USB afraid. USB very afraid.
There are few things that chill my blood more than having a colleague come up to me and show me proudly how they’ve got All! This! Data! on a USB flash drive.
From a security perspective, I hate USB fobs even more than I hate laptops and other removable media. Here’s why, in a nutshell: USBs are the easiest to have in an ambiguous security state.
You can generally tell right away when you’ve lost a laptop. CDs and floppy disks are a little harder to figure out, but they don’t carry nearly as much data as a 2-GB USB stick. This means that with a USB drive, you can potentially lose a large amount of data; the more data you have on it, the greater the chance that some of it will be confidential, and the greater the chance that you won’t remember exactly what it was. And because USB sticks are so small, you can very easily get into this state where you can’t find them, but you’re not ready to say that they’re actually lost or stolen. Did your dog swallow it? ’Cause if that’s the case, maybe you don’t have to report a data breach. Maybe there wasn’t any confidential data on it; you’re not sure. Maybe, maybe, maybe ... that way lie the bogeymen called denial and rationalization, two of the security officer’s enemies.
Many of my colleagues don’t understand this risk until I pull out what I call the Boss Anger Scale for risk assessment. I ask them, “If you had to go tell your boss that you lost this, how mad would s/he be? How mad would the Top Boss be?” Then their eyes widen in terror and they finally Get It.
Yeah, I know there’s encryption available for USB sticks. But there’s nothing you can do to force users to limit themselves to those approved kinds, when every vendor booth at a trade show is handing out others. And if you can’t trust a user to keep a drive away from his dog, can you really trust him to use encryption?
Posted by shrdlu on Wednesday, April 18, 2007