Manage Learn to apply best practices and optimize your operations.

Controlling U3 smart drive use in the enterprise

Many users have loaded Skype on U3 smart drives to get around their company's security policy. In this expert Q&A, application security pro Michael Cobb explains the best ways to control the use of mobile storage devices and protect the confidentiality of your data.

Users have discovered that they can load Skype on U3 smart drives to get around our security policies. If we want to control p2p applications, what are our options? Can we employ application control on the desktop?
Mobile storage devices, or so called thumb drives, pose a real risk to network security. They can be used to download confidential data or introduce malicious code to the network. There has probably been far more corporate data lost to misplaced or stolen thumb drives than to laptops!

U3 devices compound these problems, since software can be downloaded on the host computer without any need for administrative privileges. U3 smart drives are specially formatted USB flash drives developed for Microsoft Windows systems, and they store and execute their own applications directly from the drive. Any data written to files or the host computer's registry is removed when the flash drive is ejected. This is an administrative nightmare, since users can easily run unauthorized programs that may consume bandwidth, impair network performance or undermine productivity. And the problem isn't going to go away. According to U3, forecasts predict USB flash drive sales to grow to 150 million units worldwide by 2008, with 70% of them projected to be smart drives.

You have various options to control the use of these devices. You could disable Universal Plug and Play, a set of protocols that automatically load USB storage devices as a drive, though this is a little draconian. A better solution is to control which USB devices are allowed to connect to your systems. GFI Software Ltd.'s EndPointSecurity, for example, allows administrators to log access and monitor the activity of storage devices such as USB drives and communication devices like BlackBerrys.

I would combine this type of defense with some form of application control at the desktop. Safend's USB Port Protector, for example, allows smart storage devices to be used strictly as simple storage devices (so long as they comply with the rest of your storage policy). The tool blocks their smart functionality so that programs can't be run from the device.

To tackle security issues involving Skype in particular, I would look to review your network border controls, such as firewalls, and stop the traffic on the network. Also, visit the Skype Web site, where you'll find an administrative template file for Windows Active Directory environments, allowing you to control Skype's use. At the end of the day, though, the only way to really reduce the risk of thumb drives is to develop and enforce an acceptable usage policy for thumb drives and U3-based applications. Your staff should also be made aware of the consequences of non-compliance.

More information:

  • Learn more about the threats that USB memory sticks pose to an enterprise.
  • Use this Messaging Security School lesson to protect your Blackberrys and other mobile devices.
  • This was last published in February 2007

    Dig Deeper on Information security policies, procedures and guidelines

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.