Tiny, almost undetectable and with almost limitless powers to wreak havoc on your network: USB drives are like thousands of back doors through which malicious code can sneak in and confidential data can gush out whenever your back is turned.
The rise in popularity of USB flash memory drives over the last few years has been as inexorable as their falling prices. Instantly recognized by Windows XP or Mac OS X without the need to install any drivers, they can be used to copy gigabytes of data from your network, or to introduce applications, data, viruses and malware in a matter of minutes. In fact it's not just flash drives that are a problem. Any MP3 player with a USB interface – and that includes almost all players, including Apple's iPod – can also be used as a data storage medium, with the potential to hold tens of gigabytes of information which can be transferred to or from the network. IDC predicts that sales of mini-hard disks – most of them portable devices and many built in to MP3 players – will increase by 500 per cent to 100 million units a year by 2008.
Since anyone can install a USB drive by simply plugging it in to a USB port – you don't need to be an administrator in Windows XP or 2000 – and since USB devices can't be managed using Group Policy, this presents a very serious security problem from a network administrator's point of view.
Here are the main potential problems that USB devices present:
Viruses. For the last ten years or so, most viruses have come from the Internet, and network administrators have been able to confront them using a variety of methods including email scanners and firewalls to block suspect sites. But USB drives make it easy to bypass these methods by introducing software and data straight on to network PCs.
Other malware. Because of their vast capacity, it's easy to use USB devices to introduce pornography and other inappropriate video clips, illegally copied MP3 files, bandwidth-hogging peer-to-peer file swapping applications and spyware on to the network.
Data theft. Again because of their capacity, USB devices are ideal for copying price lists, entire customer databases, product designs and any other confidential information. Employees armed with a keyring-sized flash device could walk out of the office with most of a company's information assets on a tiny and almost undetectable device.
Loss of confidential information. In many organizations, employees find it tempting to load data onto USB drives to take home with them to use on a desktop machine rather than carrying a laptop between work and home. But because the drives are much smaller than a laptop, they are far more likely to drop out of a bag or pocket unnoticed. Consequences can range from inconvenience and bad publicity to serious commercial setbacks or even regulatory penalties and legal action.
So what can be done?
For organizations where the primary concern is theft of data by employees, it's necessary to look to third party security software. Products such as SecureWave's Sanctuary Device Control give network administrators complete control over every I/O port on every Windows PC on the network on which the Sanctuary client software is installed. Using a centralized database, it's possible to grant permissions for particular users to use specific devices – the secure USB drive issued by the IT department, for example. For compliance and security purposes each data transfer can be logged, so administrators know which user is copying data and when, and an exact copy of the data transferred can also be stored. The software is relatively inexpensive – about $30 per user – and for some organizations it may be worth investing in. It is up to you, however, to determine that the software you select is secure enough and can be relied upon not to be easily bypassed.
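The per-user, per-device permission model described above can be sketched as a default-deny check keyed on the drive's serial number, with every decision logged. This is an added example, not SecureWave's code or any product's implementation; the permission table, user names, host names, serial numbers and connection events are all constructed, and the only real-world detail relied on is the shape of Windows USB storage instance IDs.

```python
import re

# Shape: USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<n>
INSTANCE_ID = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$", re.IGNORECASE)

# Constructed permission table: serial of an IT-issued drive -> permitted users.
ISSUED_DRIVES = {
    "AA04012700012345": {"alice"},
    "AA04012700067890": {"bob", "carol"},
}

# Constructed connection events: (user, host, device instance ID).
EVENTS = [
    ("alice", "PC-014", r"USBSTOR\Disk&Ven_Lexar&Prod_JumpDrive_Secure&Rev_1.00\AA04012700012345&0"),
    ("dave", "PC-022", r"USBSTOR\Disk&Ven_Lexar&Prod_JumpDrive_Secure&Rev_1.00\AA04012700012345&0"),
    ("bob", "PC-031", r"USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_1.62\000A27001234ABCD&0"),
    ("carol", "PC-007", r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2f1a9c3&0"),
]

def device_serial(instance_id):
    """Return (parsed_ok, serial); serial is None when the device reports none."""
    m = INSTANCE_ID.match(instance_id.strip())
    if not m:
        return False, None
    instance = m.group("instance")
    # '&' in second position: Windows generated the ID, the device has no serial.
    if instance[1:2] == "&":
        return True, None
    return True, instance.split("&")[0].upper()

def decide(user, instance_id, issued=ISSUED_DRIVES):
    """Default-deny: allow only an issued drive in the hands of its assigned user."""
    ok, serial = device_serial(instance_id)
    if not ok:
        return False, "unparseable device id"
    if serial is None:
        return False, "no unique serial"
    if serial not in issued:
        return False, "not an IT-issued drive"
    if user.lower() not in issued[serial]:
        return False, "drive not assigned to this user"
    return True, "issued drive, assigned user"

def audit(events):
    """One log record per connection attempt, allowed or denied."""
    return [{"user": u, "host": h, "device": d, "allowed": a, "reason": r}
            for u, h, d in events for a, r in [decide(u, d)]]
```

Calling `audit(EVENTS)` returns one record per attempt; denied attempts are kept alongside allowed ones because they are the entries an administrator reviewing policy violations needs.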
This sort of software may not suit your organization, or it may be that you are more concerned about the accidental introduction of viruses onto your network than data theft, so it's worth examining other solutions. These are likely to involve many parts of the company including IT, HR, and possibly even the legal department.
The best way to tackle the USB drive problem is probably to recognize that many of the people who use USB storage devices are not doing so maliciously – they just see them as neat gadgets for moving apps and data around. So educating users about the dangers of USB devices – viruses, data loss and so on – should be a first priority.
Since USB flash memory sticks are convenient, the chances are that some employees will still want to use them, even when they are aware of the risks. It is probably better to control rather than prohibit their use by making them available through the IT department to those who really benefit from them. There should then be a clearly stated corporate policy indicating that employees' own USB drives, including MP3 players, should not be connected to corporate PCs – only drives issued by the IT department should be permitted. The legal and HR departments may have to become involved if rules about employees' own USB drives are to be enforced, but it is probably impractical to try to prevent employees from bringing their iPods into the workplace to listen to at lunch time just because they could connect them to their PCs.
How does this help? Because the IT department can issue flash drives such as Lexar's JumpDrive Secure which offer password protection and 256-bit AES data encryption so that even if the device is lost or stolen, the data stored on it is inaccessible. For greater protection, drives which include a biometric fingerprint scanner are also available. Staff who are issued with USB drives to transfer data should also be educated to scan them for viruses regularly.
Deciding exactly what steps to take to minimize the risks posed by USB drives is a tricky task, and there is no one-size-fits-all solution. Every organization's needs are different, and the costs and benefits of particular measures have to be assessed individually. As USB drives become ubiquitous it seems inevitable that most operating systems will, in the future, provide some way for network administrators to control their use quickly and easily. But until then these handy little devices will continue to be a security risk and should not be ignored.