USB flash drives are everywhere. Not only can you use them to store data, you can also use them to boot secured workstations. Which is more of a hassle, blocking USB drives or supporting them? This entry discusses the problem and the implications of your decisions about flash drives.
In ITDojo, Bill Detwiler just outlined the steps necessary to boot Windows XP from a USB flash drive. Likewise, you can also create bootable flash drives for Linux and other operating systems. Booting from USB is a relatively recent development in the PC world, and as such it adds one more headache for security-conscious IT professionals.
Flash drives have presented security problems for IT for some time now because they can store gobs of your sensitive corporate data and make it portable. It's not just flash drives, either. Any device that can store data and connect to USB, such as a digital camera or an iPod, presents a way for people to remove data from your organization.
The question for IT leaders, however, is what to do about flash drives and other USB storage options. Do you allow them in your organization or do you block them? And what are the implications of blocking USB?
More than a technical hurdle
It's not all that hard to disable USB devices. There are all kinds of options to keep flash drives off your systems. You can disable USB in BIOS. All modern operating systems like Windows and OS X allow you to disable USB as well. Using Group Policy in a Windows Server environment, you can set a policy in Active Directory and disable flash drives as well. If you don't have those options, there are third-party utilities that can lock out USB devices. You could even go the low-tech route and do something silly like gluing the ports closed.
The problem isn't so much blocking flash drives from a technical standpoint as it is convincing users of the need to do so. Many users have a sense of entitlement, and even in organizations where security is important, they may balk at the idea of not being allowed to use flash drives. Or, if they do understand the need, they'll try to convince you why they are the exception to the rule.
Although it's possible to just create a policy on paper, slap some controls on your network, and be done with it, that's not always the best route to take. The best course of action is to check whether a policy is even needed in the first place. If so, then do your best to educate users about the reason why and enlist as much support as possible. People naturally bristle at restrictions, but if the restrictions are presented properly, they won't rebel as much.
Remember, if you do decide to block flash drives in your organization, you may need to come up with other options. Naturally, any method that makes data portable enough to go around the office can make it portable enough to go out the door, but users won't complain as much if you give them alternatives. It might be more storage space on the server, more portable computers, CD or DVD-RW drives, or something else. Just be aware that blocking flash drives won't necessarily protect data or lessen your administration headaches.
The bottom line for IT leaders
USB flash drives are as dangerous as they are ubiquitous. Not only can they be used to drain your organization dry, when used as boot devices they can also be used to overcome passwords and other security you have in place. If security is critical in your organization, you have policies and procedures in place to deal with them. Even in organizations where security isn't as critical, there are lots of good reasons to restrict them. Decide what's best for your organization, but be as clear to users as possible about what the decision is, why, and that there are no exceptions.