Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/5/2006
06:50 AM
50%
50%

Thumbs Down on Thumb Drives

Enterprises shut down their USB ports to deal with thumb-drive security threat

NEW YORK -- Where portable data's concerned, convenience has a cost -- a rather steep one if it's USB-based -- according to IT managers and CIOs attending an event here today.

"It's a disaster waiting to happen," warned Randy Kahn, principal of legal consultancy Kahn Consulting, in an address this morning. "The smaller it gets, and the more mobile it gets, the easier it is to lose the thing."

To illustrate his point, Kahn pointed to a recent report from the Committee on Government Reform, which painted a depressing picture of federal data security. As well as the highly publicized laptop loss at the Department of Veterans' Affairs, Committee members also cited the Department of Commerce which lost thumb-drives containing sensitive census records on 46 separate occasions between January 2003 and September 2006. (See VA Reports Massive Data Theft, Laptop Liabilities, and Portable Problems Prompt IT Spending.)

For Kahn, though, this may be just the tip of the iceberg. "How many thousands of thumb-drives were lost by the government over the last three years?" he wondered aloud. "Places need to have really stringent controls on how they use and how they manage" USB drives.

"It's a big challenge," agreed another speaker, Bob Venable, manager of enterprise systems at BlueCross BlueShield of Tennessee. "We're planning on banning USB drives at the start of January," he said, explaining that the threat of end-users introducing viruses via USB ports helped prompt this decision.

Despite recent enhancements from vendors, many execs are still wary of the security threats posed by USB drives. (See Lexar Locks Down USB Storage.) Some users are concerned that the software used to automatically boot up many USB drives could open the door to hackers, whereas others balk at the idea of staff losing critical corporate data.

Last month, for example, the Los Alamos National Lab hit the headlines when three USB drives containing sensitive data were reportedly found by police in the home of a lab worker. This latest storage snafu followed the supposed disappearance of classified defense secrets on portable floppies at Los Alamos a couple of years ago. (See Los Alamos Disks May Not Be Lost, Latest From Los Alamos, and Los Alamos Fallout Continues.)

An IT manager from a major New York bank, who asked not to be named, told Byte and Switch that security fears have already prompted his firm to implement a tough USB strategy. "In our bank we have turned off the USB ports -- you're not allowed to access them unless you get authorization from the chief operating officer," he explained.

Even with this authorization, though, the bank only allows encrypted USB drives from two vendors, one of which is SanDisk, according to the exec. (See SanDisk Buys msystems.)

For BlueCross BlueShield's Venable, the move away from USB drives refocused his firm's vigilance of email as a way to share critical or sensitive data. By using a "reverse firewall" the insurer checks outgoing emails for sensitive corporate data such as customer lists.

The exec admitted that he still needs to work out some of the trickier details of his USB ban. "We will have to have exceptions because there are vendors that come in and want to bring in fixes via the USB port," he said.

Overall, according to Kahn Consulting's Randy Kahn, firms need to set up policies for auditing and monitoring portable media if they want to make their organizations more secure. Other key factors include staff training and communication. "Policies matter hugely -- they tell people what you expect from them," he explained.

At least one IT manager attending the event warned that, in reality, many firms are forced to compromise on the extent of their security strategy. "It's a question of money and the time that you have," explained Hossur Srikantan, CIO of U.K.-based online gaming company Blueberry Software. "You have to make a business decision based on that."

— James Rogers, Senior Editor, Byte and Switch

  • Kahn Consulting Inc.
  • Lexar Media Inc.
  • msystems
  • SanDisk Corp. (Nasdaq: SNDK)

     

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 7/9/2020
    Omdia Research Launches Page on Dark Reading
    Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
    4 Security Tips as the July 15 Tax-Day Extension Draws Near
    Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Threat from the Internetand What Your Organization Can Do About It
    The Threat from the Internetand What Your Organization Can Do About It
    This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-15105
    PUBLISHED: 2020-07-10
    Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
    CVE-2020-11061
    PUBLISHED: 2020-07-10
    In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
    CVE-2020-4042
    PUBLISHED: 2020-07-10
    Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
    CVE-2020-11081
    PUBLISHED: 2020-07-10
    osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
    CVE-2020-6114
    PUBLISHED: 2020-07-10
    An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...