The vast majority of security breaches are perpetrated by trusted employees; it is therefore extremely important to take a hard look at your network's internal security. One of the single biggest internal threats to network security is the use of USB storage devices. USB storage devices can be used to steal large quantities of data from your network. Anything a user has access to can be copied to a USB storage device.
The risk of users copying data to removable storage devices has always been a problem, but USB devices present some unique challenges. For example, a few years ago, if a user wanted to steal data, his or her primary option for doing so was to use a floppy disk. Floppy disks are slow and have a very limited capacity, severely limiting the quantity of data a user could steal.
In contrast, USB storage devices are much faster and can store vast quantities of data. Even a simple USB flash drive can accommodate up to 4 GB of data, and the sky is pretty much the limit when it comes to USB hard drives. Furthermore, USB flash drives are cheap and easy to conceal.
Another problem with USB storage devices is they can also be used to upload applications to an organisation's computer. I have seen several instances in which a user has copied an installation disk to a USB flash drive and then used the drive to install the application on his or her PC at work.
When a user installs an unauthorised
One often-overlooked problem with unauthorised applications is companies are required by law to purchase software licenses for any application in use. If a user installs an unauthorised application, technically the company is required to have a license for that application -- even if it did not know about the application.
As you can see, many problems can be caused by rogue use of USB storage devices. Fortunately, there are a number of things you can do to combat the problem. None of these solutions are perfect in and of themselves, but you can usually combine some of the various techniques in a way that helps your organisation effectively control USB storage devices. In this tip, we'll start out with two basic methods used to address the security concerns that USB storage devices pose.
One of the oldest and most effective techniques for controlling the use of USB storage devices involves pumping the workstation's USB ports full of epoxy. This makes it physically impossible for a user to plug a USB device into his or her workstation.
Although this approach is extremely effective, there are a couple of problems with it. In many organisations, workstations are not equipped with CD or DVD drives. This helps to save costs, and reduces the chances of users installing unauthorised software. Often, though, help desk staff members may need to use a CD or DVD to reinstall Windows or fix a problem with an application. That being the case, it is common for the help desk staff to use a portable CD or DVD drive that connects to the machine's USB port. It the ports are plugged up, this isn't an option.
The help desk staff still has the option of temporarily installing an IDE-based drive, but this is far more time consuming, since it involves opening the PC's case. It is usually much more efficient to plug a portable drive into a USB port.
One of the biggest arguments against plugging up a computer's USB ports with epoxy is that doing so usually voids the system's warranty. I have also heard unconfirmed stories of technicians turning on a PC before the epoxy is completely dry and causing damage to the system board as a result.
Another common technique for preventing use of USB storage devices is to disable the workstation's USB ports at the BIOS level. This technique isn't nearly as drastic as pumping the ports full of epoxy, because a support technician has the option of re-enabling the ports should they be needed.
This technique works relatively well, but it does have two major drawbacks. First, not all systems offer the option of disabling USB ports. The other drawback is that disabling USB ports is an all-or-nothing proposition. If you disable a system's USB ports, you will prevent unauthorised use of USB storage devices, but at the same time you will also prevent them from using legitimate USB-based keyboards, mice or printers.
In the next tip in this series, I will continue the discussion by showing you how group policies can be used to prevent the use of USB storage devices.
This was first published in October 2007