barcode readers, biometric devices and lots of other legitimate and often required peripherals.

So, the problem is a massive one. How do you limit the connection of certain USB devices, such as flash drives or WiFi dongles, to the machines on your network while still allowing most other devices to function? Right now, most people rely on policies for this. But, no policy will ever prevent the determined user from connecting a USB device.

The problem may be as small as a 512MB keychain fob or as large as a 300GB external USB hard drive hidden in a purse. Connecting a USB WiFi fob in a multi-story building is another monsterous security issue. In any case, USB security is different than floppies and CD-RWs and it is a serious matter for those that are concerned with security.

Solution: Unknown.

Re:No! You're wrong! (1)

Wonko (15033) | more than 9 years ago | (#13226892)

No, USB is a completely different and far more difficult issue to handle.

It is not really COMPLETELY different... USB may have other uses, but on a corporate desktop you are only likely to use USB for keyboards and mice.

With floppies, tapes, CD-ROMs etc, it is easy to restrict a PC. The peripherals can either be removed completely or they can have physical locks placed on them that require a key in order to use them. The peripherals can also be disabled in the BIOS which in turn can be protected by password. So, with these devices, it is relatively easy to prevent users from using them at all.

This is all technically true of USB as well. I have never specifically looked, but there is no technical reason you cannot manufacture a physical lock for a USB port. Lock in a keyboard and mouse (or use PS/2 instead) and you are set. And as you said, you can disable USB in the BIOS.

If your company is this concerned about data security then they should buy machines with PS/2 keyboards and mice.

However, most companies have still bought machines with floppy drives for the past 20 years. If they were not worried about this problem then, why would they be worried today?

So, the problem is a massive one. How do you limit the connection of certain USB devices, such as flash drives or WiFi dongles, to the machines on your network while still allowing most other devices to function?

If this is the issue, why not just remove all USB drivers from the system except for HID devices? I would imagine a USB drive would not work without the mass storage driver installed.

The problem may be as small as a 512MB keychain fob or as large as a 300GB external USB hard drive hidden in a purse.

Go back 10 years and substitute "keychain fob" with "floppy diskette." We have had this problem forever, and it is not new. If a company was truly concerned about this they would buy machines with no removable storage that was writeable. They can do the same today by going PS/2 for keyboards and mice. These companies will not care if they have to pay extra.

Connecting a USB WiFi fob in a multi-story building is another monsterous security issue.

Again, removing the drivers will fix this problem. You still, however, need to worry about someone plugging wireless bridges into your network... I can drop a hub and a wireless bridge under your secretary's desk. Then all I'd have to do is spoof her MAC address at night and poke around your network all I want. You would likely never notice it was happening until it was too late.

In any case, USB security is different than floppies and CD-RWs and it is a serious matter for those that are concerned with security.

It is a SLIGHTLY different problem with very similar solutions.

Re:Get His Head Out Of The Ground (1)

markjx (700808) | more than 9 years ago | (#13225045)

Uh... I actually worked at a company once where they did search people upon arrival and departure. No one brought laptops, documentation, or anything else in or out. If you couldn't fit it in your pants, then you weren't leaving with it.

Whats the dealio? (1)

douggmc (571729) | more than 9 years ago | (#13224090)

1) Have employees sign typical NDA type document.
2) Have employees read/trained/understand company security policies and procedures.
3) Have employees take periodic (e.g. yearly) ethics training.
4) Let them be professionals.

Heck my company (IBM .. particularly BCS division) gave us USB keys as a little gift not too long ago.

Re:Whats the dealio? (1)

duffbeer703 (177751) | more than 9 years ago | (#13224340)

Some companies are required by regulation to record who accesses what information where. Think banks, insurance companies and credit bureaus.

Where I work there are similar no removable storage (including floppy) policies for people dealing with sensitive information.

who accessed it... (1)

kris_lang (466170) | more than 9 years ago | (#13225369)

Yup, someone in Oregon/Washington got in trouble for accessing the medical records of that poor girl who was kidnapped when there was absolutely no reason for them to be looking at it. The hospital happened to have a policy that audits would be performed on every high-profile client (client, that's what they called 'em instead of patient) to make sure that no inappropriate accession of data occurred. They just happened to catch three people looking at her medical records pretty much for curiosity.

Whats the problem? (1)

BaudKarma (868193) | more than 9 years ago | (#13224174)

I'm not sure I understand what the concern is. Your question seems to imply that you're worried that employees will copy data onto a USB stick and then lose it, rather then intentionally stealing information that way.

If thats the problem, I'd be much more concerned about where the employee is taking that data. The only reason someone would put company information on a data key is so that they could move that information to a computer somewhere outside the company network. *That's* where your security concerns should be. Some manager copies your customer database onto his home computer, and he's sharing it with the whole internet.

The only way you'll be able to stop that sort of thing is to ensure that company data stays on company computers. Period. If you need to work from home, have the company get you a laptop, and have the IT department do that they can to make that laptop secure.

Re:Whats the problem? (1)

aaarrrgggh (9205) | more than 9 years ago | (#13224676)

How many "missing laptop" stories have there been?

Sadly, the only *real* solution to data ownership and control is DRM. The question then becomes can a DRM system be made that will allow sufficient control, but maintain the flexibility that is required for people to work within its constraints. At the same time, this snake oil must be easy to manage.

A USB thumb drive is more secure than a laptop in many ways; fewer people want to steal the thumb drive for theft of the physical object.

The trick is to find a nice, easy way to encrypt the data on a thumb drive to protect it against casual loss, and that is where the focus should really be.

Yeah. But DRM does *not* work (1)

hummassa (157160) | more than 9 years ago | (#13224977)

DRM = data + key in the same package. I have said this a thousand times -- cryptographically speaking, DRM just plain does not work.
Treat well your employees, and *that* you have the solution to the OP problems.

Re:Yeah. But DRM does *not* work (1)

R2.0 (532027) | more than 9 years ago | (#13225104)

"Treat well your employees, and *that* you have the solution to the OP problems."

Yoda is working in IT now? Better than the swamp, I guess.

Re:Yeah. But DRM does *not* work (0)

Anonymous Coward | more than 9 years ago | (#13227240)

DRM = data + key in the same package. I have said this a thousand times -- cryptographically speaking, DRM just plain does not work.

You are confusing DRM for consumer products (like DVDs) and DRM that applies strong encryption to a file and requires a password and secureID smartcard to access the file.

DVDs are sold to anyone, and they must be able to access the content. There is a world of difference. I think you need to relearn some cryptography.

Re:Whats the problem? (1)

Spoing (152917) | more than 9 years ago | (#13227183)

The only reason someone would put company information on a data key is so that they could move that information to a computer somewhere outside the company network.

Nope. The main reason they do is to avoid the network and sneakernet it around.

I've pointed people to network resources many many times...only to be told within minutes that 'Bob has the latest copy of that on his computer...ask him and he will make a copy for you'.

When Bob's computer dies...the admins should be able to restore all data. When Bob decides it's better to leave it on a USB key and the key dies or gets lost, it's gone!

Please explain (2, Insightful)

MobyDisk (75490) | more than 9 years ago | (#13224246)

I've heard of companies that had issues with flash drives, but I've never understood why. Could you explain it to me?

I assume it is a concern about people copying files to the flash drives and walking out with them. But small high-capacity removable media is not anything new. When 3.5" floppy drives were common, it was trivial to take large amounts of source code, documentation, etc. Then came CDs, with more of the same. Today, DVD disks are either 3.25" or 5.25" in diameter, completely flat, and hold far more than flash drives. Yet I've never heard of anyone concerned about the security implications of DVDs. Most of my coworkers have PDAs or laptops. And every computer in the office has internet access.

So why are flash drives so magical that they deserve special treatment?

Re:Please explain (1)

Scuff (59882) | more than 9 years ago | (#13224411)

my guess is that the companies who are worried about usb drives are already giving these employees systems without cd/dvd burners or floppy drives, and monitoring their internet access. Reasons for this sort of security might be legal responsibility for any sort of government or financial system, like the bank mentioned in an earlier post. I suppose such behavior can be excused in these cases, anywhere else, it merely creates an enviornment that says the employees aren't trusted.

Re:Please explain (1)

danzona (779560) | more than 9 years ago | (#13224486)

I agree with your sentiment, but if I was to try to look at it from a paranoid management perspective I would argue as follows:

3.5" floppies don't hold much data

My office desktop doesn't have a cd/dvd burner

If someone emails out sensitive data, there is a record of it

So I guess the advantages of a flash drive are that it holds a lot of data, requires no special hardware beyond what is found on the simplest of laptops, and there is no record of information being stolen.

Is that sufficient to develop a special policy? I don't think so, but I don't have to worry about explaining security breaches.

Email (1)

hummassa (157160) | more than 9 years ago | (#13225012)

"If someone emails out sensitive data, there is a record of it". I don't think so. You pack the data, encrypt it, put it inside a virus-looking executable, and send it to the destination with subject: "I love u", preferrently from another workstation, not yours, then infect said workstation with some (new?) virus. Plausible deniability.

Re:Email (1)

Sancho (17056) | more than 9 years ago | (#13226031)

You don't allow people to run un-authorized executables. How will they encrypt it?

Re:Email (1)

Ex Machina (10710) | more than 9 years ago | (#13226448)

I imagine that you could access cryptographic capabilities via Windows or Office scripting extensions. You could even make a Word or Excel macro that does this alone.

Re:Email (1)

jrockway (229604) | more than 9 years ago | (#13228378)

I can do RC-4 by hand. If millions of dollars were at stake I would figure out some way to do it.

Re:Please explain (1)

sconeu (64226) | more than 9 years ago | (#13225469)

I'm the article submitter.

As I said, we realize that there's not a damn thing we can do about malicious intent.

What the boss is concerned with is more along the lines of: "we use USB sticks for transferring data all over the place, including non-company machines (during demos, etc...). Sometimes a USB stick may be placed on a machine connected to a non-company network (e.g. a laptop). We want to avoid accidental disclosure in such cases."

Personally, I think the founder is a bit paranoid, but our company is an R&D company, and that info is our crown jewels, so it's a bit understandable.

Our current policy is to treat them as any other removable media.

Re:Please explain (1)

Hast (24833) | more than 9 years ago | (#13226280)

we use USB sticks for transferring data all over the place, including non-company machines (during demos, etc...). Sometimes a USB stick may be placed on a machine connected to a non-company network (e.g. a laptop). We want to avoid accidental disclosure in such cases.
Perhaps it would be a better idea to invest in a couple of portable HDDs. That way you could run the program from the HDD and that way it's easier to ensure that you actually take it with you.

Furthermore you should (of course) establish routines and inform people exactly what they can run on a clients machine. Eg it makes a lot of sense to only give them (clients) access to executables. No code should EVER be allowed on media that you want to give to clients.

Another alterative could be to use CDRs which you destroy after the demonstration.

Of course all of this assumes that the client doesn't have a program running which downloads everything. It's hard to protect against that. (Hence the no-code policy.)

Oh, and make sure that all laptops you use have VPN installed and configured so that you can connect to your office network safely while on the road.

Re:Please explain (1)

LuckyStarr (12445) | more than 9 years ago | (#13226345)

Pretty easy (in principle).

Make the sticks bootable, install your own OS on it so you can control the flow of data yourself. Encrypt it if you like to for extra (theft of device) security.

Re:Please explain (1)

sconeu (64226) | more than 9 years ago | (#13226926)

Makes it kind of useless for handing somebody a 100MB PPT file (and yes, we've thrown those around).

Re:Please explain (1)

Mooga (789849) | more than 9 years ago | (#13228099)

USB drives are small, tiny, easy to use, fast, and reusable. Burning a DVD takes time and "wasting" a DVD. With a USB drive, you plug it in, copy it over and your done. No burning, no playing wiht the CD drive. Just drag and drop. Then you pocket it. Bring it to the computer you want the info on. Drag and drop. You want to erase your tracks? Drag the files from the drvie to the trash. DONE!

While this may make USB drives dangorus, it also makes them VERY helpful! The guy down the hall wants the newist version of the presentation? Plug in, Drag, and Drop. The main office on the other side of the contry need all your data and ton of PowerPoints? Plug in, Drag, Drop and Over-Night it. My dad has done this many times. Plus, USB drives are smaller, cheaper, and easier to get then ever before! Many companies GIVE THEM AWAY. Sure, they may have the Visa logo on it but a little rubbing and gone. And besides, who cares? A free USB drive is a FREE USB DRIVE.

The other problem I an see with them is that they can carry viruses. If you plug it into an infected comp, it can infect others. But a good virus scan can pervent this.

I can see a BIG use of them if you could boot uncommen software off one. So if you need to show a file in a funny format you can plug the card into any comp and view/change the file.

windows AD domain policy (0)

Anonymous Coward | more than 9 years ago | (#13224329)

setup all of the machines in an active directory domain structure and then impose group policy security restrictions. Don't put the domain users into the Administrators groups on their local machines (but make sure to put yourself, the Domain Admin in the LOCAL COMPUTER administrator groups). This way, they will be locked down from configuring system settings and adding/removing hardware (they can put a usb drive in, but it will never be mounted). This will also get rid of many spyware/adware problems you might be having as they wont be able to install the malicious software. If they DO require software to be installed, temporarily add their domain account to their local Administrators group and ask them to log out and back in. They can then install whatever software they want, and then you can disconnect them (via enforced login hours) or simply remove their name from the Administrators group and trust them to log out. An upside to this is you can also finely control which windows services you would like to run or not run on every machine throughout your domain. Remote computer management also becomes easier since you can remotely connect to your domain machines through the Computer Management interface (you being the Domain Admin).

-Adam

Re:windows AD domain policy (1)

Scuff (59882) | more than 9 years ago | (#13224743)

his will also get rid of many spyware/adware problems you might be having as they wont be able to install the malicious software.


I just wanted to point out that most malicious software can be installed without the user having administrative rights. such software often exploits vulnerabilities in windows or IE to get the installation to run as a system process instead of using the rights assigned to the user.

Re:windows AD domain policy (1)

yuri benjamin (222127) | more than 9 years ago | (#13225457)

[yadda yadda tempory admin priviliges yadda yadda] ... and trust them to log out.

Of course they'll have to log out eventually. It's Windows. I can never keep my workstation at work logged in without reboot for more than a week.

Disable write access to USB devices. (1)

billn (5184) | more than 9 years ago | (#13224375)

Assuming you're in a managed windows environment where standard users are lacking the privileges to make changes to the operating system and it's settings (outside of application specific user options), you can apply certain registry settings that make all USB mass storage devices read-only.

This, coupled with good remote log hosts and alarm systems will not only prevent users from smuggling data, good or bad, it can also alert you to the activity.

This is, of course, moot if the workstations are equipped with floppies and burners. Your firewall policy can also negate the advantage is you have no network accounting in place or a hardened outbound traffic policy.

Re:Disable write access to USB devices. (1)

hummassa (157160) | more than 9 years ago | (#13225037)

most BIOSes I came across in the last year permit boot from USB, and none have some option to disable it -- yes, you can *think* you disabled it, but the magic (cntrl-f10) "boot menu" key continued to work. I found this tremendously insecure.

Re:Disable write access to USB devices. (1)

jrockway (229604) | more than 9 years ago | (#13228407)

If someone has gotten so close to the computer that they can plug in a keychain drive, boot their own OS, and steal data, then your security failed long ago. Ever hear of locking the door?

GFI LANGuard Portable Storage Contoller (1)

Llama Keeper (7984) | more than 9 years ago | (#13224391)

This product GFI LANGuard PSC http://www.gfi.com/lanpsc/ [gfi.com] will let you lock your USB mass storage on a per user basis on WinDoze machines.

We tried it in the demo mode when the administration at a client was freaking out about IPods. We ended up going with a written policy (that actually had enforcement!!!!!) instead of a technology solution!

over-reliance on policies and procedures (1)

sfjoe (470510) | more than 9 years ago | (#13224402)


More and more I see companies trying to solve every problem or perceived problem by putting a policy in place. Usually, this solves the problem at the expense of morale and productivity. A once simple task is now a complicated nightmare.
It's a mistake to put a policy into place as a knee-jerk, first response. Instead, hire good people, train them well, treat them well and let them be your first defense against problems. Policies are to clarify ambiguities and apply standardization - not as a cure-all for every situation.

Laptops? (1)

GreyyGuy (91753) | more than 9 years ago | (#13224489)

As long as you have laptops with 60+GB hard drives walking in and out of the building, any plan to limit USB drives is only going to bite the 99.99% of the people that actually use them from productivity. That .01% that has some illict reason to share files outside the company will be slowed down, but then email them, burn them to CD, FTP them, fax them, or just keep it on their laptop and walk it out the front door.

And even if all those are plugged, there is still the option of printing it out and mailing it.

The best solution (1)

pnutjam (523990) | more than 9 years ago | (#13224510)

I'm not here to preach about whether our not it is smart to manage removable media.
I'm just here to give you this link. [securewave.com] It's a great piece of software that works well.

hmmmm (0)

Anonymous Coward | more than 9 years ago | (#13224512)

I'm sitting on my work computer right now... that has the USB enabled (uses USB keyboard/mouse), has a cd-burner in it (I have NO idea why).. and my my 128MB thumb drive is in the front so I can run portable firefox.

You Need To Discuss More (1)

snookerdoodle (123851) | more than 9 years ago | (#13224922)

I had a similar position to yours for several years, so I have some very general thoughts I hope you find helpful.

Any time The Boss read an article about something new, she would ask me about it.

There are two things that really helped me:

1 - I had spent a LOT of time (with an attorney) researching and developing what I still believe were really good policies. The attorney and I both learned a lot, since I lean towards anarchy.

2 - I learned to anticipate her requests by reading tech news voraciously and keeping my eye on headlines in the journals she read.

In this specific case, you should already have addressed this issue, since USB devices are (as another poster already pointed out) just one of many ways data can be copied to a personal device.

We can't answer for you. That's what you need to discuss with the owner, since it is *their* company. You just need to come up with a list of all devices that will need to be nixed if you decide to nix these (and some research places *do* nix all of this stuff). A partial list to get you thinking: Cellphones, cameras, PDA's, floppy disks, CD writers and/or media, DVD writers and/or media, copy machines. Once you have a list, you can get with your owner and have a sincere "how serious are you about this?" conversation and then come up with a policy general enough to cover whatever you end up with.

Mark

Re:You Need To Discuss More (1)

LWATCDR (28044) | more than 9 years ago | (#13225145)

You left out IRDA, WiFI and Bluetooth.

Re:You Need To Discuss More (1)

snookerdoodle (123851) | more than 9 years ago | (#13225623)

"You left out IRDA, WiFI and Bluetooth."

I think I left out a whole lot more than that (keep thinking: laptops, email, notebooks...)...

It was just a list to start from.

Mark

Re:You Need To Discuss More (1)

legirons (809082) | more than 9 years ago | (#13225837)

I think I left out a whole lot more than that (keep thinking: laptops, email, notebooks...)...
Managers?

Depends upon how much you want to spend (1)

Safety Cap (253500) | more than 9 years ago | (#13224974)

On every box:

  • Zonealarm
  • McAfee/Symantec antivirus
  • AdAware + SpyBot S&D
  • Run HFNetcheck (or equivallent) to ensure all patches roll out promptly
  • Replace IE icons with FireFox
  • Enact general policy to not store any data locally,

Don't forget:

  • Backup the network every day

USB flash drives? Bah! (1)

Mycroft_514 (701676) | more than 9 years ago | (#13225068)

I have my personal laptop (80GB drive) sitting next to me, with some CD-RWs in my briefcase behind me. What was the question again?

this sounds like something... (1)

lobsterGun (415085) | more than 9 years ago | (#13225477)

...that a strick back up policy could help with.

You might need to write some custom software to monitor the backups, but it shouldnt be too hard to come up with some scripts that whip through a list of people that use USB drives and nag them to back up the data under penalty administrative punishment.

All unsecured devices will be stolen (0)

Anonymous Coward | more than 9 years ago | (#13225484)

The policy is for someone to steal all USB drives. Seriously, we've had two stolen in the past few months right out of people's drives.

We also have a policy that requires all laptops to be locked down at all times.

Not sure if they are hiring crackheads off the street to do this, there used to be an IT VP that would steal stuff off people's desks and then, when they claim to reclaim them, give them the big IT security lecture.

That's like the IP VP I worked with a few years ago that deliberately crafted a .EXE email attachment "virus", and then fired everyone who violated the "no opening .EXE attachments" policy.

In a previosu contract we had *real* crackheads wondering through our offices (right off S Park in San Francisco). Although we went though 3 LCD projects in two weeks once, people kept a close eye on laptops and peripherals.

That's what I like: security through - uhh - something!

Reasons for the policy (1)

Darth_brooks (180756) | more than 9 years ago | (#13225664)

People are missing the point here. It's not about just banning USB Flash drives. Policies & rules are created to give the company a level of paperwork to fall back on. Say somebody takes X amount of data or source code home, starts selling, and gets busted. At least in court they can't say "But there was no rule against it!" Think of it like having a logon banner for servers. Does it really deter hackers? No, but it gives you a bit more of a leg to stand on if it comes down to getting the authorities involved.

It's a lot like setting a speed limit. Yeah, most people ignore it, and the rule can be abused by those who make the rules. But in the end there's a valid reason for having it. Strong, well-written and enforced policies are just another layer in your security model.

Re:Reasons for the policy (1)

Bake (2609) | more than 9 years ago | (#13227170)

So, if I put a sign on my car saying "Stealing this car is illegal", I have a bit more of a leg to stand on if the car gets stolen?

Re:Reasons for the policy (1)

Darth_brooks (180756) | more than 9 years ago | (#13227487)

It's pretty hard to say "I didn't know stealing a car was illegal" and have it stand up in court.

OTOH you can make an argument that since a machine has services available to the public, e.g. a web server, the "Oh gosh, I didn't realize I wasn't supposed to dump the hash file, crack all the passwords, and turn the box into a warez dump" argument may stand up. But by explicitly denying "unauthorized use", you've got a slightly better case.

No, a banner won't help much. But it's there, and since common sense doesn't seem to matter in court, ("It's not what you know, it's what you can prove") you want the best possible case. It's the electronic equivlent of an "Employees Only" sign on a door.

Encryption? (1)

bklock (632927) | more than 9 years ago | (#13225762)

I worked at an R & D lab and our policy was that any system (laptops mainly) that could be expected to leave the physical security of the building had to have all data encrypted. We used a program that encrypted the entire harddrive and then required a passkey in order to decrypt at boot. At the time I left they had not yet got as far as instituting such a policy for flash drives, though I expect they have by now.

This won't protect against a malicious employee or a determined attacker, but should fix the problem of data left around accidently.

Why are they using flash drives? (1)

nmos (25822) | more than 9 years ago | (#13226028)

You really need to back up and find out exactly why they feel the need to use removable media and what they are doing with it. Chances are the answer will point to a bigger issue like maybe the users don't trust the backup system or cannot easily retreive files from said backups. It might be that they often use different workstations etc. Whatever the reason, if you provide a good alternative than a simple policy change and some training is all that is necessary but if you don't then no policy will be strong enough. The only ones that will actually listen to a policy that keeps them from getting work done are the weenies who probably wern't doing anything anyway and you'll end up fighting with the good employees.

don't allow them (1)

RogerWilco (99615) | more than 9 years ago | (#13226312)

If you're realy serious about security, disable USB mass storage devices on all machines, diskdrives and CD-burners too.
You'll maybe need to treat laptops differently, but those are a problem anyway, because they get stolen all the time. I haven't figured out how to handle those properly.

You don't have to ban the thumb drives... (1)

The Meeper (782183) | more than 9 years ago | (#13226387)

USB port + Epoxy resin = Security. Anything you currently do with flash drives can be done across the network, all nessecary peripherals can be run through PS/2, and you don't have the bother of patting people down for their flash drives.

Reduce need for removeable media (1)

Dr.Dubious DDQ (11968) | more than 9 years ago | (#13226524)

The most common reason I hear for why we just HAVE to give so many people, e.g., CD-burners is "they need to take data home to work on it..."

I keep wondering - wouldn't it be simpler to set up a "Windows Terminal Server" and have remote employees use THAT instead? That way, the only data leaving the company are (presumably encrypted) screen updates and key presses (yes, you CAN transfer files directly through the same mechanism, but how often would you legitimately need to if you can operate your "official" company computer from wherever you are instead of working off of some spyware-infested "home" computer directly?)

On a related note, anyone know how well the NoMachineNX [nomachine.com] RDP proxy would handle this sort of thing? Sure seems like it would be better than a more heavy-handed "VPN" connection that seems popular right now if it works effectively. Rumor is that it works reasonably well even on dial-up links, but I'm having trouble puzzling out how to set up to do RDP proxying from the various documents I've found so far.

For cases where someone really does need to make a CD of data to send to someone legitimately, perhaps a centrally located CDR "printer" with a web interface (perhaps something like this [suspectclass.com] ? Though I'd swear I'd seen more recent implementations of this concept using PHP) that users would send the files they need burned to, and the central box would make a record of what was being burned. (Ought to make the auditors happier, anyway).

Just my own thoughts on the problem.

Epoxy. (0)

Anonymous Coward | more than 9 years ago | (#13226525)

Epoxy.

Log Everything. Tell them. Enforce the rules. (1)

QuietRiot (16908) | more than 9 years ago | (#13226788)

[I'm not a windows admin so I've no idea if any of this is possible...]

You might....

Figure out how to log all USB plug-in/remove events and notify a central location when they are USB Mass Storage devices. Figure out how to log all copies or transfers to/from USB mass storage devices. Make up some reporting process and either have a talk with excessive USB-keyers or disable their USB ports. Remember that they can probably use other workstations to do as they please. Could USB Mass Storage devices be made 'read-only' via some policy editor?

(Probably easier on an OS in which you could mess with the kernel sources.)

Let your users know all activity on the corporate network is being logged (not keystrokes or file contents - file names probably OK) and what behaviour is not OK.

Notify that all USB key contents will be inspected and copy off of any USB drive as soon as it's inserted for later inspection. Tell them big brother made you do it and if they're worried about their personal stuff being looked at to not use their personal USB key at work.

Just ideas....

Go with thin clients with no USB ports (1)

cecil36 (104730) | more than 9 years ago | (#13227728)

My wife was telling me that the hospital she works at uses a thin client solution where none of the desktop workstations have any type of removable storage, whether it be on floppy, USB drive, or optical media. All the applications and data are kept on blade servers in the data center. If your company has the money available in the budget, I'd go with at minimum a remote desktop solution and have the security policy configured that no data can be copied from the server to a workstation. Only thing left to worry about is the integrity of the employee who has access to the data.

Cheap solution (1)

hrieke (126185) | more than 9 years ago | (#13228264)

Hot glue the USB ports on each PC, so nothing can be plugged in.

We have disabled them. (1)

Reverant (581129) | more than 9 years ago | (#13228920)

I work for your typical 15-employee company. Because of an incident lately (data theft & deletion after firing a guy), we have locked down cd/dvd recorders and USB mass storage devices. These can both be done through the registry. Just set:

HKEY_LOCAL_MACHINE\
SYSTEM\
CurrentControlSet\
Services\
UsbStor = 4 (from 3)

to disable USB mass storage support. To disable CD burning:

HKEY_CURRENT_USER\
Software\
Microsoft\
Windows\
CurrentVersion\
Policies\
Explorer\
NoCDBurning=dword:00000001

Just make sure your users don't have admin privileges on their boxes (ie. simple user accounts only!)
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?