Towards a Comprehensive USB Flash Drive Policy?
sconeu asks: "The company I work for is going through some growing pains. This is a -good- thing, but due to the growth, some changes are necessary. I'm the guy who does IT and IT policy, however I'm actually a developer by job description -- I was doing IT on the side. Anyways, we're going through growth, and one of the things we are trying to address is security.
Currently, our policy is wide-open (for internal machines). The owner has expressed some reservations about the increasing use of flash drives, in an overall security setting. Everyone involved here realizes that there's not much we can do against a malicious employee, but we're looking to avoid accidental data loss from USB sticks, and other solid-state storage media.
Has anyone on Slashdot dealt with this issue? What policies and protections did you end up putting in place, if any?"
I don't understand why this is a new challenge. Why can't existing policies regarding floppy disks simply be applied to this?
Well, at least in my department anything that could be used as a mass storage device is forbidden. It would have been much easier for them to disable the USB ports as our keyboards and mice still all have PS/2 connectors or USB to PS/2 converters.
A psychopath can't tell the difference between right and wrong. A sociopath knows the difference - he just doesn't care.
Two bits of advice:
1) Watch out for hot women with stainless steel thermal mugs; they'll have a USB drive in the false bottom of the mug.
2) Don't trust anything Al Pacino tells you about your father's service in the CIA or your mission.
"Every decent man is ashamed of the government he lives under." - H.L. Mencken
> "Currently, our policy is wide-PrivoxyWindowOpen(for internal machines)"
;)
Does this cut down on the ads and spyware for you, too?
The unofficial
Revert to 486 machines and Windows 95. NO USB, no problem!
Hmmm... still have those floppy discs to deal with though....
Three Squirrels
I work at a bank, which of course has some pretty stringent security policies. It's pretty simple here: USB is disabled in the BIOS. It can be enabled by special request (usually for execs and their PDAs) and in such cases, we disable USB2.0 (just 1.1), require stronger passwords on the workstation, and have a screensaver set to lock the PC after 3 minutes of inactivity. This doesn't mean we don't have problems from enthusiastic users that know how to change BIOS settings, but for the most part, problems were avoided.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I'm not sure if windows would freak out or not, but couldn't you just remove the usb mass storage driver from the system?
What's needed is software that limits USB and other connections to those that are allowed. Such software exists, but is expensive. Here is software that is less expensive than packages I've seen, but the web site is so sloppy I lack confidence in it.
No USB storage devices allowed.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
Anyone panicked of USB security is only displaying their naivete! The risks with USB drives are essentially the same as those with floppies, tapes, or email attachments. Unless you want to strip search everyone leaving at night, the key to this kind of security is education and management vigilance.
I'm not sure I understand what the concern is. Your question seems to imply that you're worried that employees will copy data onto a USB stick and then lose it, rather than intentionally stealing information that way.
If that's the problem, I'd be much more concerned about where the employee is taking that data. The only reason someone would put company information on a data key is so that they could move that information to a computer somewhere outside the company network. *That's* where your security concerns should be. Some manager copies your customer database onto his home computer, and he's sharing it with the whole internet.
The only way you'll be able to stop that sort of thing is to ensure that company data stays on company computers. Period. If you need to work from home, have the company get you a laptop, and have the IT department do what they can to make that laptop secure.
It's the land of the brave, and the home of the free
Where the less you know, the better off you'll be.
I've heard of companies that had issues with flash drives, but I've never understood why. Could you explain it to me?
I assume it is a concern about people copying files to the flash drives and walking out with them. But small high-capacity removable media is not anything new. When 3.5" floppy drives were common, it was trivial to take large amounts of source code, documentation, etc. Then came CDs, with more of the same. Today, DVD disks are either 3.25" or 5.25" in diameter, completely flat, and hold far more than flash drives. Yet I've never heard of anyone concerned about the security implications of DVDs. Most of my coworkers have PDAs or laptops. And every computer in the office has internet access.
So why are flash drives so magical that they deserve special treatment?
Some companies are required by regulation to record who accesses what information where. Think banks, insurance companies and credit bureaus.
Where I work there are similar no removable storage (including floppy) policies for people dealing with sensitive information.
Conformity is the jailer of freedom and enemy of growth. -JFK
Assuming you're in a managed windows environment where standard users are lacking the privileges to make changes to the operating system and its settings (outside of application specific user options), you can apply certain registry settings that make all USB mass storage devices read-only.
This, coupled with good remote log hosts and alarm systems will not only prevent users from smuggling data, good or bad, it can also alert you to the activity.
This is, of course, moot if the workstations are equipped with floppies and burners. Your firewall policy can also negate the advantage if you have no network accounting in place or a hardened outbound traffic policy.
- billn
This product GFI LANGuard PSC http://www.gfi.com/lanpsc/ will let you lock your USB mass storage on a per user basis on WinDoze machines.
We tried it in the demo mode when the administration at a client was freaking out about IPods. We ended up going with a written policy (that actually had enforcement!!!!!) instead of a technology solution!
Rule of Life Number 2: Remember, it can all go to hell at any minute. --Jimmy Buffet
More and more I see companies trying to solve every problem or perceived problem by putting a policy in place. Usually, this solves the problem at the expense of morale and productivity. A once simple task is now a complicated nightmare.
It's a mistake to put a policy into place as a knee-jerk, first response. Instead, hire good people, train them well, treat them well and let them be your first defense against problems. Policies are to clarify ambiguities and apply standardization - not as a cure-all for every situation.
It's simple: I demand prosecution for torture.
As long as you have laptops with 60+GB hard drives walking in and out of the building, any plan to limit USB drives is only going to bite the 99.99% of the people that actually use them from productivity. That .01% that has some illicit reason to share files outside the company will be slowed down, but then email them, burn them to CD, FTP them, fax them, or just keep it on their laptop and walk it out the front door.
And even if all those are plugged, there is still the option of printing it out and mailing it.
I'm not here to preach about whether or not it is smart to manage removable media.
I'm just here to give you this link. It's a great piece of software that works well.
Cheap storage VM.
So do you also ban mobile phones, laptops, CD-Rs and CD-RWs, and so on?
If not, my guess is that users see the rule as the kind of stupid, inconsistent and obstructionist policy it is, and therefore decide not to obey.
Rules need to be seen as fair and reasonable if they're going to be obeyed.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
I just wanted to point out that most malicious software can be installed without the user having administrative rights. Such software often exploits vulnerabilities in windows or IE to get the installation to run as a system process instead of using the rights assigned to the user.
Yes, and the advancing technology of USB flash drives has made it easier to conceal them in other objects. For example, I have a friend at my school who has a watch which doubles as a 256MB USB drive. The connector and a short cable are hidden on the under-side of the band. Pretty tough to stop USB drives when they can be combined with common items, unless you want to have a company-wide strip-search policy . . .
I had a similar position to yours for several years, so I have some very general thoughts I hope you find helpful.
Any time The Boss read an article about something new, she would ask me about it.
There are two things that really helped me:
1 - I had spent a LOT of time (with an attorney) researching and developing what I still believe were really good policies. The attorney and I both learned a lot, since I lean towards anarchy.
2 - I learned to anticipate her requests by reading tech news voraciously and keeping my eye on headlines in the journals she read.
In this specific case, you should already have addressed this issue, since USB devices are (as another poster already pointed out) just one of many ways data can be copied to a personal device.
We can't answer for you. That's what you need to discuss with the owner, since it is *their* company. You just need to come up with a list of all devices that will need to be nixed if you decide to nix these (and some research places *do* nix all of this stuff). A partial list to get you thinking: Cellphones, cameras, PDA's, floppy disks, CD writers and/or media, DVD writers and/or media, copy machines. Once you have a list, you can get with your owner and have a sincere "how serious are you about this?" conversation and then come up with a policy general enough to cover whatever you end up with.
Mark
On every box:
Don't forget:
Yeah, right.
DRM = data + key in the same package. I have said this a thousand times -- cryptographically speaking, DRM just plain does not work.
Treat well your employees, and *that* you have the solution to the OP problems.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
"If someone emails out sensitive data, there is a record of it". I don't think so. You pack the data, encrypt it, put it inside a virus-looking executable, and send it to the destination with subject: "I love u", preferably from another workstation, not yours, then infect said workstation with some (new?) virus. Plausible deniability.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
I have my personal laptop (80GB drive) sitting next to me, with some CD-RWs in my briefcase behind me. What was the question again?
Yup, someone in Oregon/Washington got in trouble for accessing the medical records of that poor girl who was kidnapped when there was absolutely no reason for them to be looking at it. The hospital happened to have a policy that audits would be performed on every high-profile client (client, that's what they called 'em instead of patient) to make sure that no inappropriate accession of data occurred. They just happened to catch three people looking at her medical records pretty much for curiosity.
[yadda yadda temporary admin privileges yadda yadda] ... and trust them to log out.
Of course they'll have to log out eventually. It's Windows. I can never keep my workstation at work logged in without reboot for more than a week.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
...that a strict backup policy could help with.
You might need to write some custom software to monitor the backups, but it shouldn't be too hard to come up with some scripts that whip through a list of people that use USB drives and nag them to back up the data under penalty of administrative punishment.
People are missing the point here. It's not about just banning USB Flash drives. Policies & rules are created to give the company a level of paperwork to fall back on. Say somebody takes X amount of data or source code home, starts selling, and gets busted. At least in court they can't say "But there was no rule against it!" Think of it like having a logon banner for servers. Does it really deter hackers? No, but it gives you a bit more of a leg to stand on if it comes down to getting the authorities involved.
It's a lot like setting a speed limit. Yeah, most people ignore it, and the rule can be abused by those who make the rules. But in the end there's a valid reason for having it. Strong, well-written and enforced policies are just another layer in your security model.
There are some people that if they don't know, you can't tell 'em.
I worked at an R & D lab and our policy was that any system (laptops mainly) that could be expected to leave the physical security of the building had to have all data encrypted. We used a program that encrypted the entire harddrive and then required a passkey in order to decrypt at boot. At the time I left they had not yet got as far as instituting such a policy for flash drives, though I expect they have by now.
This won't protect against a malicious employee or a determined attacker, but should fix the problem of data left around accidentally.
You really need to back up and find out exactly why they feel the need to use removable media and what they are doing with it. Chances are the answer will point to a bigger issue like maybe the users don't trust the backup system or cannot easily retrieve files from said backups. It might be that they often use different workstations etc. Whatever the reason, if you provide a good alternative then a simple policy change and some training is all that is necessary but if you don't then no policy will be strong enough. The only ones that will actually listen to a policy that keeps them from getting work done are the weenies who probably weren't doing anything anyway and you'll end up fighting with the good employees.
If you're really serious about security, disable USB mass storage devices on all machines, diskdrives and CD-burners too.
You'll maybe need to treat laptops differently, but those are a problem anyway, because they get stolen all the time. I haven't figured out how to handle those properly.
RogerWilco the Adventurous Janitor
USB port + Epoxy resin = Security. Anything you currently do with flash drives can be done across the network, all necessary peripherals can be run through PS/2, and you don't have the bother of patting people down for their flash drives.
-Meeper
The most common reason I hear for why we just HAVE to give so many people, e.g., CD-burners is "they need to take data home to work on it..."
I keep wondering - wouldn't it be simpler to set up a "Windows Terminal Server" and have remote employees use THAT instead? That way, the only data leaving the company are (presumably encrypted) screen updates and key presses (yes, you CAN transfer files directly through the same mechanism, but how often would you legitimately need to if you can operate your "official" company computer from wherever you are instead of working off of some spyware-infested "home" computer directly?)
On a related note, anyone know how well the NoMachineNX RDP proxy would handle this sort of thing? Sure seems like it would be better than a more heavy-handed "VPN" connection that seems popular right now if it works effectively. Rumor is that it works reasonably well even on dial-up links, but I'm having trouble puzzling out how to set up to do RDP proxying from the various documents I've found so far.
For cases where someone really does need to make a CD of data to send to someone legitimately, perhaps a centrally located CDR "printer" with a web interface (perhaps something like this? Though I'd swear I'd seen more recent implementations of this concept using PHP) that users would send the files they need burned to, and the central box would make a record of what was being burned. (Ought to make the auditors happier, anyway).
Just my own thoughts on the problem.
Hacker Public Radio is our Friend
Sounds very possible. A Microsoft technical support representative told me that there are 760 policies in Windows 2000, more in Windows XP. So, I'm not about to look. My guess is that the Windows policies are too crude to be effective in cases where you sometimes want to use the USB port for something authorized.
[I'm not a windows admin so I've no idea if any of this is possible...]
You might....
Figure out how to log all USB plug-in/remove events and notify a central location when they are USB Mass Storage devices. Figure out how to log all copies or transfers to/from USB mass storage devices. Make up some reporting process and either have a talk with excessive USB-keyers or disable their USB ports. Remember that they can probably use other workstations to do as they please. Could USB Mass Storage devices be made 'read-only' via some policy editor?
(Probably easier on an OS in which you could mess with the kernel sources.)
Let your users know all activity on the corporate network is being logged (not keystrokes or file contents - file names probably OK) and what behaviour is not OK.
Notify that all USB key contents will be inspected and copy off of any USB drive as soon as it's inserted for later inspection. Tell them big brother made you do it and if they're worried about their personal stuff being looked at to not use their personal USB key at work.
Just ideas....
No, USB is a completely different and far more difficult issue to handle.
It is not really COMPLETELY different... USB may have other uses, but on a corporate desktop you are only likely to use USB for keyboards and mice.
With floppies, tapes, CD-ROMs etc, it is easy to restrict a PC. The peripherals can either be removed completely or they can have physical locks placed on them that require a key in order to use them. The peripherals can also be disabled in the BIOS which in turn can be protected by password. So, with these devices, it is relatively easy to prevent users from using them at all.
This is all technically true of USB as well. I have never specifically looked, but there is no technical reason you cannot manufacture a physical lock for a USB port. Lock in a keyboard and mouse (or use PS/2 instead) and you are set. And as you said, you can disable USB in the BIOS.
If your company is this concerned about data security then they should buy machines with PS/2 keyboards and mice.
However, most companies have still bought machines with floppy drives for the past 20 years. If they were not worried about this problem then, why would they be worried today?
So, the problem is a massive one. How do you limit the connection of certain USB devices, such as flash drives or WiFi dongles, to the machines on your network while still allowing most other devices to function?
If this is the issue, why not just remove all USB drivers from the system except for HID devices? I would imagine a USB drive would not work without the mass storage driver installed.
The problem may be as small as a 512MB keychain fob or as large as a 300GB external USB hard drive hidden in a purse.
Go back 10 years and substitute "keychain fob" with "floppy diskette." We have had this problem forever, and it is not new. If a company was truly concerned about this they would buy machines with no removable storage that was writeable. They can do the same today by going PS/2 for keyboards and mice. These companies will not care if they have to pay extra.
Connecting a USB WiFi fob in a multi-story building is another monstrous security issue.
Again, removing the drivers will fix this problem. You still, however, need to worry about someone plugging wireless bridges into your network... I can drop a hub and a wireless bridge under your secretary's desk. Then all I'd have to do is spoof her MAC address at night and poke around your network all I want. You would likely never notice it was happening until it was too late.
In any case, USB security is different than floppies and CD-RWs and it is a serious matter for those that are concerned with security.
It is a SLIGHTLY different problem with very similar solutions.
My wife was telling me that the hospital she works at uses a thin client solution where none of the desktop workstations have any type of removable storage, whether it be on floppy, USB drive, or optical media. All the applications and data are kept on blade servers in the data center. If your company has the money available in the budget, I'd go with at minimum a remote desktop solution and have the security policy configured that no data can be copied from the server to a workstation. Only thing left to worry about is the integrity of the employee who has access to the data.
If the issue is keeping track of files as the original post implied, then the answer is one of training. Don't store anything long-term on removable media such as floppy drives or flash drives. (I'm ignoring backup solutions such as tape drives for the moment.) Use flash drives as a convenience to walk files from one computer to another, not to store anything critical.
Lasers Controlled Games!
Hot glue the USB ports on each PC, so nothing can be plugged in.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
I work for your typical 15-employee company. Because of an incident lately (data theft & deletion after firing a guy), we have locked down cd/dvd recorders and USB mass storage devices. These can both be done through the registry. Just set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Start = 4 (from 3)
to disable USB mass storage support. To disable CD burning:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoCDBurning=dword:00000001
Just make sure your users don't have admin privileges on their boxes (ie. simple user accounts only!)
Obtain a large number of memory sticks branded distinctively with the company's logo/colours. Hand these out freely to employees. Make replacements easily obtainable on request subject to a record of issue being made.
Only company-branded memory sticks can be used in company-owned machines. Using non-company-owned sticks in company-owned machines is considered a disciplinary offence.
Company-owned sticks that are inserted into non-company owned machines must be considered compromised and the company must be informed of such events.
On termination of employment, all company-issued property must be returned, including memory sticks. These are scanned for presence of illegitimate files.
The above policies aren't perfect, but they may be good enough to stop the most stupid offenders.
Alternatively, just put physical locks on the USB ports of company-owned hardware.
Lock the door, and your developers out?
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
I think you need to relearn some cryptography.
?!
We are on the topic of data theft BY YOUR OWN EMPLOYEES. You know, Bob and Eve are the same person. Again, the disgruntled employee HAS THE FSCKING KEY, he can access the data, or the guy in the next cubicle (that can have his computer eavesdropped, and his key discovered) has it.
If I really need lessons in crypto, state your name (as in opposition to AC) and indulge me, please.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Here where I work (a large defense contractor) there are signs posted all over that forbid having flash drives and other things such as camera phones anywhere in the complex. There are no IT policies though, and I still see people using them just about every single day.
If you're so concerned about security, why use thin clients? Flash drives won't work, no cd burners, the only way to get data out is through the firewall, perfect for a high security situation, and less work too.
AFAIK: all your employees have physical access to the workstations. Any data they can access and some they shouldn't, they can put in an USB drive. Any data they can put in an USB drive / iPod / laptop HD / other removable media they can take home to your competition.
Can one do something to avoid it? Can one put a policy in USB drives to avoid it?
And the answer is: no. The only (somewhat) effective measures that you can take are (try to) get good people and treat your employees well, compensating them adequately, etc.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
XP SP2 does support using Group Policy to limit USB storage devices to read only. Where I work the Corporate Security group doesn't even want to allow read access. That makes sense for a number of reasons, so that wasn't an option for us. Not to mention the fact that SP2 is a minority in our environment.
Our solution was to create a package for software delivery that does the following:
1) Create the reg key HKLM/System/CurrentControlSet/Services/USBSTOR if it does not exist.
2) Create a REG_DWORD value named Start if it does not exist. Set to 4.
3) Change permissions on the key, removing all inherited perms, and setting System:Read, Everyone:Deny
This will effectively disable any USB storage device and stop Plug and Play from installing any new drivers for USB storage. The job runs multiple times a day on each machine. In addition, it also reads machine names from an exception list (VIP users approved by Corp Sec) and takes no action (or reverses the changes) if it finds it's running on a listed machine. It also logs any non-exempt machine where an administrator has removed the restrictions manually.
Works surprisingly well.
I reflect your pompous signature back upon you.
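Added example, not part of any poster's comment and not the package that poster's company deployed: a PowerShell sketch of the recurring job described above (steps 1 and 2, the exception list, and the logging of removed restrictions), using the same USBSTOR Start value as the 15-employee-company comment earlier in the thread. The ACL change in step 3 is left out. The exception-list and log file paths are assumptions, and the script must run with rights to write HKLM (for example as a scheduled task under SYSTEM).

```powershell
# Added example: keep USB mass storage disabled and log drift.
# $ExceptionList and $LogFile are assumed paths, not taken from the thread.
param(
    [string]$ExceptionList = 'C:\ProgramData\UsbPolicy\exempt-machines.txt', # one machine name per line
    [string]$LogFile       = 'C:\ProgramData\UsbPolicy\usbstor-enforce.log'
)

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Disabled = 4   # Start = 4: driver never loads
$Manual   = 3   # Start = 3: default, driver loads on demand

function Write-PolicyLog {
    param([string]$Message)
    $dir = Split-Path -Parent $LogFile
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    $line = '{0} {1} {2}' -f (Get-Date -Format 's'), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

function Get-UsbStorStart {
    # Current Start value, or $null when the key or the value is missing.
    if (-not (Test-Path $KeyPath)) { return $null }
    $prop = Get-ItemProperty -Path $KeyPath -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.Start
}

function Set-UsbStorStart {
    param([int]$Value)
    # Step 1: create the key if it does not exist.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # Step 2: create or overwrite the REG_DWORD value named Start.
    New-ItemProperty -Path $KeyPath -Name Start -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

# Load the exception list; blank lines and lines starting with '#' are ignored.
$exempt = @()
if (Test-Path $ExceptionList) {
    $exempt = Get-Content $ExceptionList |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
}

$current = Get-UsbStorStart

if ($exempt -contains $env:COMPUTERNAME) {
    # Listed machine: reverse an earlier restriction, otherwise take no action.
    if ($current -eq $Disabled) {
        Set-UsbStorStart -Value $Manual
        Write-PolicyLog 'EXEMPT restriction reversed (Start 4 -> 3)'
    }
    return
}

if ($current -ne $Disabled) {
    # Non-exempt machine without the restriction: record it, then re-apply.
    # The first run on a fresh machine also lands here and is logged once.
    $was = if ($null -eq $current) { 'missing' } else { $current }
    Write-PolicyLog "DRIFT Start was $was, expected $Disabled; re-applying"
    Set-UsbStorStart -Value $Disabled
}
```

A DRIFT line on any run after the first means something changed the value between runs; collecting the log files centrally gives the per-machine report the comment describes.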
If you are running an AD Domain, use group policy.
Fuck, even in the future nothin' works!