U3 devices compound these problems, since software can be downloaded on the host computer without any need for administrative privileges. U3 smart drives are specially formatted USB flash drives developed for Microsoft Windows systems, and they store and execute their own applications directly from the drive. Any data written to files or the host computer's registry is removed when the flash drive is ejected. This is an administrative nightmare, since users can easily run unauthorized programs that may consume bandwidth, impair network performance or undermine productivity. And the problem isn't going to go away. According to U3, forecasts predict USB flash drive sales to grow to 150 million units worldwide by 2008, with 70% of them projected to be smart drives.
You have various options to control the use of these devices. You could disable Universal Plug and Play, a set of protocols that automatically load USB storage devices as a drive, though this is a little draconian. A better solution is to control which USB devices are allowed to connect to your systems. GFI Software Ltd.'s EndPointSecurity, for example, allows administrators to log access and monitor the activity of storage devices such as USB drives and communication devices like BlackBerrys.
I would combine this type of defense with some form of application control at the desktop. Safend's USB Port Protector, for example, allows smart storage devices to be used strictly as simple storage devices (so long as they comply with the rest of your storage policy). The tool blocks their smart functionality so that programs can't be run from the device.
To tackle security issues involving Skype in particular, I would look to review your network border controls, such as firewalls, and stop the traffic on the network. Also, visit the Skype Web site, where you'll find an administrative template file for Windows Active Directory environments, allowing you to control Skype's use. At the end of the day, though, the only way to really reduce the risk of thumb drives is to develop and enforce an acceptable usage policy for thumb drives and U3-based applications. Your staff should also be made aware of the consequences of non-compliance.
This was first published in February 2007