In several occasions i noticed a trend by which companies are identifying and protecting themselves against information theft and virus infections from all electronic transport channels, like email, web, file transfers, p2p etc. Those same companies are flagrantly overlooking the risks related to physical transport media, especially USB flash drives
The older readership will certainly agree state that the USB flash drive is the new floppy. For the younger generations, the floppy disk (diskette) was a primary means of data transfer in the late 80ies and early 90ies - before the era of CD-RW and high speed Internet.
In those days Large corporations removed floppy drives from corporate pc's to prevent the employees from stealing information, or bringing in things like Tetris and GP2 (small racing game, fitte in 300kB).
This same trend is now being repeated via the USB flash drives. Here are the possible risks of using personal USB flash drives:
- An employee can take corporate documents home (excel sheets, word documents, even larger data-sets) - a very easy method of information theft. Even if done with the best possible intentions, like taking materials to work at home, a lot of such documents are forgotten on private USB drives, which leads to information leaks.
- An employee can bring pass time games downloaded from the Internet - there is no such thing as a free lunch. A lot of these "free" games are loaded with keyloggers, trojans and viruses, which will be brought in by the persons you trust - your employees!
- An employee can bring music to and from work (mostly pirated) - whether music increases productivity can be discussed, but should an audit occur, a lot of pirated mp3s will be found on the corporate network, leading to costly litigation.
- An unsupervised visitor may bring a USB flash drive and insert a malware through the Autorun function - It is very easy to enable Autorun on a USB Flash drive. The Autorun will run an executable and can possibly bring in a keylogger or trojan in the network.
It is very difficult to control the carrying of USB flash drives unless you enforce a full body search policy. So here are several steps that can be used to control their usage
- Institute a formal corporate policy banning the use of USB flash drives, subject to disciplinary action.
- Organize periodic awareness training for all employees on the risks of using USB flash drives. In the training, include a demo of a malicious attack which will install a trojan from a rogue USB.
- Disable Autorun on all drives
- Implement a technical policy preventing the use of USB flash drives on your network. This is usually done through Active Directory Group Policy in Windows. Here are two tutorials from Microsoft http://support.microsoft.com/kb/823732 and http://support.microsoft.com/kb/555324
Check Your DNS Zone Transfer Status
6 steps to securing your backup media
8 Tips for Securing from the Security experts
Talkback and comments are most welcome