By Vladimir Chernavsky
Security policy is not meant to signal to users that they are untrustworthy.
More security advice from an industry analyst doesn't usually rouse much interest. Then why such a stir after the recent Gartner report on threats from portable storage media?
The analyst, Ruggero Contu, simply pointed out that most Windows networks are wide open to unauthorized uploading and downloading activity through the USB port using consumer devices such as cameras and MP3 players with built-in or removable memory. Perhaps it was the mention of banning iPods from the workplace that grabbed the headlines. Or perhaps it was that the report and some of the media coverage that followed presented solutions that seemed drastic, mixed-up, complicated and expensive.
In any case, it unleashed a storm.
Many pointed out that open USB ports are not unlike open device drives--and few corporations, if any, ever banned the use of floppies, CDs or zip drives. A surprising number of the published rebuttals claimed that corporate security measures were becoming too meddling and were ultimately ineffective, and that really nothing could or should be done aside from educating and trusting PC users to do the right thing.
Regarding the first point, I'd agree.
Even Los Alamos National Laboratory didn't ban zip drives in the past. It took multiple incidents of removable drives purportedly loaded with classified information walking out the door before the Department of Energy put new policy in place. But what IT organization would like to be in the defensive position that the University of California is now in with its client, the Department of Energy, over this chain of events? This case also illustrates that the problem does not have to be one of information thieves well-meaning employees going around with sensitive data on removable storage devices are the source of equal or greater risk.
In the category of poorly chosen measures, there are many "cartoon caper customization" stories: tearing out floppy and CD drives cutting the wires squirting glue into USB port openings even placing system blocks in locked wooden boxes. "Blunt instrument" measures, to be sure. Yet, when you consider both the potential severity and the likelihood of a security breach occurring through an unsecured device port at a local end-point, at least the companies involved recognized there was a problem.
There are more-evolved, easier-to-implement technology solutions that allow system administrators to centrally control the users and times of uploading and downloading through device ports. I wouldn't consider them any more "meddling or impractical" than personal firewalls. By the way, a personal firewall will not protect your network from a threat that walks up to your computer and attacks locally--only when it attacks across the Internet.
Finally, security policy is not meant as a signal to users that they are untrustworthy. It does bring into focus the sensitivity of information and the vulnerabilities of a business and therefore requires enforcement. Someone intent on violating security policy may succeed at thwarting the means of enforcement, but this doesn't mean enforcement is a useless exercise. Like a cone fence around a sidewalk under repair or a turnstile in the subway, it is not so much that the barrier be unbeatable as that it is there.
Just in taking the step to manage access to external memory devices with technology, an IT department is giving weight and substance to its policy. Regarding this threat, the sooner boundaries are set, the better.