Stop threats to network security by USB storage devices

The vast majority of security breaches are perpetrated even by "trusted" employees... Hence it is extremely important to take a hard look at internal security of your company's network. One of the single biggest internal threats to network security is the use of USB storage devices.

USB storage devices can be used to steal large quantities of data from your network. Anything a user has access to can be copied to a USB storage device. The risk of users copying data to removable storage devices has always been a problem, but USB devices present some unique challenges. For example, a few years ago, if a user wanted to steal data, his or her primary option for doing so was to use a floppy disk. Floppy disks are slow and have a very limited capacity, severely limiting the quantity of data a user could steal. In contrast, USB storage devices are much faster and can store vast quantities of data & are tiny in size. Even a simple USB flash drive (in the form of a keychain) can accommodate at least 4 GB of data. USB hard drives pose even more threat as they are pocket-sized and can store huge data. Furthermore, USB flash drives are cheap and easy to conceal.

Another problem with USB storage devices is they can also be used to upload applications. I have seen several instances in my work at Capgemini where a user has copied an installation disk to a USB flash drive and then used the drive to install the application on his or her PC at work. When a user installs an unauthorized application, it has the potential to cause all sorts of problems. It can also invite virus or malware. Likewise, the application may interfere with legitimate applications or with Windows' stability, resulting in unnecessary support calls.

One often-overlooked problem with unauthorized applications is companies are required by law to purchase software licenses for any application in use. If a user installs an unauthorized application, technically the company is required to have a license for that application - even if it did not know about the application!

Fortunately, there are a number of things you can do to combat the problems generated by USB storage devices. Though none of these solutions are fool-proof, but they act as a deterrent to using them and thus prove an effective measure to control their menace.

Method 1: Ghetto engineering

One of the oldest and most effective techniques for controlling the use of USB storage devices involves pumping the workstation's USB ports full of epoxy. This makes it physically impossible for a user to plug a USB device into his or her workstation.

Although this approach is extremely effective, there are a couple of problems with it. In many organizations, workstations are not equipped with CD or DVD drives. This helps to save costs, and reduces the chances of users installing unauthorized software. Often, though, help desk staff members may need to use a CD or DVD to reinstall operating system or fix a problem with an application. That being the case, it is common for the help desk staff to use a portable CD or DVD drive that connects to the machine's USB port. It the ports are plugged up, they simply can't use the drives and this may affect their services too.

Though the helpdesk staff still has the option of temporarily installing an IDE-based drive, it is quite time consuming, since it involves opening the PC's case. It is usually much more efficient to plug a portable drive into a USB port. One of the biggest arguments against plugging up a computer's USB ports with epoxy is that doing so usually voids the system's warranty.

Method 2: BIOS settings

Another common technique for preventing use of USB storage devices is to disable the workstation's USB ports at the BIOS level. This technique isn't nearly as drastic as pumping the ports full of epoxy, because a support technician has the option of re-enabling the ports should they be needed.

This technique works relatively well, but it has 2 major drawbacks. First, not all systems offer the option of disabling USB ports. Second, disabling USB ports is an all-or-nothing proposition. If you disable a system's USB ports, you will prevent unauthorized use of USB storage devices, but at the same time you will also prevent them from using legitimate USB-based keyboards, mice or printers.