Keep an eye on those flash drives – and USB ports
USB ports, as any IT security expert can tell you, are trouble just waiting to happen. Sure, they’re fine for keyboards and mice. However, think about the other things that can be plugged into them, like portable storage devices ready to hoover your data.
I was fascinated by Andrew Binstock’s recent post regarding the internal USB ports on enterprise workstations. Those ports are designed for applications that use dongles. The problem with dongles is that they easily fit into a pocket. But if you lock the dongle inside the computer, it’s less likely to fall into the wrong hands, or the wrong pocket.
USB-based flash drives are potentially even more dangerous than stolen dongles, as shown by a new study from the Ponemon Institute. This study was commissioned by and paid for by RedCannon Security, whose PR agency sent me the results. RedCannon sells stuff to secure USB flash drives. They paid for this study in order to drum up business.
With that said..
According to the study, 87% of their study’s respondents say that their company’s policies forbid them copying unprotected sensitive information onto a USB flash drive. However, 51% say that they have copied confidential info onto a flash drive — and 57% believe that other employees routinely use flash drives to store and move confidential info.
What’s so bad about that? Even assuming that all the employees are behaving totally above-board… 28% of respondents say that a flash drive has been either lost or stolen. The study doesn’t ask, unfortunately, how many respondents have lost a flash drive that contains confidential, proprietary or sensitive info.
Even so, a challenge is that flash drives frequently are used to backup information, to bring information home (to work on it), and to share information with other people. That came up last week, in fact, when I was in my New York office… the fastest way for one of our staff to give me some files was to copy them onto a flash drive.
Those files are still on the flash drive, which is in my briefcase. But what if it fell out? What if someone stole my briefcase?
Now, had those files been confidential (they weren’t), and I were to lose the flash drive, that would be a bad thing. Or what if I then reused that flash drive to give different data to someone else… and that person also copied those “confidential” files? The potential for inadvertent data loss is obvious. And that’s assuming no malicious intent.
With malicious intent, every USB port (and Firewire port) is a potential hole that an attacker can exploit to steal data, corrupt files, or plant malware.
Do you have polities and measures in place to prevent the copying of confidential data onto portable storage devices, and for securing USB ports? If not, you should.