USB flash drives, pen drives, portable hard disksthese tiny,
high-capacity storage devices have a thousand and one uses. They have rendered
most other types of portable storagefloppy disks, ZIP drives, and even
rewritable CDspretty much obsolete. Their high capacity and high reliability
(with no moving/mechanical parts to fail), combined with extreme ease of use
makes them the ultimate in portable storage. You rarely need to install drivers
for them, making them true plug and play devices. At the time of this writing,
a 2GBUSB2 flash drive will set you back £37thats pretty affordable!
There is no question that USB portable storage has changed
the way people view portable media and the way in which people work.
Previously, 3.5" floppy disks were used to cart work back and forth; any
IT support staff can tell you that these were less than reliable, and trying to
explain to users why their disks had become corrupted was no easy task! Any
files over the 1.4-MB limit of a floppy disk would require either a ZIP drive,
or later, a writable CD to transfer. The ZIP drive was awkward to carry around,
requiring drivers to be installed on most PCs, which was often not allowed by the
Windows policies in place. CDR/RW was a great improvement but the media was
delicate and still gave some compatibility issues with older CDROM drives not
being able to read the new disks. USB Flash drives saved us all; however, they
do now present administrators with a new set of problems, and re-present olderissues.
An interesting report in the
Los Angeles Times
Los Angeles Timesa few weeks back highlighted one major security issue
which has been created with the introduction of USB storage. Im sure we would
all imagine military security to be of a high standard when compared to small
businesses or even large corporationshow shocking it is, then, to see that
reporters bought USB flash devices from a bazaar 200 yards outside of the Bagram
military base in Afghanistan. These devices (stolen from the base by cleaners
and other local workers) contained documents marked "Secret," which
named suspected militants, documented U.S. efforts to remove Afghan government
officials, and a classified briefing on "man portable counter-mortar
radar" now being used in Iraq. One device also listed over 700 servicemembers with their social security details, opening them up to identity theft.
This highlights the greatest danger posed by plug and play
portable storagedata loss. While the spread of viruses and the theft of data
also pose an issue, there are clear and simple methods to deal with these
problems. Virus outbreaks are handled by ensuring that on-access scanning is
enabled on corporate machines and virus definitions are kept up to date. Data
theft can be hampered by making sure that all machines are password-protected
and locked while not in use (including once the screensaver has been
activated). Data loss, however (e.g., lost or stolen USB drives which contain
sensitive information) is much harder to deal with. One solution is to make
sure that users are equipped with secure
storage devices. These devices have encryption/conditional access programs
included, which require a password to access the contained data. If lost or
stolen, these will be pretty much useless to the new owner. The real problem
is that unless you equip every user with once of these devices, someone will
still use their own unsecured device (even if you do equip everyone, they may
still use their own devices). There are only two ways to stop thisboth prettydrastic.
locks these little devices basically blank off USB ports, meaning
that users cant plug in unauthorised devices. This means, however, that
if you authorise them to use one USB device, they can basically use any. Im
also sure than any smart and determined user would find a way to removethese by themselves.
Group Policy This addition to the Windows Group Policy will allow
administrators to disable removable media. This seems like a more sensible
approach as it still allows USB devices like mice to be used. It will alsomean administrators can exclude certain users from the restrictions.
All things considered, USB storage has been a godsend for
both administrators and end usershowever, it is important to be aware of therisks that they pose and to educate our users.
What is your company's policy on the usage of USB
media? How do you control its use? It would be interesting to hear yourexperiences and opinions.