Enterprises struggle to enforce security policies on thumb drives and other portable storage media
Do you know what devices your users are plugging into their laptops and desktops right now? And if those activities aren't authorized, do you have a way to stop them?
If your answer is "no" to both questions, you're not alone. Across the industry, IT and security managers are struggling to keep USB drives, FireWire devices, and other portable storage from carrying sensitive data out of the secure perimeter and from bringing viruses, Trojans, and other malware in.
"Our policy is that sensitive data shouldn't go out of the building, and unauthorized media shouldn't come in. But that's policy, not technology," says Phil Kirsch, systems administrator for the Statistical Center for HIV/AIDS Research in Seattle. "There are no audits or other enforcement activities. I don't know that there is any practical way to enforce it. There are just too many forms of media someone could put data on."
"Every [user] has access to [removable storage devices] right now, and they can put anything they can get access to on them," agrees Sean Grady, IT security administrator for the Eastern Band Cherokee Nation. "We are very vulnerable to internal manual attacks. I have a policy, but I cannot enforce it."
Complaints such as these aren't isolated. Last week, Dark Reading columnist Steve Stasiukonis, vice president and founder of penetration testing firm Secure Network Technologies, described a test in which 20 USB thumb drives infected with a benign Trojan were dropped around the headquarters of a credit union. Fifteen of the drives found their way onto the company's desktops and into its corporate network. (See Social Engineering, the USB Way.)
Dozens of IT and security administrators wrote to Dark Reading and Stasiukonis to say that they are struggling to plug similar vulnerabilities in their enterprises.
The problem, in a nutshell, is that most IT organizations have no way to detect what physical media are plugged into their client machines, or what data might be imported or exported from those media. At the same time, the latest portable storage devices can hold gigabytes of data in a pocket-sized form factor at consumer-level prices, which means that huge amounts of data can be transported in or out before IT can do anything about it.
Faced with this combination, many enterprise IT organizations have adopted one of two diametrically opposed policies: Either they disallow all portable storage devices, to the point of physically disabling USB ports, or they allow everything, on the grounds that an unenforceable policy is worse than none at all.
"If you really want to prevent this sort of thing from happening, your best bet is to just disable it across the board," says Stasiukonis.
"We have no policy," says an IT administrator at a large university. "We have to allow everything."
Isn't there some middle ground here?
An emerging class of security vendors says there is. These companies -- mostly small startups -- have developed tools that collect information from PC ports, telling IT which devices are being connected, locking out unauthorized media and, in some cases, enforcing encryption on all data that passes through those ports.
There are significant differences among these new "port control" or "endpoint security" products, but they share a common model. The IT department equips each PC with a driver or agent application, costing anywhere from $10 to $50 per client, that monitors the use of external interfaces, including USB, PCMCIA, CD/DVD burners, and other devices. Most of the vendors maintain an equipment library that tells IT not only the type of device plugged into each port, but the make and model as well.
"We have a lot of customers who just use our product for that 'audit' function. They just want to know who's plugging something in, and what they're using," says David. "Most of our customers find a lot of things they didn't know were being connected to their networks: thumb drives, iPods, even PlayStations."
Once they know what storage media users want to plug into their machines and why, IT administrators can use these emerging tools to create policies that can be enforced by the agent on the PC. For example, IT can disallow USB access for some groups of users while permitting it for others. Or it can allow access for all groups, but limit that access to business hours.
Virtually all of these products also offer a central console that enables administrators to manipulate permissions or monitor user activity in real time throughout the day. If a user plugs an unauthorized device into a PC port, the agent will disallow the device and send a message to the console to let IT know which user and which devices are involved.
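To make the enforcement model concrete, the following is an added example, not code from the article or from any of the vendors it mentions. It models the agent-side decision the article describes: a device-connect event carries the user, the user's group, the device's USB vendor and product IDs (the assumption here is that the agent reads them from the device descriptor and looks them up in an equipment library), a serial number, and a timestamp; the policy engine returns allow or deny plus the audit record the central console would receive. It covers the per-group rules, the business-hours rule, the corporate-issued encrypted drives that are always accepted, and the time-limited exception for an executive. The group names, hours, serial numbers, dates and library entries are all constructed for illustration.

```python
# Added example (not the article's or any vendor's code): a minimal
# port-control policy engine of the kind described above. Device IDs,
# group names, hours and serial numbers are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, time

# Constructed stand-in for a vendor's "equipment library": USB vendor/product
# ID pairs mapped to make and model. Entries are illustrative, not verified.
DEVICE_LIBRARY = {
    (0x0781, 0x5567): "SanDisk Cruzer Blade",
    (0x05ac, 0x1261): "Apple iPod classic",
    (0x054c, 0x02ea): "Sony PlayStation 3",
}


@dataclass(frozen=True)
class DeviceEvent:
    """What the agent reports when a device is plugged in."""
    user: str
    group: str
    vendor_id: int
    product_id: int
    serial: str
    when: datetime


@dataclass
class Policy:
    group_mode: dict        # group -> "deny" | "approved_only" | "business_hours" | "any"
    approved_serials: set   # corporate-issued encrypted drives, allowed for any permitted group
    business_hours: tuple   # (start, end) as datetime.time, half-open interval
    grants: dict            # user -> expiry datetime of a temporary exception


def describe(vendor_id, product_id):
    """Make/model from the library, or the raw IDs if the device is unknown."""
    return DEVICE_LIBRARY.get((vendor_id, product_id),
                              f"unknown device {vendor_id:04x}:{product_id:04x}")


def evaluate(policy, event):
    """Return (decision, reason) for one device-connect event."""
    # A time-limited grant (the "executive needs it for a week" case) is checked first.
    expiry = policy.grants.get(event.user)
    if expiry is not None and event.when < expiry:
        return "allow", "temporary grant"
    # Groups with no rule fall through to deny: fail closed.
    mode = policy.group_mode.get(event.group, "deny")
    if mode == "deny":
        return "deny", "removable storage not permitted for group"
    # Corporate-issued encrypted drives are accepted whenever the group may use USB at all.
    if event.serial in policy.approved_serials:
        return "allow", "approved corporate device"
    if mode == "approved_only":
        return "deny", "only approved encrypted devices permitted"
    if mode == "business_hours":
        start, end = policy.business_hours
        if not (start <= event.when.time() < end):
            return "deny", "unapproved device outside business hours"
    return "allow", "permitted by group policy"


def audit(policy, event):
    """The record the agent would send to the central console."""
    decision, reason = evaluate(policy, event)
    return {
        "time": event.when.isoformat(),
        "user": event.user,
        "group": event.group,
        "device": describe(event.vendor_id, event.product_id),
        "serial": event.serial,
        "decision": decision,
        "reason": reason,
    }


# Constructed policy and events for the demonstration.
EXAMPLE_POLICY = Policy(
    group_mode={"finance": "deny", "staff": "business_hours",
                "engineering": "approved_only", "students": "any"},
    approved_serials={"CORP-ENC-0001"},
    business_hours=(time(8, 0), time(18, 0)),
    grants={"vp_sales": datetime(2006, 6, 30, 0, 0)},
)

EXAMPLE_EVENTS = [
    DeviceEvent("alice", "finance", 0x0781, 0x5567, "4C530001", datetime(2006, 6, 15, 10, 0)),
    DeviceEvent("vp_sales", "finance", 0x0781, 0x5567, "4C530002", datetime(2006, 6, 15, 10, 0)),
    DeviceEvent("vp_sales", "finance", 0x0781, 0x5567, "4C530002", datetime(2006, 7, 5, 10, 0)),
    DeviceEvent("bob", "staff", 0x05ac, 0x1261, "IPOD0001", datetime(2006, 6, 15, 21, 0)),
    DeviceEvent("bob", "staff", 0x0781, 0x5567, "CORP-ENC-0001", datetime(2006, 6, 15, 21, 0)),
    DeviceEvent("dave", "engineering", 0x1234, 0x5678, "NOIDEA", datetime(2006, 6, 15, 10, 0)),
    DeviceEvent("carol", "students", 0x054c, 0x02ea, "PS3-0001", datetime(2006, 6, 15, 3, 0)),
    DeviceEvent("eve", "contractors", 0x0781, 0x5567, "4C530003", datetime(2006, 6, 15, 10, 0)),
]


def demo_decisions(policy=EXAMPLE_POLICY, events=EXAMPLE_EVENTS):
    """Decision per event, in order: the console's view of the day."""
    return [evaluate(policy, e)[0] for e in events]


if __name__ == "__main__":
    for e in EXAMPLE_EVENTS:
        print(audit(EXAMPLE_POLICY, e))
```

Two design points are worth noting. The engine fails closed: a user in a group with no rule, and an unrecognized device in an "approved only" group, are both denied rather than silently allowed, which is what keeps the audit trail from being the only control. And the temporary grant is checked against the event's timestamp rather than a flag that someone must remember to clear, so the executive's access lapses on its own.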
Early users give positive reviews to the products. "We tried the policy of denying access to all [removable storage devices], but it just doesn't work," says Chris Duffy, CIO at Peirce College, which uses the USB Security product. "Now that we have a way to control removable storage and enforce the policy, we're actually doing the reverse: Encouraging students to carry removable devices from the lab back to their rooms, so they aren't limited by the availability of the lab machines."
Martin, Fletcher, a healthcare staffing firm, likes the flexibility of USB port management. (See Healthcare Firm Secures USB.) "It allows me to give access to an executive or [other users] who legitimately need access for a certain period of time," says Fabi Gower, vice president of IS at the company. "I don’t have to tell a vice president of a department, 'Sorry, that’s just not allowed.'"
Several of the port control and endpoint security vendors have already partnered with storage providers to embed their agents in the storage device's own drivers. In this way, enterprises can mandate and enforce the use of specific portable devices that provide the required access control and/or encryption capabilities. Securewave announced its vendor certification program just yesterday.
Experts and analysts had generally positive views of the emerging category of port control products, but they warned that the need for the technology is so fundamental that it will surely catch the eye of big players such as Microsoft and Symantec, which already offer endpoint security suites that do not yet include port control.
"In a market like this, some consolidation is inevitable," says Dennis. "As with any niche product, you either spread out and offer more functionality, or you get absorbed."
— Tim Wilson