– Brian Tokuyoshi, senior product marketing manager at Symantec (www.symantec.com), says:
USB storage devices provide a clear benefit to making it easier to handle the large amounts of data that people need on a day to day basis. The benefits arise out of not having to rely on network services which often have technical and policy limitation on the amount of data that can be moved easily. For instance, for as long as I can remember, it’s been fairly common to impose a 10 megabyte limitation on email attachment size. Yet over the years, that size limit is growing tighter and tighter – coders need to move virtual machine images, artists need to transport video and digital photography, accountants have reports and databases, all of which take more room than that.
Employees that need to get their jobs done see USB drives as an easy alternative to using network services – instead of using the network as a transportation device, why not just use larger storage devices? The days of floppy disks and optical media are taking a back seat to better storage devices. USB devices are both ubiquitous (found in devices such as external hard drives, removable memory cards, flash drives, and built-in to many consumer devices such as smart phones, voice recorders, and MP3 players) as well as cheap (8GB Flash drives cost less than the price of a footlong sandwich). As a result, the employee can bring their own storage devices for use on corporate computers, and that introduces the element of risk: Will the employee use the devices safely? Will they use it inappropriately? Will an attacker try to use it to their advantages?
In the past, IT organizations relied on less-than-ideal solutions to the problem – they simply identified computers that should have limited use cases, and physically blocked the ports. For instance, a point of sale computer used at a store may have USB ports on it, and there’s really no reason why a clerk should insert a USB device in it. The low-tech method of blocking access to USB is to physically plug up the USB port with permanent material, such as filling it with epoxy glue. This is not truly a policy-based method of blocking the port (what happens if an admin needs to use the port to update the firmware?) and it really doesn’t prevent the problem should the attacker open the case and use the port without authorization. What’s needed is a better approach to determine who can access the port, and what principles should be applied to what they can do. That’s why device control is so important.
What’s a data center/IT manager to do about these problems?
The place to start always begins with security policies that determine what an organization wants to do. Nothing can be done until the organization determines the requirements, such as what devices are essential for work purposes? Who is allowed to use them? What data should such a person be allowed to handle on a portable device? Is it against our data policies to allow a user to take work home, and if so, does it make sense to give them access to removable storage?
With that said, a security policy is only a starting point. We’ve talked with customers who start with a security policy and hope that users do the right thing to honor the policy. Most of the time, the user gets it right. Sometimes lapses occur. Sometimes a user doesn’t know what to do. Sometimes a user will try to subvert the policy with good intentions but the wrong actions (i.e. trying to get a report done while working at home, but taking the raw data home on an unencrypted device).
What’s needed is a way for the desktop operations team to provide tools that allow users to follow the rules without having to think through it, and that’s where device control comes in. Device control generically describes a way for an organization to identify the types of devices plugged into a computer, and determine whether such devices fall within policy. Some organizations may see external hard drive storage as a risk, and block them entirely. Some organizations may see MP3 players as an acceptable risk, and allow a user to plug it in for charging. With device control software, it can map out the security policy into rules that govern what particular users may do with a particular device on a given computer.
Other issues to expect.
Unapproved storage – Perhaps an organization wants to provide users the benefit of portable storage, but they want to make sure that only approved devices are used. For instance, an organization may deploy encrypted USB storage devices that have methods for enterprise data recovery in case the user forgets the password. By having proper device control software in place, they can ensure that only IT-approved devices are used in the employee’s system, and unapproved devices are not.
Direct attack – The next generation of malware has arrived with USB devices that emulate a keyboard. While the concept is not new (there are certain one time password tokens that emulate a keyboard, for instance), the attack vector is interesting because there is NO malware on the drive. There’s no rogue program for an antivirus program to detect. What these devices do is that they pretend to be a keyboard, and the programming on the device allows it to type commands into the user’s computer with all of the rights & privileges of the user. For instance, the target receives what looks like a USB flash drive, and plugs it into the computer. It mounts as a keyboard, except that it’s programmed to type commands all on its own. The drive may open a shell to escalate its own privileges, mail an important file or change the firewall settings, allowing an attacker to log on directly. This all occurs without software running on the victim’s computer. The only way to prevent it is to stop the device from mounting in the first place.
Is an enterprise-wide policy needed?
Enterprise-wide policies are important to setting the groundwork for honoring the security policy (and that’s why I emphasized it before, because data classification exercises often reveal the use cases for when to allow/prevent the usage of removable storage devices). The rule of thumb here is that there will need to be more policies with larger user populations. For instance, a policy that only does allow/prevent for a broad range of devices is like cutting a diamond with a chainsaw. There’s not enough precision within the policy to something that everyone can live with. That’s why being able to adapt according to who the user is and what they should do, along with mapping that back to what data they can handle can play a big difference in how to roll out an appropriate set of policies across the enterprise.
We thank you for the opportunity to share some strategies on this topic. It’s both important and has direct effects on what’s going on today as organizations struggle to keep the upper hand over data breaches and malware. Device Control is a sound part of the strategy to keep sensitive data safe and under control.