Comments
Smartphones Get Headlines, But Lax USB Security Is Just As Risky
1eustace, User Rank: Strategist
1/7/2015 | 1:07:06 PM
50% | 50%
Re: Managing USBs? Impossible!
Great points.  But such DLP policies come at a great cost – efficiency & productivity loss.  It is not a surprise organizations that sustain such models are less concerned about costs.  Most non-governmental organizations will go under if they make similar sacrifices, with very few exceptions.  I have worked with some of these exceptions, private companies with close to DoD type DLP strategies, and the only reason they get away with such is because they have other companies freely working for them.  Not an exact analogy but this is akin to Wal-Mart having suppliers doing most of their work towards stocking their shelves.  Outside of these select few, strict DLP strategies are not an option to most organizations.  Not to lose hope, more practical solutions are possible but such will require tying the USB infrastructure into hardened security hardware. Unfortunately, it might require more major exploitations for the industry to head in this direction.
exacttrak, User Rank: Apprentice
12/15/2014 | 4:50:36 AM
50% | 50%
Secure USB Flash Drives
It is one thing to have a USB Flash Drive that encrypts data, but the issue is what happens when a USB Flash Drive is lost or stolen. My company, ExactTrak, manufactures and sells a USB Flash Drive that can be tracked, managed and destroyed, all through a central management console and without the need to be plugged in to a host PC or laptop. If one of our customers has a Security Guardian device lost or stolen, they can locate the device anywhere in the world and turn off access to the data. They can then choose to retrieve the device or remotely destroy it (not delete or overwrite the data, but destroy the device). The same goes for when an employee leaves the company. If they don't hand the device back, it can be destroyed to ensure company data is not compromised.
ODA155, User Rank: Ninja
12/11/2014 | 4:55:35 PM
50% | 50%
Re: Managing USBs? Impossible!
"Any data moved to USB devices at my former employer were automatically encrypted as was all data on laptop hard drives and SSDs."

Same here, as well as an email to the offender from the DLP system telling them that what they just did was a violation of policy, and an alert that was sent to IR (Incident Response), who in turn contacted the offending individual's manager within 10-15 minutes if it happened during the work day. All a company would need is a good DLP solution, a policy, and someone to monitor/manage it properly.
dholcombe, User Rank: Apprentice
12/11/2014 | 4:32:05 PM
100% | 0%
Re: Managing USBs? Impossible!
Any data moved to USB devices at my former employer was automatically encrypted, as was all data on laptop hard drives and SSDs. Unfortunately they missed encrypting data going to drives attached via eSATA on laptops. You have to think about all vectors through which data can flow rather than a select few. Just targeting USB is also not enough; you must also make sure you take care of any built-in card readers, eSATA, or other ports through which data may flow.

As far as encryption of USB itself, that policy/program was quite successful and most users outside of engineering/IT did not have eSATA ports. For 90%+ of our userbase it became impossible to copy unencrypted data to a USB key and then lose it in an airport.
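The two comments above describe the same control from two sides: every removable-media vector (USB, eSATA, built-in card readers) has to be covered, and a write to media that is not agent-encrypted should notify both the user and incident response. The script below is an added example, not code from Dark Reading or from any commenter, showing that check over a few constructed event lines; the `key=value` log format, the bus names, and the `example.invalid` mailboxes are all assumptions made for the example, not the schema of any real DLP product.

```python
"""
Added example: a minimal DLP-style check over constructed endpoint events.
Each event records one file write to an external volume. The policy flags
writes to removable media that is not agent-encrypted, whatever bus the
media is attached through, and produces one notification for the user and
one for the incident-response queue.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events (not real logs). Fields: timestamp, user,
# bus (how the volume is attached), volume, whether the endpoint agent
# encrypts the volume, and the file written.
SAMPLE_EVENTS = [
    "2014-12-11T09:02:11Z user=jdoe bus=usb volume=E: encrypted=yes file=Q3_forecast.xlsx",
    "2014-12-11T09:05:42Z user=asmith bus=esata volume=F: encrypted=no file=customer_list.csv",
    "2014-12-11T09:07:03Z user=asmith bus=sdcard volume=G: encrypted=no file=design_v2.dwg",
    "2014-12-11T09:09:55Z user=jdoe bus=usb volume=E: encrypted=yes file=notes.txt",
    "2014-12-11T09:12:30Z user=bkim bus=usb volume=H: encrypted=no file=payroll.xlsx",
    "2014-12-11T09:14:00Z user=jdoe bus=sata volume=C: encrypted=no file=draft.docx",
]

# Every attachment path that counts as removable media for this policy.
# Listing eSATA and card readers alongside USB is the point of the comment
# above: a USB-only rule leaves the other vectors unmonitored.
REMOVABLE_BUSES = {"usb", "esata", "sdcard", "firewire", "thunderbolt"}

IR_QUEUE = "ir@example.invalid"  # placeholder incident-response mailbox


@dataclass
class Event:
    ts: str
    user: str
    bus: str
    volume: str
    encrypted: bool
    file: str


@dataclass
class Alert:
    ts: str
    user: str
    bus: str
    file: str
    recipients: List[str]


def parse_event(line: str) -> Event:
    """Parse one constructed 'timestamp key=value ...' event line."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(
        ts=ts,
        user=kv["user"],
        bus=kv["bus"].lower(),
        volume=kv["volume"],
        encrypted=kv["encrypted"].lower() == "yes",
        file=kv["file"],
    )


def check_event(ev: Event) -> Optional[Alert]:
    """Return an Alert when a file lands on unencrypted removable media."""
    if ev.bus not in REMOVABLE_BUSES:
        return None  # internal disk or similar: outside this policy
    if ev.encrypted:
        return None  # agent-managed encrypted volume: policy satisfied
    # Notify the user who made the copy and the IR queue, as the thread describes.
    recipients = [f"{ev.user}@example.invalid", IR_QUEUE]
    return Alert(ev.ts, ev.user, ev.bus, ev.file, recipients)


def run_policy(lines: List[str]) -> List[Alert]:
    """Apply the check to every event line and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        alert = check_event(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


def offenders(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per user, the summary IR would hand to a manager."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


if __name__ == "__main__":
    for a in run_policy(SAMPLE_EVENTS):
        print(f"{a.ts} {a.user} wrote {a.file} to unencrypted {a.bus} media "
              f"-> notify {', '.join(a.recipients)}")
```

On the constructed input the policy raises three alerts (two for the eSATA and card-reader copies by one user, one for a USB copy by another) and stays silent for the encrypted USB writes and the internal-disk write, which is exactly the coverage gap the eSATA comment describes when the bus set is widened beyond USB.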
aws0513, User Rank: Ninja
12/11/2014 | 11:05:25 AM
100% | 0%
Re: Managing USBs? Impossible!
There are places where USB policies are quite strict and overtly enforced.

First would be government classified environments where USB storage is highly controlled.  In some SCIF environments, even having a USB device on your person is grounds for administrative action.  The DoD mandates the use of USB protections (both physical and logical) to prevent unauthorized use of USB storage of any kind.
Where USB devices are used in classified environments, they are (supposed to be) highly monitored and controlled.
The policies behind the USB restrictions in classified environments are usually part of a larger DLP strategy that includes how hard media (CDs/DVDs/tapes) is managed and controlled.

BTW...  those classified programs still function just fine without USB storage devices.  Albeit some could claim they could be working better, most classified systems owners have determined the risk is not worthy of the benefits.
Workers within those environments are not given an opportunity to even try to buck the trend.  In general, all workers within classified environments accept the situation as necessary and normal. Anything less stringent seems alien to them and is usually met with distrust and very little acceptance.

Another place I have seen similar policies was on critical banking and finance systems where the organization implemented administrative and technical controls to prevent wholesale data exfiltration due to internal threats.
Again, the workers in those environments accepted the situation as normal. 

In the end, the implementation of a strong USB storage use policy is a matter of willpower of the organization to take the necessary steps to implement effective controls and cultural acceptance that such policies and practices must exist.
The best example analogy I can relate in this matter would be smoking.  Twenty years ago nobody would have considered it possible that laws would exist prohibiting smoking within pubs/taverns/bars.  Now we have several states with such laws with likely more to follow.  All of this still came down to willpower to enact/enforce and cultural acceptance to conform to the new standard.
Marilyn Cohodas, User Rank: Strategist
12/11/2014 | 9:30:22 AM
50% | 50%
Re: Managing USBs? Impossible!
Prohibiting USBs or requiring encryption seems to me like a totally unenforceable policy. Simpler to plug up USB ports on all company-owned laptops -- and even that is unthinkable...

Curious to know what, if any, USB policies are in place within the Dark Reading community. Any success/horror stories to share?
CAMROBERSON, User Rank: Author
12/10/2014 | 7:48:53 PM
100% | 0%
Re: Managing USBs? Impossible!
Agree completely. It's incredible (and illogical), though, given the ease of data loss! The exact same dangerous data on other digital platforms is watched like a hawk, but no policies (or cares?) seem to exist around protecting it on other forms. Maybe it's time to disallow USBs or start enforcing encryption/authentication like on other devices.
Marilyn Cohodas, User Rank: Strategist
12/10/2014 | 3:51:48 PM
0% | 100%
Managing USBs? Impossible!
It's hard for me to imagine enterprises -- let alone SMBs -- developing policies and strategies around USB security. Smartphones may get headlines, but companies haven't really cracked the BYOD code for employees. The ubiquitous USB seems like an even greater challenge...