Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

USB afraid.  USB very afraid.

There are few things that chill my blood more than having a colleague come up to me and show me proudly how they’ve got All! This! Data! on a USB flash drive.

From a security perspective, I hate USB fobs even more than I hate laptops and other removable media.  Here’s why, in a nutshell:  USBs are the easiest to have in an ambiguous security state.

You can generally tell right away when you’ve lost a laptop.  CDs and floppy disks are a little harder to figure out, but they don’t carry nearly as much data as a 2-GB USB stick.  This means that with a USB drive, you can potentially lose a large amount of data; the more data you have on it, the greater the chance that some of it will be confidential, and the greater the chance that you won’t remember exactly what it was.  And because USB sticks are so small, you can very easily get into this state where you can’t find them, but you’re not ready to say that they’re actually lost or stolen.  Did your dog swallow it?  ‘Cause if that’s the case, maybe you don’t have to report a data breach.  Maybe there wasn’t any confidential data on it; you’re not sure.  Maybe, maybe, maybe ... that way lie the bogeymen called denial and rationalization, two of the security officer’s enemies.

Many of my colleagues don’t understand this risk until I pull out what I call the Boss Anger Scale for risk assessment.  I ask them, “If you had to go tell your boss that you lost this, how mad would s/he be?  How mad would the Top Boss be?”  Then their eyes widen in terror and they finally Get It.

Yeah, I know there’s encryption available for USB sticks.  But there’s nothing you can do to force users to limit themselves to those approved kinds, when every vendor booth at a trade show is handing out others.  And if you can’t trust a user to keep a drive away from his dog, can you really trust him to use encryption?


Posted by shrdlu on Wednesday, April 18, 2007

Comments

Dan United States on 04/18  at  07:26 AM:

I don’t know, I store music on mine, all 4 gigs worth of music, and it goes with me everywhere (it came with a leash). Although I do have 30 gigs of music, it is just a matter of time until I cave and buy a USB stick that big.

Although I do see your point; if I loan it out, it rarely comes back home.

LonerVamp United States on 04/18  at  02:33 PM:

I have a bunch of smaller USB drives and I almost never have track of all of them at any given time. My old company used to get those freebies with Dell computers that were only 64MB in size. Nobody really needed or wanted them so I stored them up and eventually realized how nice they are to move config files around or smaller docs and stuff. But I could easily lose one and never know it.

Another problem with USB drives is those enabled to take advantage of autorun on Windows. I have one of those Dell fobs (distinctly marked!) that, if put into a Windows system with local admin rights, will pilfer quite a bit off that system including cached passwords/hashes, cookies, etc. Others are known to do far worse things…

The only problem I see with cracking down on USBs is that it is technology progression, and fighting against technology progression is often an empty, futile effort in the long run. The music and movie industries are learning this the costly way, and every other admin that refuses to keep up with new things. Sometimes this is necessary for security (perhaps in the case of the mighty USB drive/fob), but it’s just a question I keep in mind. Is the business better off by adopting the technology now and working to secure/workaround the issues, or to take a hardline against it?

I used to be anti-laptops in the workplace, but the productivity gains are really a no-brainer. Techs fighting against them for all the insecurities and admin headaches will almost always lose in the long run…

Definitely depends on the situation, and I bet you’re better off in your org not allowing the damned things. :) We are currently looking into port security (serial, firewire, USB, CD, etc.) after hard drive encryption, but I think that will be met with more resistance than mgmt realizes due to all the portable devices people may just recharge while at work (iPod, etc.)...
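Picking up the autorun point from the comment above, here is an added example (not code from the post or from either commenter) that a Windows admin can use to check the two things this thread worries about: whether AutoRun is switched off for every drive type, and which USB mass-storage devices a host has actually mounted, so an "I can't find it, but is it really lost?" drive can at least be matched against the machines it touched. It assumes it is run as a local administrator and uses the documented Explorer policy value NoDriveTypeAutoRun (0xFF disables AutoRun on all drive types) and the USBSTOR device enumeration tree in the registry.

```powershell
# Added example: audit, and optionally enforce, AutoRun lockdown for removable
# media, then list the USB mass-storage devices this host has ever seen.
# Assumptions: run as local administrator; NoDriveTypeAutoRun and USBSTOR are
# the standard registry locations, not anything specific to this blog's setup.
[CmdletBinding()]
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-AutoRunState {
    # 0xFF disables AutoRun for every drive type; a missing value means the
    # OS default applies, which is not a safe assumption on older systems.
    $value = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
              -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        NoDriveTypeAutoRun = $value
        AllDrivesDisabled  = ($value -eq 0xFF)
    }
}

function Get-SeenUsbStorage {
    # Each child of USBSTOR is a vendor/product string for a mass-storage
    # device that was attached at some point; its children are per-device
    # instance ids (usually the drive's serial number), which is what lets
    # you tell two identical freebie fobs apart.
    if (-not (Test-Path $usbStorKey)) { return @() }
    Get-ChildItem -Path $usbStorKey | ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            [pscustomobject]@{
                Device       = $device
                InstanceId   = $_.PSChildName
                FriendlyName = (Get-ItemProperty -Path $_.PSPath -Name FriendlyName `
                                -ErrorAction SilentlyContinue).FriendlyName
            }
        }
    }
}

$state = Get-AutoRunState
if ($state.AllDrivesDisabled) {
    Write-Host 'AutoRun: disabled for all drive types (NoDriveTypeAutoRun=0xFF)'
} else {
    Write-Host ('AutoRun: NOT fully disabled (NoDriveTypeAutoRun={0})' -f $state.NoDriveTypeAutoRun)
    if ($Enforce) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Write-Host 'AutoRun policy set to 0xFF; applies at next logon.'
    }
}

Write-Host "`nUSB mass-storage devices this host has mounted:"
Get-SeenUsbStorage | Format-Table -AutoSize
```

Run it without arguments to report, or with `-Enforce` to set the policy on a machine where it is missing; pushing the same value through Group Policy is the scalable version of the second half. The USBSTOR listing is read-only and is the piece worth collecting centrally, since it turns "maybe the dog ate it" into a list of which hosts a given drive serial was ever plugged into.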
