October 24, 2008, 9:49 AM — Today's small, portable USB thumb drives can store significant amounts of data and be easily slipped into a pocket without anyone noticing. This makes it possible for someone to copy data from a network, walk out the company door, and transfer the same data onto another PC. If that data happens to be valuable company information that makes its way into the hands of a competitor, your company could be in serious trouble. The same applies when someone simply loses the device. Either way, you put your company at risk by allowing employees to access data through USB ports on your company network.
There are certainly some legitimate situations where employees need to transfer data to different locations so they can work on files from home or on the road. Oftentimes it's much more practical to copy a folder to a thumb drive than to e-mail individual files to themselves.
Some companies have opted to set no policies or controls to address this risk, leaving the data vulnerable to attack and loss. Others have taken the other extreme by disabling USB services on all desktops for all employees, potentially inhibiting business transactions and diminishing employee productivity. One must consider, however, both the risk and the business impact of each extreme measure and choose a solution wisely.
The answer to the challenge is to find a balance by employing a set of policies that govern the use of USB ports and require the use of encryption and approved thumb drives. Businesses can configure systems to dictate which files can be accessed, who can copy files to USB devices, and to which USB devices the files can be stored.
When it comes to financial data, you may decide it's OK for only the CEO and CFO to copy any and all files from their desktops while you might allow the sales manager to copy his or her sales data to/from any desktop. In any case, you'll want to know what files are being taken. Therefore, it's also a good idea to establish an auditing process to analyze who within your company is copying files to removable USB drives. This helps to reduce the risk of someone accidentally or intentionally violating company policy without your organization being aware of the breach.
Putting malicious intent aside for the moment, problems can also arise from carelessness. With proper permission, your CFO could copy sensitive financial data to a thumb drive to work on during a business trip. The data might then be copied to a home desktop. Once the data is on the home machine, it could be exposed to hackers and malware as the company likely has no control over protecting the home PC from attack or intrusion. It's also possible the thumb drive could be accidentally lost or stolen once the CFO leaves the office. To protect against these situations, the best approach is to enforce the use of USB encryption and/or encrypted thumb drives.
USB encryption and encrypted thumb drives are both easy to use. Both methods force users to choose a password, which is then required to copy or open the files on the drive. This protects your company against hackers who might access the data if the device is lost or stolen. To encrypt the data on the drive, it's just a matter of applying an encryption policy to the device or purchasing devices that come with the encryption built in. With both options, you can ensure your data is safe and invisible to those without the password.
The policies and the encryption attributes you establish relative to thumb drives should also be applied to CD writers and other portable storage devices such as FireWire devices, floppy drives, and Infrared ports. It can be just as easy to maliciously steal or carelessly lose information from these devices. But with the proper use of the same policies, auditing and encryption you apply to your USB thumb drives, you should be in good shape when it comes to protecting your valuable data assets – allowing you to give your business the thumbs up to use thumb drives.
Sean Martin, CISSP, is VP of Marketing for SkyRecon Systems of San Jose, Calif. and Paris. Write him at firstname.lastname@example.org.