The vast majority of security breaches are perpetrated by trusted employees; it is therefore extremely important to take a hard look at your network's internal security. One of the single biggest internal threats to network security is the use of USB storage devices. USB storage devices can be used to steal large quantities of data from your network. Anything a user has access to can be copied to a USB storage device.
The risk of users copying data to removable storage devices has always been a problem, but USB devices present some unique challenges. For example, a few years ago, if a user wanted to steal data, his or her primary option for doing so was to use a floppy disk. Floppy disks are slow and have a very limited capacity, severely limiting the quantity of data a user could steal.
In contrast, USB storage devices are much faster and can store vast quantities of data. Even a simple USB flash drive can accommodate up to 4 GB of data, and the sky is pretty much the limit when it comes to USB hard drives. Furthermore, USB flash drives are cheap and easy to conceal.
Another problem with USB storage devices is they can also be used to upload applications to an organization's computer. I have seen several instances in which a user has copied an installation disk to a USB flash drive and then used the drive to install the application on his or her PC at work.
When a user installs an unauthorized application, it has the potential to cause all sorts of problems. For example, the application might be infected with a virus or malware. Likewise, the application may interfere with legitimate applications or with Windows' stability, resulting in unnecessary support calls.
One often-overlooked problem with unauthorized applications is companies are required by law to purchase software licenses for any application in use. If a user installs an unauthorized application, technically the company is required to have a license for that application -- even if it did not know about the application.
As you can see, many problems can be caused by rogue use of USB storage devices. Fortunately, there are a number of things you can do to combat the problem. None of these solutions are perfect in and of themselves, but you can usually combine some of the various techniques in a way that helps your organization effectively control USB storage devices. In this tip, we'll start out with two basic methods used to address the security concerns that USB storage devices pose.
One of the oldest and most effective techniques for controlling the use of USB storage devices involves pumping the workstation's USB ports full of epoxy. This makes it physically impossible for a user to plug a USB device into his or her workstation.
Although this approach is extremely effective, there are a couple of problems with it. In many organizations, workstations are not equipped with CD or DVD drives. This helps to save costs, and reduces the chances of users installing unauthorized software. Often, though, help desk staff members may need to use a CD or DVD to reinstall Windows or fix a problem with an application. That being the case, it is common for the help desk staff to use a portable CD or DVD drive that connects to the machine's USB port. It the ports are plugged up, this isn't an option.
The help desk staff still has the option of temporarily installing an IDE-based drive, but this is far more time consuming, since it involves opening the PC's case. It is usually much more efficient to plug a portable drive into a USB port.
One of the biggest arguments against plugging up a computer's USB ports with epoxy is that doing so usually voids the system's warranty. I have also heard unconfirmed stories of technicians turning on a PC before the epoxy is completely dry and causing damage to the system board as a result.
Another common technique for preventing use of USB storage devices is to disable the workstation's USB ports at the BIOS level. This technique isn't nearly as drastic as pumping the ports full of epoxy, because a support technician has the option of re-enabling the ports should they be needed.
This technique works relatively well, but it does have two major drawbacks. First, not all systems offer the option of disabling USB ports. The other drawback is that disabling USB ports is an all-or-nothing proposition. If you disable a system's USB ports, you will prevent unauthorized use of USB storage devices, but at the same time you will also prevent them from using legitimate USB-based keyboards, mice or printers.
In the next tip in this series, I will continue the discussion by showing you how group policies can be used to prevent the use of USB storage devices.
About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security at Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.
Are USB storage devices a serious enterprise risk?
Using Windows Vista group policy to prevent unauthorized USB device use
USB storage devices: Two ways to stop the threat to network security
Scan your network for devices
OSI: Securing the stack, Layer 1 -- Physical security threats
USB security: Secure USB drives and CoCO compliance