Home > Ask the Security Experts > Application Security Questions & Answers > Are USB storage devices a serious enterprise risk?
Ask The Security Expert: Questions & Answers
EMAIL THIS

Are USB storage devices a serious enterprise risk?

Michael Cobb EXPERT RESPONSE FROM: Michael Cobb

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 03 January 2007
Vendors often distribute USB drives as gifts, while some would argue that this is a bad idea because they can introduce risks into an environment. What exactly are these risks and how can they be avoided?

>
EXPERT RESPONSE
USB drives and other so-called thumb drives do pose a real network security risk. They have become so inexpensive that they are often used as promotional gifts. Although they can be useful, they can harbor confidential data or introduce malicious code to a network. Next-generation U3 smart devices pose an even greater risk because they store and execute their own applications directly from the drive. Software programs can be downloaded onto them without any requirement for administrative privileges on the host computer. As you can imagine, this is a potential administrative nightmare, since users can easily run unauthorized programs that may consume bandwidth, impair network performance and generally undermine productivity.

There are various options for controlling the use of these devices. One is to disable Universal Plug and Play, which automatically loads USB storage devices as a drive, though this method is a little draconian. A better solution is to control which USB devices are allowed to connect to your systems. GFI EndPointSecurity, for example, allows administrators to manage and log access and activity of storage devices such as USB drives, as well as communication devices like BlackBerrys. I would combine this type of product with some form of application control at the desktop. Safend Protector, for example, allows smart storage devices to be used as mere simple storage devices -- so long as they comply with the rest of your storage policy. The tool also blocks smart functionality so that programs can't be run from the device. Finally, if you are thinking of upgrading to Windows Vista, check out its built-in USB device control features.

More information:

  • Learn more about controlling U3 smart drive use in the enterprise.
  • Enforce a "no USB devices" policy.


    • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Application Security
    Can IBM's SMash technology secure Web applications?
    Why is backscatter spam so difficult to block?
    What are the risks of disabling the User Account Control (UAC) feature on Windows Vista?
    Protecting exposed servers from Google hacks (and Google 'dorks')
    Which automated quality assurance tools can be used to test software?
    Has proof-of-concept mobile device malware translated into any meaningful attacks?
    Is it possible to ban chat programs on an enterprise LAN?
    How to test the security of personal details submitted to a website
    Is security improved when the number of Internet gateways is reduced?
    Are Internet cafe users' email credentials at risk?

    Device Security Policy
    How can organizations secure implanted microchips and RFID tags?
    Finding lost notebooks with 'LoJack for laptops'
    iPhone security in the enterprise: Mitigating the risks
    VMworld: Desktop virtualization drives security skepticism
    Blogging on corporate laptops is risky business
    Will disabling thumb drives also affect the use of the keyboard and mouse?
    Wireless security: IT pros warily watching mobile phone threats
    Controlling U3 smart drive use in the enterprise
    Pod slurping: The latest data threat
    Report: FBI still losing laptops
    Device Security Policy Research

    Mobile Code
    Smartphones opening up enterprise risks
    Information security book excerpts and reviews
    When will attackers go mobile?
    Kaminsky on DNS rebinding attacks, hacking techniques
    Discovery of malware cesspool triggers attack fears
    Should the contents of a USB token be copied to a hidden directory called 'IEDW?'
    Controlling U3 smart drive use in the enterprise
    Mobile carriers admit to malware attacks
    Dozens of Web sites spread malicious Trojan
    Do USB memory sticks pose enterprise threats?

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    Targeted Security Channel Tips for Resellers, Integrators and Consultants
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts