Towards a Comprehensive USB Flash Drive Policy?
sconeu asks: "The company I work for is going through some growing pains. This is a -good- thing, but due to the growth, some changes are necessary. I'm the guy who does IT and IT policy, however I'm actually a developer by job description -- I was doing IT on the side. Anyways, we're going through growth, and one of the things we are trying to address is security.
Currently, our policy is wide-open (for internal machines). The owner has expressed some reservations about the increasing use of flash drives, in an overall security setting. Everyone involved here realizes that there's not much we can do against a malicious employee, but we're looking to avoid accidental data loss from USB sticks, and other solid-state storage media.
Has anyone on Slashdot dealt with this issue? What policies and protections did you end up putting in place, if any?"
I don't understand why this is a new challenge. Why can't existing policies regarding floppy disks simply be applied to this?
Well at least in my department anything that could be used as a mass storage device is forbidden. It would have been much easier for them to disable the USB ports as our keyboards and mice still all have PS/2 connectors or USB to PS/2 converters.
A psychopath can't tell the difference between right and wrong. A sociopath knows the difference - he just doesn't care.
Two bits of advice:
1) Watch out for hot women with stainless steel thermal mugs; they'll have a USB drive in the false bottom of the mug.
2) Don't trust anything Al Pacino tells you about your father's service in the CIA or your mission.
"Every decent man is ashamed of the government he lives under." - H.L. Mencken
> "Currently, our policy is wide-PrivoxyWindowOpen(for internal machines)"
;)
Does this cut down on the ads and spyware for you, too?
In my company (I'm a second-level helpdesk tech for a large multinational tech company), USB flash / disc devices are outright banned. It doesn't prevent people from bringing them in and using them though. *sigh*
Revert to 486 machines and Windows 95. NO USB, no problem!
Hmmm... still have those floppy discs to deal with though....
Three Squirrels
I work at a bank, which of course has some pretty stringent security policies. It's pretty simple here: USB is disabled in the BIOS. It can be enabled by special request (usually for execs and their PDAs) and in such cases, we disable USB2.0 (just 1.1), require stronger passwords on the workstation, and have a screensaver set to lock the PC after 3 minutes of inactivity. This doesn't mean we don't have problems from enthusiastic users that know how to change BIOS settings, but for the most part, problems were avoided.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I'm not sure if windows would freak out or not, but couldn't you just remove the usb mass storage driver from the system?
What's needed is software that limits USB and other connections to those that are allowed. Such software exists, but is expensive. Here is software that is less expensive than packages I've seen, but the web site is so sloppy I lack confidence in it.
No USB storage devices allowed.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
Anyone panicked of USB security is only displaying their naivete! The risks with USB drives are essentially the same as those with floppies, tapes, or email attachments. Unless you want to strip search everyone leaving at night, the key to this kind of security is education and management vigilance.
1) Have employees sign typical NDA type document.
2) Have employees read/trained/understand company security policies and procedures.
3) Have employees take periodic (e.g. yearly) ethics training.
4) Let them be professionals.
Heck my company (IBM.. particularly BCS division) gave us USB keys as a little gift not too long ago.
I'm not sure I understand what the concern is. Your question seems to imply that you're worried that employees will copy data onto a USB stick and then lose it, rather than intentionally stealing information that way.
If that's the problem, I'd be much more concerned about where the employee is taking that data. The only reason someone would put company information on a data key is so that they could move that information to a computer somewhere outside the company network. *That's* where your security concerns should be. Some manager copies your customer database onto his home computer, and he's sharing it with the whole internet.
The only way you'll be able to stop that sort of thing is to ensure that company data stays on company computers. Period. If you need to work from home, have the company get you a laptop, and have the IT department do what they can to make that laptop secure.
It's the land of the brave, and the home of the free
Where the less you know, the better off you'll be.
I've heard of companies that had issues with flash drives, but I've never understood why. Could you explain it to me?
I assume it is a concern about people copying files to the flash drives and walking out with them. But small high-capacity removable media is not anything new. When 3.5" floppy drives were common, it was trivial to take large amounts of source code, documentation, etc. Then came CDs, with more of the same. Today, DVD disks are either 3.25" or 5.25" in diameter, completely flat, and hold far more than flash drives. Yet I've never heard of anyone concerned about the security implications of DVDs. Most of my coworkers have PDAs or laptops. And every computer in the office has internet access.
So why are flash drives so magical that they deserve special treatment?
Set up all of the machines in an Active Directory domain structure and then impose group policy security restrictions. Don't put the domain users into the Administrators groups on their local machines (but make sure to put yourself, the Domain Admin, in the LOCAL COMPUTER administrator groups). This way, they will be locked down from configuring system settings and adding/removing hardware (they can put a USB drive in, but it will never be mounted). This will also get rid of many spyware/adware problems you might be having as they won't be able to install the malicious software. If they DO require software to be installed, temporarily add their domain account to their local Administrators group and ask them to log out and back in. They can then install whatever software they want, and then you can disconnect them (via enforced login hours) or simply remove their name from the Administrators group and trust them to log out. An upside to this is you can also finely control which Windows services you would like to run or not run on every machine throughout your domain. Remote computer management also becomes easier since you can remotely connect to your domain machines through the Computer Management interface (you being the Domain Admin).
-Adam
Assuming you're in a managed Windows environment where standard users are lacking the privileges to make changes to the operating system and its settings (outside of application specific user options), you can apply certain registry settings that make all USB mass storage devices read-only.
This, coupled with good remote log hosts and alarm systems, will not only prevent users from smuggling data, good or bad, it can also alert you to the activity.
This is, of course, moot if the workstations are equipped with floppies and burners. Your firewall policy can also negate the advantage if you have no network accounting in place or a hardened outbound traffic policy.
- billn
This product GFI LANGuard PSC http://www.gfi.com/lanpsc/ will let you lock your USB mass storage on a per user basis on WinDoze machines.
We tried it in the demo mode when the administration at a client was freaking out about IPods. We ended up going with a written policy (that actually had enforcement!!!!!) instead of a technology solution!
Rule of Life Number 2: Remember, it can all go to hell at any minute. --Jimmy Buffet
More and more I see companies trying to solve every problem or perceived problem by putting a policy in place. Usually, this solves the problem at the expense of morale and productivity. A once simple task is now a complicated nightmare.
It's a mistake to put a policy into place as a knee-jerk, first response. Instead, hire good people, train them well, treat them well and let them be your first defense against problems. Policies are to clarify ambiguities and apply standardization - not as a cure-all for every situation.
It's simple: I demand prosecution for torture.
As long as you have laptops with 60+GB hard drives walking in and out of the building, any plan to limit USB drives is only going to bite the 99.99% of the people that actually use them for productivity. That .01% that has some illicit reason to share files outside the company will be slowed down, but then email them, burn them to CD, FTP them, fax them, or just keep it on their laptop and walk it out the front door.
And even if all those are plugged, there is still the option of printing it out and mailing it.
I'm not here to preach about whether or not it is smart to manage removable media.
I'm just here to give you this link. It's a great piece of software that works well.
Cheap storage VM.
I'm sitting on my work computer right now... that has the USB enabled (uses USB keyboard/mouse), has a CD-burner in it (I have NO idea why).. and my 128MB thumb drive is in the front so I can run portable Firefox.
I had a similar position to yours for several years, so I have some very general thoughts I hope you find helpful.
Any time The Boss read an article about something new, she would ask me about it.
There are two things that really helped me:
1 - I had spent a LOT of time (with an attorney) researching and developing what I still believe were really good policies. The attorney and I both learned a lot, since I lean towards anarchy.
2 - I learned to anticipate her requests by reading tech news voraciously and keeping my eye on headlines in the journals she read.
In this specific case, you should already have addressed this issue, since USB devices are (as another poster already pointed out) just one of many ways data can be copied to a personal device.
We can't answer for you. That's what you need to discuss with the owner, since it is *their* company. You just need to come up with a list of all devices that will need to be nixed if you decide to nix these (and some research places *do* nix all of this stuff). A partial list to get you thinking: Cellphones, cameras, PDA's, floppy disks, CD writers and/or media, DVD writers and/or media, copy machines. Once you have a list, you can get with your owner and have a sincere "how serious are you about this?" conversation and then come up with a policy general enough to cover whatever you end up with.
Mark
On every box:
Don't forget:
Yeah, right.
DRM = data + key in the same package. I have said this a thousand times -- cryptographically speaking, DRM just plain does not work.
Treat well your employees, and *that* you have the solution to the OP problems.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
"If someone emails out sensitive data, there is a record of it". I don't think so. You pack the data, encrypt it, put it inside a virus-looking executable, and send it to the destination with subject: "I love u", preferably from another workstation, not yours, then infect said workstation with some (new?) virus. Plausible deniability.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
The risks with USB drives are essentially the same as those with floppies, tapes, or email attachments.
No, USB is a completely different and far more difficult issue to handle.
With floppies, tapes, CD-ROMs etc, it is easy to restrict a PC. The peripherals can either be removed completely or they can have physical locks placed on them that require a key in order to use them. The peripherals can also be disabled in the BIOS which in turn can be protected by password. So, with these devices, it is relatively easy to prevent users from using them at all.
But, USB is an entirely different beast. USB is not a peripheral, it is an interface that can be used by a vast array of peripherals, flash disks being only one such peripheral. Now, the interface could be disabled in the BIOS as above but, there is a major problem with this. The problem is that most new PCs use USB keyboards and mice. Disabling these two peripherals tends to limit the PC's functionality a bit too much for most people. It would also prevent the use of USB printers, scanners, modems, network cards, barcode readers, biometric devices and lots of other legitimate and often required peripherals.
So, the problem is a massive one. How do you limit the connection of certain USB devices, such as flash drives or WiFi dongles, to the machines on your network while still allowing most other devices to function? Right now, most people rely on policies for this. But, no policy will ever prevent the determined user from connecting a USB device.
The problem may be as small as a 512MB keychain fob or as large as a 300GB external USB hard drive hidden in a purse. Connecting a USB WiFi fob in a multi-story building is another monstrous security issue. In any case, USB security is different than floppies and CD-RWs and it is a serious matter for those that are concerned with security.
Solution: Unknown.
I have my personal laptop (80GB drive) sitting next to me, with some CD-RWs in my briefcase behind me. What was the question again?
Yup, someone in Oregon/Washington got in trouble for accessing the medical records of that poor girl who was kidnapped when there was absolutely no reason for them to be looking at it. The hospital happened to have a policy that audits would be performed on every high-profile client (client, that's what they called 'em instead of patient) to make sure that no inappropriate accession of data occurred. They just happened to catch three people looking at her medical records pretty much for curiosity.
...that a strict backup policy could help with.
You might need to write some custom software to monitor the backups, but it shouldn't be too hard to come up with some scripts that whip through a list of people that use USB drives and nag them to back up the data under penalty of administrative punishment.
The policy is for someone to steal all USB drives. Seriously, we've had two stolen in the past few months right out of people's drives.
We also have a policy that requires all laptops to be locked down at all times.
Not sure if they are hiring crackheads off the street to do this, there used to be an IT VP that would steal stuff off people's desks and then, when they came to reclaim them, give them the big IT security lecture.
That's like the IT VP I worked with a few years ago that deliberately crafted a .EXE email attachment "virus", and then fired everyone who violated the "no opening .EXE attachments" policy.
In a previous contract we had *real* crackheads wandering through our offices (right off S Park in San Francisco). Although we went through 3 LCD projectors in two weeks once, people kept a close eye on laptops and peripherals.
That's what I like: security through - uhh - something!
People are missing the point here. It's not about just banning USB Flash drives. Policies & rules are created to give the company a level of paperwork to fall back on. Say somebody takes X amount of data or source code home, starts selling, and gets busted. At least in court they can't say "But there was no rule against it!" Think of it like having a logon banner for servers. Does it really deter hackers? No, but it gives you a bit more of a leg to stand on if it comes down to getting the authorities involved.
It's a lot like setting a speed limit. Yeah, most people ignore it, and the rule can be abused by those who make the rules. But in the end there's a valid reason for having it. Strong, well-written and enforced policies are just another layer in your security model.
There are some people that if they don't know, you can't tell 'em.
I worked at an R & D lab and our policy was that any system (laptops mainly) that could be expected to leave the physical security of the building had to have all data encrypted. We used a program that encrypted the entire harddrive and then required a passkey in order to decrypt at boot. At the time I left they had not yet got as far as instituting such a policy for flash drives, though I expect they have by now.
This won't protect against a malicious employee or a determined attacker, but should fix the problem of data left around accidentally.
You really need to back up and find out exactly why they feel the need to use removable media and what they are doing with it. Chances are the answer will point to a bigger issue like maybe the users don't trust the backup system or cannot easily retrieve files from said backups. It might be that they often use different workstations etc. Whatever the reason, if you provide a good alternative then a simple policy change and some training is all that is necessary, but if you don't then no policy will be strong enough. The only ones that will actually listen to a policy that keeps them from getting work done are the weenies who probably weren't doing anything anyway and you'll end up fighting with the good employees.
If you're really serious about security, disable USB mass storage devices on all machines, disk drives and CD-burners too.
You'll maybe need to treat laptops differently, but those are a problem anyway, because they get stolen all the time. I haven't figured out how to handle those properly.
RogerWilco the Adventurous Janitor
USB port + Epoxy resin = Security. Anything you currently do with flash drives can be done across the network, all necessary peripherals can be run through PS/2, and you don't have the bother of patting people down for their flash drives.
-Meeper
The most common reason I hear for why we just HAVE to give so many people, e.g., CD-burners is "they need to take data home to work on it..."
I keep wondering - wouldn't it be simpler to set up a "Windows Terminal Server" and have remote employees use THAT instead? That way, the only data leaving the company are (presumably encrypted) screen updates and key presses (yes, you CAN transfer files directly through the same mechanism, but how often would you legitimately need to if you can operate your "official" company computer from wherever you are instead of working off of some spyware-infested "home" computer directly?)
On a related note, anyone know how well the NoMachineNX RDP proxy would handle this sort of thing? Sure seems like it would be better than a more heavy-handed "VPN" connection that seems popular right now if it works effectively. Rumor is that it works reasonably well even on dial-up links, but I'm having trouble puzzling out how to set up to do RDP proxying from the various documents I've found so far.
For cases where someone really does need to make a CD of data to send to someone legitimately, perhaps a centrally located CDR "printer" with a web interface (perhaps something like this? Though I'd swear I'd seen more recent implementations of this concept using PHP) that users would send the files they need burned to, and the central box would make a record of what was being burned. (Ought to make the auditors happier, anyway).
Just my own thoughts on the problem.
Hacker Public Radio is our Friend
Epoxy.
Sounds very possible. A Microsoft technical support representative told me that there are 760 policies in Windows 2000, more in Windows XP. So, I'm not about to look. My guess is that the Windows policies are too crude to be effective in cases where you sometimes want to use the USB port for something authorized.
[I'm not a windows admin so I've no idea if any of this is possible...]
You might....
Figure out how to log all USB plug-in/remove events and notify a central location when they are USB Mass Storage devices. Figure out how to log all copies or transfers to/from USB mass storage devices. Make up some reporting process and either have a talk with excessive USB-keyers or disable their USB ports. Remember that they can probably use other workstations to do as they please. Could USB Mass Storage devices be made 'read-only' via some policy editor?
(Probably easier on an OS in which you could mess with the kernel sources.)
Let your users know all activity on the corporate network is being logged (not keystrokes or file contents - file names probably OK) and what behaviour is not OK.
Notify that all USB key contents will be inspected and copied off of any USB drive as soon as it's inserted for later inspection. Tell them Big Brother made you do it and if they're worried about their personal stuff being looked at, to not use their personal USB key at work.
Just ideas....
My wife was telling me that the hospital she works at uses a thin client solution where none of the desktop workstations have any type of removable storage, whether it be on floppy, USB drive, or optical media. All the applications and data are kept on blade servers in the data center. If your company has the money available in the budget, I'd go with at minimum a remote desktop solution and have the security policy configured that no data can be copied from the server to a workstation. Only thing left to worry about is the integrity of the employee who has access to the data.
Hot glue the USB ports on each PC, so nothing can be plugged in.
I work for your typical 15-employee company. Because of an incident lately (data theft & deletion after firing a guy), we have locked down CD/DVD recorders and USB mass storage devices. These can both be done through the registry. Just set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start = 4 (from 3)
to disable USB mass storage support. To disable CD burning:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning = dword:00000001
Just make sure your users don't have admin privileges on their boxes (i.e. simple user accounts only!)
Obtain a large number of memory sticks branded distinctively with the company's logo/colours. Hand these out freely to employees. Make replacements easily obtainable on request subject to a record of issue being made.
Only company-branded memory sticks can be used in company-owned machines. Using non-company-owned sticks in company-owned machines is considered a disciplinary offence.
Company-owned sticks that are inserted into non-company owned machines must be considered compromised and the company must be informed of such events.
On termination of employment, all company-issued property must be returned, including memory sticks. These are scanned for presence of illegitimate files.
The above policies aren't perfect, but they may be good enough to stop the most stupid offenders.
Alternatively, just put physical locks on the USB ports of company-owned hardware.
Lock the door, and your developers out?
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
I think you need to relearn some cryptography.
?!
We are on the topic of data theft BY YOUR OWN EMPLOYEES. You know, Bob and Eve are the same person. Again, the disgruntled employee HAS THE FSCKING KEY, he can access the data, or the guy in the next cubicle (that can have his computer eavesdropped, and his key discovered) has it.
If I really need lessons in crypto, state your name (as in opposition to AC) and indulge me, please.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Here where I work (a large defense contractor) there are signs posted all over that forbid having flash drives and other things such as camera phones anywhere in the complex. There are no IT policies though, and I still see people using them just about every single day.
If you're so concerned about security, why not use thin clients? Flash drives won't work, no CD burners, the only way to get data out is through the firewall, perfect for a high security situation, and less work too.
AFAIK: all your employees have physical access to the workstations. Any data they can access and some they shouldn't, they can put on a USB drive. Any data they can put on a USB drive / iPod / laptop HD / other removable media they can take home to your competition.
Can one do something to avoid it? Can one put a policy in USB drives to avoid it?
And the answer is: no. The only (somewhat) effective measures that you can take are (try to) get good people and treat your employees well, compensating them adequately, etc.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
XP SP2 does support using Group Policy to limit USB storage devices to read only. Where I work the Corporate Security group doesn't even want to allow read access. That makes sense for a number of reasons, so that wasn't an option for us. Not to mention the fact that SP2 is a minority in our environment.
Our solution was to create a package for software delivery that does the following:
1) Create the reg key HKLM\System\CurrentControlSet\Services\USBSTOR if it does not exist.
2) Create a REG_DWORD value named Start if it does not exist. Set to 4.
3) Change permissions on the key, removing all inherited perms, and setting System:Read, Everyone:Deny.
This will effectively disable any USB storage device and stop Plug and Play from installing any new drivers for USB storage. The job runs multiple times a day on each machine. In addition, it also reads machine names from an exception list (VIP users approved by Corp Sec) and takes no action (or reverses the changes) if it finds it's running on a listed machine. It also logs any non-exempt machine where an administrator has removed the restrictions manually.
Works surprisingly well.
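The three-step package described above (and the same UsbStor Start=4 value the 15-employee poster sets by hand), re-implemented as an added PowerShell script; this is example code written for this page, not the poster's package. It assumes it runs elevated under the account that owns the USBSTOR key (SYSTEM, as a software-delivery or scheduled job would), and the exception-list and log paths are made-up placeholders.

```powershell
$UsbStorSubKey = 'SYSTEM\CurrentControlSet\Services\USBSTOR'
$ExceptionList = 'C:\ProgramData\UsbPolicy\exceptions.txt'   # assumed path: one hostname per line
$LogFile       = 'C:\ProgramData\UsbPolicy\usbpolicy.log'    # assumed path

function Write-Log([string]$Message) {
    New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
    Add-Content -Path $LogFile -Value ('{0:u} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message)
}

function Test-Exempt {
    # VIP machines approved by security, listed by hostname (compared case-insensitively).
    if (-not (Test-Path $ExceptionList)) { return $false }
    $names = Get-Content $ExceptionList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    return [bool]($names -contains $env:COMPUTERNAME)
}

function New-Rule([string]$Identity, [string]$Rights, [string]$Type) {
    New-Object System.Security.AccessControl.RegistryAccessRule($Identity, $Rights, $Type)
}

function Open-UsbStorKey([System.Security.AccessControl.RegistryRights]$Rights) {
    # Request only the rights needed. The key's owner is always granted ReadPermissions and
    # ChangePermissions even when the DACL denies Everyone, so a later run can unlock the key.
    [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($UsbStorSubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $Rights)
}

function Get-UsbStorStart {
    # Returns 'denied' (the DACL blocks us, i.e. the lock is in place), 'missing', or the Start DWORD.
    try { $key = Open-UsbStorKey 'QueryValues' } catch { return 'denied' }
    if ($null -eq $key) { return 'missing' }
    try { $v = $key.GetValue('Start'); if ($null -eq $v) { 'missing' } else { [int]$v } }
    finally { $key.Close() }
}

function Set-UsbStorStart([int]$Value) {
    # Steps 1 and 2: create the key if needed and write Start as REG_DWORD (4 = disabled, 3 = manual).
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($UsbStorSubKey)
    $key.SetValue('Start', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Set-UsbStorAcl([bool]$Locked) {
    $key = Open-UsbStorKey 'ReadPermissions, ChangePermissions'
    $acl = New-Object System.Security.AccessControl.RegistrySecurity
    $acl.SetAccessRuleProtection($true, $false)          # step 3: drop all inherited permissions
    if ($Locked) {
        # SYSTEM:Read, Everyone:Deny. A local admin cannot just flip Start back to 3 in regedit,
        # and Plug and Play cannot write new driver entries under the key.
        $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'ReadKey' 'Allow'))
        $acl.AddAccessRule((New-Rule 'Everyone' 'FullControl' 'Deny'))
    } else {
        $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' 'Allow'))
        $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' 'Allow'))
    }
    $key.SetAccessControl($acl)
    $key.Close()
}

function Invoke-UsbStorPolicy {
    $state = Get-UsbStorStart
    if (Test-Exempt) {
        # Approved machine: reverse the lockdown so its USB storage works.
        if ($state -eq 'denied') { Set-UsbStorAcl $false; $state = Get-UsbStorStart }
        if ($state -is [int] -and $state -ne 3) { Set-UsbStorStart 3; Write-Log 'exempt: USB storage re-enabled' }
        return 'exempt'
    }
    if ($state -eq 'denied') { return 'enforced' }        # lock already in place, nothing to do
    # Key readable and Start changed: someone reset the permissions by hand. Log it, then re-apply.
    if ($state -is [int] -and $state -ne 4) { Write-Log "tampered: Start=$state on a non-exempt machine" }
    if ($state -ne 'missing') { Set-UsbStorAcl $false }   # make the key writable for us first
    Set-UsbStorStart 4
    Set-UsbStorAcl $true
    Write-Log 'applied: Start=4 and key locked'
    return 'applied'
}
Invoke-UsbStorPolicy
```

Run it several times a day from the delivery system; every run returns 'enforced' once the lock is in place, and a readable key on a non-exempt machine is the tamper signal the log records.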
I reflect your pompous signature back upon you.
If you are running an AD Domain, use group policy.
Fuck, even in the future nothin' works!
It's in C:\WINDOWS\system32\drivers\usbstor.sys - Just remove all users/groups from the permissions on it and Windows won't be able to access it anymore. It will also not try to fix or restore it. USB mass storage devices will no longer work and there's no indication to the user of why they aren't working, they just don't.