Colleges Wrestle With Thumb Drives

Lucas123 writes "IT managers at colleges and universities are grappling with the problem of finding ways to better secure removable storage media in an environment that encourages information sharing. Draconian security mandates 'may be common in the corporate world, but "we don't have the flexibility to simply say all inbound traffic is locked down," said Jason Pufahl, information security team lead for IT services at the University of Connecticut.'"

Re:What the hell is this about?

[cp.tar]

If they don't want viruses coming in, install virus scanners or don't allow executables to be run from user drives... and have the machines re-image on a regular basis.

Or, as the GP suggested, use a more secure system.

Of course, no system is absolutely secure, but I feel that here we're dealing with stupidity, not malice - dumping Windows and Windows viruses seems like a foolproof plan to me. (Of course, nothing ever is foolproof.)

If they don't want sensitive data going out, banning media isn't going to stop some bonehead from using a floppy or emailing it to himself (or putting it on a "secret" part of his webpage).

Or using the camera on his mobile phone to make some screenshots. (I still can't believe that somebody took the time to take pictures of and then post the whole of Harry Potter.)

Re:What the hell is this about?

[Datamonstar]

The Harry Potter leak was a group effort. Everyone was responsible for only a range of pages instead of one person doing the whole book. But yeah, you're spot on with the cameras. It's difficult to secure sensitive information group when we have so many avenues of data collection in this so-called digital age. The best (fair) solution I can think of for beating cameras is to actually have a person walking around in the area and watching for people doing questionable things. Good old fashioned security that's simple to implement and really hard to beat. I don't know why it's not used more instead of people putting their trust in expensive and ultimately insecure solutions.

High Security leads to a false sense of security.

[jellomizer]

Not just in colleges but in corporate work environments. Block this stop that don't allow those.... But whatever they do if we need a way around we could get one. Most computers have bluetooth. So you have you cell phone right next to your computer unknown to the security guys you use your bluetooth as a PPP connection to the internet to check your mail or worse as a backdoor in, or a way to send traffic out. Even if the computers don't give you the security to boot there is always the Live CD option with a Linux distro with VMWare running in full screen most people won't know the difference. What ever they come up with there is normally some way around it. You are actually better off having a more open system, a good firewall to block outside traffic, allow external emails to come in and if you are silly enough to use Windows for your work station have your virus scanner up to date. Anything more make people realize that you are anal on security thus feel more pressure to find a way around it... Remember a worker may not know how to click the start menu to get to additional programs but if you stop them from their email they will learn to setup a Proxy Server in No time...

Huh?

[kalaf]

"In recent months, some universities have been hit by incidents of lost or stolen flash memory and storage devices.

In June, for example, Grand Valley State University was forced to notify 3,000 students of a stolen Zip drive."

The article is all over the map. They are worried about hackers getting into your system and stealing your data in one paragraph, viruses from iPods in the next, and then they have some idiot storing SSN's on an unencrypted flash drive...

I don't know about most universities, but the one I went to didn't give everone admin access. When you logged on it would clear the local temp directories (i.e. everywhere the previous student had write access). Simple, and it makes it very difficult for viruses to propagate or hackers to install a keylogger.

What prof's need your SSN/SIN for is beyond me. We had "student" numbers, which were posted everywhere and didn't hold huge potential for abuse. No doubt the university could translate those to a SIN, but that system was supposedly secure.

Well, even that is false

[WindBourne]

Corporations claim to lock down systems, but nearly ALL of their systems have a CD burner and/or USB ports. And almost ALL systems are capable of being opened, hard disk lifted out, taken home, copied, and then put back in the system. There really is no such thing as corporate lock-down if they are run a windows desktop env (which is 97% of them). But what amazes me, is that they all tell the CEO that it is secure, and the CEO acts like it is. Weird.

Re:Well, even that is false

[bhima]

This describes my office perfectly. The corporate IT policy bans everything: USB flash memory; Digital Music Players (like my iPod); Portable exernal drives; coming in or out of the building with *anything* that can store data; Any website that even faintly looks like you could upload something (Flickr, Gmail, Hotmail, photobucket, &tc); any program not available on the corporate NetInstall craplet; any encryption any time any where. Every person outside of R&D has this massive WindowsXP install regardless of what they actually need or want.

I've seen them fire people over it.

however... all the managers have laptops and we go in and out every day with them. Each department have a fleet of burners and scanners. Every single member of R&D has at least 2 USB memory sticks. and I've been using my iPod everyday for over 5 years.

So what's the point? Surly I am not about to steal corporate secrets, and the mechanisms preventing me if I was inclined to do so, have nothing to do with site or IT security. A disgruntled employee who didn't understand the difficulty in marketing such things is in no way going to be able to figure out what to take and how to do so (or even be able to get to the part of the building where he could have access to the data). The segmentation of the network encourages the use external memory to transfer data from the segment containing the devices that create the data to the workstations of the people that analyze data.

Loss of SSN should not be a serious issue.

[140Mandak262Jamuna]

Why losing a drive containing SSN of some 199 old students become a serious issue? In this day and age of information storage, it is high time we view SSN as public information. The number of strangers who have legal access to my name, address and social security number is staggering. Doctor's office staff, university offices, payroll department of employers ...

Why should I be held responsible if someone recites my name, rank and serial number correctly and obtains a loan based on that very simple trivial fact? The problem is in the credit industry that wants to lend money at a moments notice to people before their impulse to borrow fades away.

All we need is a very simple change of law about default reporting. Let the companies lend without checks if they want to, it is after all their money. But they should not be able to report a loan as overdue or unpaid or in default without going through due diligence to verify that the person they are accusing of being a deadbeat is really the correct person.

Let us change the burden of proof. Currently the victims of ID theft have to prove that ID theft occurred. Let us change it so that, it is the lender who should prove that ID theft did not take place.

Then it wont matter if some department loses a hard disk containing million SSNs. Will it?