Over the last few years, computers have started shipping with more and more USB connections – it’s that little rectangular plug usually found on the back (and now front and even sides) of your PC, used to connect all sorts of devices to your computer – keyboards, mice, scanners, cameras, MP3 players, and a myriad of others. In fact, it is now impossible to get a computer without one. One of the most popular uses is to connect small thumb drives (also known as pen drives or USB drives) in order to back up, store, and transport data. In such a fashion, these are quickly becoming the de facto replacement for both write-able CD-ROMS and floppy disks. Typically, these are either dedicated storage devices or integrated as part of portable music players (such as the ever popular iPod) and can hold anywhere from 128 megabytes to 80 gigabytes (enough for most companies ENTIRE record set).
What, exactly, is the problem with this? A standard, high-speed, easy to use connection for almost every device sounds like a great advantage for computer users.
Unfortunately, there are some very serious security implications associated with USB and its ease of use. The worst of these deals with letting data get into the wrong hands. There are several ways that someone interested in your data might leverage USB to get your sensitive information and take over your computer resources. Even worse, as these devices grow in capacity, the danger they pose also increases.
The root of the problem stems from the way Microsoft’s Windows® operating system handles plug and play devices (which is what USB devices are). As you may have noticed, whenever you plug anything into a USB port, nine times out of ten, Windows® will automagically recognize and configure that device for use. If it is a USB drive, it even gets a drive letter. If Windows® detects that the device isn’t classified as “removable”, it will automatically run certain files found on that drive. (This is known as auto-run and is enabled by default in Windows®.) While many of the drives on the market today are considered by Windows® as “removable”, certain USB drive vendors actually configure their drives so Windows® detects them as “permanent”, thus making them capable of “auto-running” these files.
Someone trying to get your information could use one of these devices with a specially crafted auto-run program. When it is inserted into a computer, Windows® will happily launch this program without even asking the user and very likely not even letting the user know something is happening.
This approach can be used in several ways to compromise your data and computers. An attacker could come to your location posing as a legitimate customer and manufacture some excuse to be alone with your computer for a few minutes (how many times have you left your computer unattended even for a few minutes to check on something or get a print out on a printer?) while they insert one of the small devices into the computer. Within a few seconds or minutes, hundreds of files could be copied to the USB drive (the new term for this is called “pod slurping”). They then unplug the drive and walk out of your business with data they can sell or otherwise use.
Another scenario involves an attacker at a trade show offering “free” USB drives –a very popular item. They might easily distribute hundreds of these if the convention is large enough. Anytime someone inserts one of these drives, it quickly goes about its job of finding sensitive data and emailing or uploading it someplace on the internet. Even worse, it could be used to install a virus, worms, or other malware onto the computer and allow the attacker to connect to the computer whenever they are ready, potentially by-passing any forms of firewalls, virus scanners, and other security measures.
However, this type of threat isn’t only limited to outside attacks. With the size of these drives and the power of readily available software, a disgruntled employee could easily and very quickly copy thousands of files and walk out the door without raising any suspicions even from the most carefully monitored network (Sound far fetched? There have been several reported cases of this.).
Even worse, the danger might not even be directly the cause of disgruntled employees or malicious attackers. Many people use these devices to keep a copy of their files as they travel or take them home to work on them after-hours. With the capacity and small physical size, a lot of data is kept in a way that can be easily lost or stolen. It’s easy to spot someone running away with your laptop bag, but if they slip the USB drive into a pocket, they become impossible to find. More dangerous is the doubting of theft: was it stolen or did you just happen to lose it? This leads to delayed reporting of the loss and potentially greater damage if it was indeed stolen.
Finally, if an employee does use these drives to take work home, is there any guarantee that the home computer is as well protected as the corporate one? Too many times have there been stories about malware making their way into a corporate setting because someone brought a USB drive from home that was infected. Since Windows® configures these drives on the fly, its possible that the anti-virus program could be by-passed since they may be only set to scan previously existing drives, allowing the virus to gain access to your company network.
So what can you do?
Thankfully, there are quite a few strategies that can help mitigate the risk of USB drives in your environment. Naturally, the strength of your solution will need to be tailored to the sensitivity of your data, the potential for harm, and the potential for attack. A bank will have much different exposure from this threat than would a cash-only craft’s store, although both should take care to protect their customer’s data.
Although it seems everyone jumps to the technical solutions first, one of the best ways to combat this problem is through a strong, well enforced policy regarding USB drives. If possible and applicable, USB drives should be prohibited. This includes everyone (even the IT staff and system administrators who are some of the most likely to want to use them, but also the most likely to go to conferences that offer them as free gifts!). This means anyone seeing a USB drive will know instantly that it shouldn’t be there and can report the incident immediately.
If this isn’t possible, their use should be permitted on a use-by-use basis to employees that have been made aware of the risk. Any drives of unknown origin (from vendors, gifts, etc) should be connected to an isolated machine to be scanned for viruses and wiped clean before use.
Once a good policy has been established, technical measures can be put into place to enforce it. One of the easiest and cheapest of these is to disable the use of USB ports from the BIOS. The BIOS controls many of the hardware settings of your computer and is typically accessed at the very onset of the boot up process – often a black screen with the manufactures logo on it.
Unfortunately, this means that ALL USB devices will be non-operational. With the spreading use of USB, this solution is impractical on newer machines since they don’t allow for traditionally connected keyboards and mice, only USB connected.
That leaves a software solution. Growing awareness of this problem has seen the introduction of software that allows you to control what kind of devices Windows® will allow to be connected and used. For example, keyboards and mice could be o.k., but any type of storage would be denied. Ultimately, this is the most flexible technical solution. Even better, as these products mature, they are allowing for centralized management. This means if John in accounting gets a scanner to digitize receipts, you could authorize its use from anywhere on the network.
Finally, if USB drives are an integral part of your business, and the use outweighs the risk, then all data should be encrypted on them. This keeps data from being readable should the drive get stolen or lost. There are many products out there that make this process simple and mostly transparent, and offer excellent levels of protection.
Three other strategies can also help mitigate the risk of USB drives if their use is a must in your company. These three are not directly related to USB concerns, but are good network security practices in general. First, special care should be taken to ensure that your users only have access to files and information that is commensurate with their job titles – don’t let the new hire have access to the president’s files! Second, don’t let your users run as full administrators of their own workstations – many viruses and Trojans rely on this for successful attacks. And finally, keep customers away from your computers if possible. Keep them behind a counter or out of sight. Using these three strategies help limit the amount of data accessible by hackers or disgruntled employees.
Many organizations have no need to allow these devices on all computers and should take steps to ensure they are not used. Those that do feel a need to use these devices should work on training their users and taking the appropriate actions to protect their data, both on their computers and while on the USB drives.
In fact, each company will likely need to investigate and adopt a blend of these strategies to meet their needs and still protect their data.
USB drives really do offer a vast improvement over floppy disks and CD-ROMs. They are fast, portable, and easily re-writeable, making them ideal for certain applications. Unfortunately, the things that make them so convenient can also make them very dangerous and their use must be tempered with knowledge of that danger and the risks weighed against the benefits.
David Hefley operates Meridian Consulting, an information technology firm based out of Lincoln, NE.
Copyright 2007 David Hefley