How to lock down USB devices


Rich Mogull, Contributor

Despite all the attention paid by enterprises and vendors alike to data leaks that occur over email or the Web, the truth is that sensitive corporate data is far more likely to end up in someone else's hands through a lost laptop, CD, or USB drive. Here are just a few real-world examples:

1. In May 2006, the U.S. Department of Veterans Affairs revealed that the personal information -- including Social Security numbers -- of more than 26 million veterans had been lost on a stolen laptop. The records were actually on a portable hard drive, which was later recovered.

2. In October 2007, Her Majesty's Revenue & Customs service lost two CDs containing the financial records of 25 million UK citizens.

3. In February 2006, a Deloitte & Touche employee left a CD with personal records of 9,290 McAfee Inc. employees in an airline seatback.

4. In 2007, reports surfaced that USB flash drives with sensitive military information were being sold in street markets in Afghanistan.

While it's fairly straightforward to protect a laptop using full-disk encryption, portable media presents more challenges. Mobile employees often have a legitimate need to use such devices to transfer data, even sensitive data, while on the road. At one time specialized hardware was considered for this task, but prices have dropped so much that even gigabyte thumb drives are routinely handed out for free on conference floors, and it's hard to find a laptop without a CD or DVD burner included as standard.

Although there are still a few organizations sending techs out armed with hot glue guns to gum up the USB ports and read-only CD drives on their client machines, most enterprises rely on a slew of software options to manage these potential leak points. Let's review a few of them below:

1. On Windows XP and Vista, group policy objects can be used to restrict device installation. Vista offers more granular policies than XP, but devices already installed by the user may still be accessible depending on how the GPO is configured. This option is free, but it is not as flexible as alternatives, and it may not offer as much security.
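The following PowerShell script is an added example, not code from the original tip or from Microsoft; it audits and applies the registry values that the group policy settings described above write. It assumes an elevated session on Vista or later for the device-installation and removable-storage policies (the "Removable Disks: Deny write access" policy does not exist on XP, where disabling the USBSTOR driver start value is the usual fallback), and that the policy-backed key paths below are the ones the local Group Policy editor maintains.

```powershell
# Added example (not from the original article): audit and apply the Windows
# policies the tip refers to, via the registry values that the corresponding
# group policy settings write. Run in an elevated session on Vista or later.

$DeviceInstallKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
# GUID_DEVINTERFACE_DISK: the removable-disk class targeted by the
# "Removable Disks: Deny write access / Deny read access" policies (Vista+)
$RemovableDiskKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
# XP-era fallback: the USB mass-storage driver's service start value
$UsbStorServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, $Default = $null)
    if (-not (Test-Path $Path)) { return $Default }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-RemovableStoragePolicy {
    # Report the effective state so an auditor can see which controls are on
    [pscustomobject]@{
        DenyRemovableDeviceInstall = (Get-RegistryValueOrDefault $DeviceInstallKey 'DenyRemovableDevices' 0) -eq 1
        DenyRemovableDiskWrite     = (Get-RegistryValueOrDefault $RemovableDiskKey  'Deny_Write' 0) -eq 1
        DenyRemovableDiskRead      = (Get-RegistryValueOrDefault $RemovableDiskKey  'Deny_Read'  0) -eq 1
        # Start = 4 means the USBSTOR driver is disabled; 3 (manual) is the default
        UsbStorDriverDisabled      = (Get-RegistryValueOrDefault $UsbStorServiceKey 'Start' 3) -eq 4
    }
}

function Set-RemovableStoragePolicy {
    # Block installation of new removable devices and, unless -AllowWrite is
    # given, deny writes to removable disks that are already installed. Both
    # values are written because, as the tip notes, the install restriction
    # alone leaves previously installed devices usable.
    param([switch]$AllowWrite)
    foreach ($key in $DeviceInstallKey, $RemovableDiskKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $DeviceInstallKey -Name 'DenyRemovableDevices' -Value 1 -Type DWord
    $deny = if ($AllowWrite) { 0 } else { 1 }
    Set-ItemProperty -Path $RemovableDiskKey -Name 'Deny_Write' -Value $deny -Type DWord
    Get-RemovableStoragePolicy
}

# Usage:
#   Get-RemovableStoragePolicy               # audit only
#   Set-RemovableStoragePolicy               # block new devices, deny writes
#   Set-RemovableStoragePolicy -AllowWrite   # e.g. a laptop group that may write
```

In a domain the supported route is still the GPO editor (Computer Configuration > Administrative Templates > System > Device Installation and > Removable Storage Access); the script is useful for auditing a machine's actual state, for lab machines, or for confirming that a GPO has applied, since a domain GPO will overwrite these locally set values at the next refresh.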

2. A variety of third-party software tools can restrict access to portable storage, including CD-ROM and USB devices -- Policies can be extremely granular, allowing access to only corporate-approved devices, or allowing read-only connections to digital cameras and music players while still preventing outbound data transfers. Most tools support role- and system-based policies, allowing restrictions for different user and computer groups (e.g. completely disabling write access for desktops, while allowing it for executive laptops).

3. Third-party software to block or audit access to portable storage -- Policies can allow access while keeping a secure copy of the files, which are then sent to the management server the next time the laptop connects to the corporate network. An administrator can then review the activity, including the contents of the file, to see if it complies with policy.

4. Encryption software for optional or mandatory encryption of data on portable storage -- Users can choose (depending on policy) between corporate and group keys, or self-decrypting archives with password protection for transfer to partners not using the same encryption software. Some tools can apply policies based on user, group, system or even storage device.

5. Dedicated USB devices tied to central policies -- Probably the most expensive option and they don't offer any material security benefits over software solutions.

6. Data loss prevention products with endpoint protection -- These tools can apply dynamic policies based on detected content. For example, a file with credit card numbers can be restricted, while a PowerPoint presentation with no sensitive content can be transferred. The best tools use deep content analysis to protect not only easily recognizable data like credit card and account numbers, but also less structured data like portions of protected documents. Some tools include, or partner for, encryption. DLP is the most flexible option, and all tools will eventually have to include content-based capabilities. They are more complex to define policies for, however, and maturity levels vary greatly.
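To make the content-based policy in option 6 concrete, here is an added PowerShell example (not code from any DLP product the tip describes) of the kind of check an endpoint agent performs before allowing a copy to removable media: it flags 13- to 16-digit sequences only when they pass the Luhn check, so a slide deck full of ordinary figures is not blocked. The file names and contents are constructed sample data; the functions and their names are this example's own.

```powershell
# Added example (not from the original article or any DLP product): a minimal
# content-aware transfer check. Credit card numbers are detected by pattern
# plus Luhn validation rather than by "any long run of digits".

function Test-LuhnNumber {
    param([string]$Digits)
    $sum = 0
    $double = $false
    # Walk from the rightmost digit, doubling every second one
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]          # [string] first, or '4' becomes 52
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CardNumbers {
    param([string]$Text)
    # Candidate: 13-16 digits, optionally separated by spaces or dashes,
    # not embedded in a longer digit run
    $pattern = '(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)'
    $hits = @()
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if ($digits.Length -ge 13 -and $digits.Length -le 16 -and (Test-LuhnNumber $digits)) {
            $hits += $digits
        }
    }
    return $hits
}

function Test-TransferAllowed {
    param([string]$Path)
    $text  = Get-Content -Path $Path -Raw -ErrorAction Stop
    $found = @(Find-CardNumbers $text)       # force an array so .Count is reliable
    [pscustomobject]@{
        File    = $Path
        Allowed = ($found.Count -eq 0)
        Matches = $found.Count
        # Mask all but the last four digits so the audit record itself is not a leak
        Sample  = $found | ForEach-Object { ('*' * ($_.Length - 4)) + $_.Substring($_.Length - 4) }
    }
}

# Constructed sample files: one holds a Luhn-valid test number, the other
# only ordinary numbers that merely look similar
$sensitive = Join-Path $env:TEMP 'expenses.txt'
$harmless  = Join-Path $env:TEMP 'deck-notes.txt'
'Card on file: 4111 1111 1111 1111 for travel'                    | Set-Content $sensitive
'Order 1234 5678 9012 3456 shipped; slide 3 has the Q3 numbers'   | Set-Content $harmless
Test-TransferAllowed $sensitive    # Allowed = False, Matches = 1, Sample = ************1111
Test-TransferAllowed $harmless     # Allowed = True (1234...3456 fails the Luhn check)
```

Real products extend this in two directions the tip mentions: fingerprinting or partial matching of protected documents for less structured data, and tying the verdict to an action (block, encrypt, or allow with a copy shadowed to the management server). The masking in the audit record matters for the option 3 style of auditing as well, since a log of every flagged value would itself be a sensitive store.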

Enterprises have a wide variety of options, from simply blocking devices to real-time content-based policies tied to dynamic encryption. The best option for your organization will depend on your specific needs, user tolerance, budget, and existing infrastructure.

About the author
Rich Mogull is the founder of Securosis LLC, an independent security consulting practice. Prior to founding Securosis, he spent seven years as an analyst at Gartner Inc. He blogs regularly on security issues at http://securosis.com.

