Forgot your password?
typodupeerror
Security

Towards a Comprehensive USB Flash Drive Policy? 121

Posted by Cliff
from the time-for-a-usb-device-blacklist dept.
sconeu asks: "The company I work for is going through some growing pains. This is a -good- thing, but due to the growth, some changes are necessary. I'm the guy who does IT and IT policy, however I'm actually a developer by job description -- I was doing IT on the side. Anyways, we're going through growth, and one of the things we are trying to address is security. Currently, our policy is wide-open (for internal machines). The owner has expressed some reservations about the increasing use of flash drives, in an overall security setting. Everyone involved here realizes that there's not much we can do against a malicious employee, but we're looking to avoid accidental data loss from USB sticks, and other solid-state storage media. Has anyone on Slashdot dealt with this issue? What policies and protections did you end up putting in place, if any?"
This discussion has been archived. No new comments can be posted.

Towards a Comprehensive USB Flash Drive Policy?

Comments Filter:
  • I don't understand why this is a new challenge. Why can't existing policies regarding floppy disks simply be applied to this?
    • or CDR and DVDR
    • Damnit Dong, I like the cut of your jib.

      Meeting over. Happy hour!
    • Everyone commenting on this subject seems to be whining about this being nothing new. It's just like floppies!

      How many floppies have you seen that can act as a wireless network adapter?

      • How many wireless network adapters have you seen that you can transfer 128MB of secret files to?

        Granted,it's probably more than the number of floppies that can be wireless nics, as I counted zero.
        • Huh? I think you missed the point somewhat, but I'll reply anyway.

          A wireless network adapter cannot store 128M of "secret files", no. But it can transfer them elsewhere in a minute or so.. And possibly give more network access than you ever intended in the meantime, as well.

          • The original submitter is looking for a policy on USB flash drives. That has nothing to do with network adapters. I would hope the users don't have permissions to setup a new network adapter.
        • How many wireless network adapters have you seen that you can transfer 128MB of secret files to?

          Dood! [sandisk.com]

    • Re:Floppies? (Score:2, Insightful)

      by UncleBex (176073)
      I'm not sure why it should matter at all. If you are already resigned to the fact that a malicious person would still be able to do something or steal data, then why punish other individuals who use USB storage devices for the hypothetical Forces of Good. In my organization, we have several users who use USB sticks so that they can take their work home with them and we're supposed to encourage/enable them to do it (as the Admins).

      But for what it's worth, we are not a bank or the military, so our policies
      • No, what he's saying is that they realize they can't do much to stop malicious intent, but they're trying to make sure that since they will be using the Solid State Drives, they want a policy that will make sure that the critical data isn't on the USB devices, that tend to have a relatively high failure rate (and/or don't normally get backed up)
  • Well at least my department anything that could be used as a mass storage device is forbidden. It would have been much easier for them to disable the USB ports as out keyboards and mice still all have PS/2 connectors or USB to PS/2 converters.
    • Well, not everyone can afford to ban laptops and mobile phones, CD-Rs and CD-RWs, and cripple the USB ports on their machines. Some organizations like to, you know, get work done.
    • This is a bit misleading, as not all parts of the "Government" have a policy such as this. All of the work that we do in my "Goverment" organization is availiable via FoIA requests, so in general we don't limit our users with stupid policies regarding USB sticks.
    • > Well at least my department anything > that could be used as a mass storage > device is forbidden. Check your brain at the door... :)
    • USB cards aren't only used to "store" data. I have several and I rarely use them simply to "store" data. I use it for moving information. Whether that's a paper for school or a huge power point or several programs for a friend's computer. In business, USB cards can be very helpful. I know that my dad uses email to transfer information back and forth. However, if you have a huge presentation with lots of media in it, e-mail doesn't cut it. E-mailing a 500mb file is not an easy task. So what do they d
  • Two bits of advice:

    1) Watch out for hot women with stainless steel thermal mugs; they'll have a USB drive in the false bottom of the mug.

    2) Don't trust anything Al Pacino tells you about your father's service in the CIA or your mission.
  • > "Currently, our policy is wide-PrivoxyWindowOpen(for internal machines)"

    Does this cut down on the ads and spyware for you, too? ;)
  • Revert to 486 machines and Windows 95. NO USB, no problem!

    Hmmm... still have those floppy discs to deal with though....

  • I work at a bank, which of course has some pretty stringent security policies. It's pretty simple here: USB is disabled in the BIOS. It can be enabled by special request (usually for execs and their PDAs) and in such cases, we disable USB2.0 (just 1.1), require stronger passwords on the workstation, and have a screensaver set to lock the PC after 3 minutes of inactivity. This doesn't mean we don't have problems from enthusiuastic users that know how to change BIOS settings, but for the most part, problems
    • This doesn't mean we don't have problems from enthusiuastic users that know how to change BIOS settings, but for the most part, problems were avoided.
      Why not lock the bios?
      • Now, that's a very good question. I asked this myself when I first started working here. The fact of the matter is, in a 2000+ workstation environment where passwords need to change every 90 days, that's unrealistic. United States Banker's Law requires all passwords used to have a minimum level of complexity and for them to be changed every 90 days. We're fine if there isn't a password there, since the BIOS is not required to be protected, but if there was a password, it would have to be changed every 90 da
        • Thank god I'm Canadian... but realistically it should be put forth that the law be amended to state when password can be changed without requiring such a massive downtime/human labour. In other words excluding the BIOS but not excluding things like windows passwords as those can be simply set to expire and have criteria for the new password.
          • Do you want your credit information potentially stored on insecure desktops that any yahoo can compromise?

            If you need to rotate BIOS passwords every 90 days, buy PCs that allow that capability. IBM/Lenovo PCs allow remote BIOS changes and upgrades, for instance.

        • Which reg?

          If you want to exclude BIOS passwords from your policy, aren't you free to do so?

        • >United States Banker's Law requires all passwords
          >used to have a minimum level of complexity

          Good.

          >and for them to be changed every 90 days.

          Stupid!

          Passwords should be changed when there is some specific *reason* to change them.

          -kb
          • specific reasons like 1 million customer records were stolen by someone?
            • What is the connection?

              Say some car is stolen. Does that mean every car's locks should be changed every 90-days?

              A password should be changed when there is reason to believe it has been compromised. Also, passwords should never be reused across different circumstances. And they should be complex enough to not be guessable (no, "golum" is NOT a good password). But changing them every 90-days? What does that accomplish beyond making them really hard to manage, forcing people into putting them on postit no
  • I'm not sure if windows would freak out or not, but couldn't you just remove the usb mass storage driver from the system?

  • What's needed is software that limits USB and other connections to those that are allowed. Such software exists, but is expensive. Here is software [newsoftwares.net] that is less expensive than packages I've seen, but the web site is so sloppy I lack confidence in it.
    • I thought WindowsXP Group Policy already included policies related to removable media.

      • Sounds very possible. A Microsoft technical support representative told me that there are 760 policies in Windows 2000, more in Windows XP. So, I'm not about to look. My guess is that the Windows policies are too crude to be effective in cases where you sometimes want to use the USB port for something authorized.
    • Well I didn't notice a mention of OS, but...

      How about a kernel compiled without USB drivers. Hmm... while we're at it probably should remove serial port drivers, parallel port driver (backpack cdrom writer uh-oh) cd writer drivers, sound card drivers (the analog hole eek!), network drivers (don't want a hole through which data could escape to another machine which DOES have USB) and probably we won't be needing video drivers, because if you have those, then the employee might look at the company secrets on
      • Dude, did you even read the effing summary?

        quite clearly "Everyone involved here realizes that there's not much we can do against a malicious employee, but we're looking to avoid accidental data loss from USB sticks, and other solid-state storage media. Has anyone on Slashdot dealt with this issue?"

        Congratulations, you win the most irrelevant rant this week award, have a gold star!
        • Yes El Duderino, I did.

          Actually I responded to directly to his question. First, I reinforced his supposition (which he seems to be waffling on) that there's probably nothing you can do if you let people have general purpose computers. And I made the point that to attempt to try would be costly.

          Then I said that if you're just worried about an employee acting negligently (i.e. not being careful) then you need to start checking people for secrets at the door, and make some examples. Suddenly you will find that
  • No USB storage devices allowed.
  • Anyone panicked of USB security is only displaying their naivete! The risks with USB drives are essentially the same as those with floppies, tapes, or email attachments. Unless you want to strip search everyone leaving at night, the key to this kind of security is education and management vigilance.
    • The risks with USB drives are essentially the same as those with floppies, tapes, or email attachments.

      You're right. This is a much bigger issue than most people realize.

      Every night employees leave the office with sensitive information retrieved through their monitors. The use of monitors is widespread in most offices. In fact there may be a monitor on your desk right now and you wouldn't even know it!

      So while half your IT staff is frisking for USB drives, the other half should go around removing

  • I'm not sure I understand what the concern is. Your question seems to imply that you're worried that employees will copy data onto a USB stick and then lose it, rather then intentionally stealing information that way.

    If thats the problem, I'd be much more concerned about where the employee is taking that data. The only reason someone would put company information on a data key is so that they could move that information to a computer somewhere outside the company network. *That's* where your security con
    • How many "missing laptop" stories have there been?

      Sadly, the only *real* solution to data ownership and control is DRM. The question then becomes can a DRM system be made that will allow sufficient control, but maintain the flexibility that is required for people to work within its constraints. At the same time, this snake oil must be easy to manage.

      A USB thumb drive is more secure than a laptop in many ways; fewer people want to steal the thumb drive for theft of the physical object.

      The trick is to find
      • DRM = data + key in the same package. I have said this a thousand times -- cryptographically speaking, DRM just plain does not work.
        Treat well your employees, and *that* you have the solution to the OP problems.
        • "Treat well your employees, and *that* you have the solution to the OP problems."

          Yoda is working in IT now? Better than the swamp, I guess.
      • Just because a laptop is missing or stolen doesn't mean the data on it is instantly compromised. You can easily use transparent encryption for everything on the hard drive and unless it's stolen while turned on and unlocked, the data is most likely safe.

        Most people who steal computers take them for the hardware, not the data. If they can't get into the HD to take a look around in a few minutes, they're just going to reformat it and sell it on eBay.

        Also, why would encrypting the data and putting it on a thum
    • The only reason someone would put company information on a data key is so that they could move that information to a computer somewhere outside the company network.

      Nope. The main reason they do is to avoid the network and sneakernet it around.

      I've pointed people to network resources many many times...only to be told within minutes that 'Bob has the latest copy of that on his computer...ask him and he will make a copy for you'.

      When Bob's computer dies...the admins should be able to restore all data.

  • Please explain (Score:3, Insightful)

    by MobyDisk (75490) on Tuesday August 02, 2005 @03:10PM (#13224246) Homepage
    I've heard of companies that had issues with flash drives, but I've never understood why. Could you explain it to me?

    I assume it is a concern about people copying files to the flash drives and walking out with them. But small high-capacity removable media is not anything new. When 3.5" floppy drives were common, it was trivial to take large amounts of source code, documentation, etc. Then came CDs, with more of the same. Today, DVD disks are either 3.25" or 5.25" in diameter, completely flat, and hold far more than flash drives. Yet I've never heard of anyone concerned about the security implications of DVDs. Most of my coworkers have PDAs or laptops. And every computer in the office has internet access.

    So why are flash drives so magical that they deserve special treatment?
    • my guess is that the companies who are worried about usb drives are already giving these employees systems without cd/dvd burners or floppy drives, and monitoring their internet access. Reasons for this sort of security might be legal responsibility for any sort of government or financial system, like the bank mentioned in an earlier post. I suppose such behavior can be excused in these cases, anywhere else, it merely creates an enviornment that says the employees aren't trusted.
    • I agree with your sentiment, but if I was to try to look at it from a paranoid management perspective I would argue as follows:

      3.5" floppies don't hold much data

      My office desktop doesn't have a cd/dvd burner

      If someone emails out sensitive data, there is a record of it

      So I guess the advantages of a flash drive are that it holds a lot of data, requires no special hardware beyond what is found on the simplest of laptops, and there is no record of information being stolen.

      Is that sufficient to de
      • "If someone emails out sensitive data, there is a record of it". I don't think so. You pack the data, encrypt it, put it inside a virus-looking executable, and send it to the destination with subject: "I love u", preferrently from another workstation, not yours, then infect said workstation with some (new?) virus. Plausible deniability.
        • You don't allow people to run un-authorized executables. How will they encrypt it?
          • I imagine that you could access cryptographic capabilities via Windows or Office scripting extensions. You could even make a Word or Excel macro that does this alone.
          • I can do RC-4 by hand. If millions of dollars were at stake I would figure out some way to do it.
    • I'm the article submitter.

      As I said, we realize that there's not a damn thing we can do about malicious intent.

      What the boss is concerned with is more along the lines of: "we use USB sticks for transferring data all over the place, including non-company machines (during demos, etc...). Sometimes a USB stick may be placed on a machine connected to a non-company network (e.g. a laptop). We want to avoid accidental disclosure in such cases."

      Personally, I think the founder is a bit paranoid, but our company i
      • we use USB sticks for transferring data all over the place, including non-company machines (during demos, etc...). Sometimes a USB stick may be placed on a machine connected to a non-company network (e.g. a laptop). We want to avoid accidental disclosure in such cases.
        Perhaps it would be a better idea to invest in a couple of portable HDDs. That way you could run the program from the HDD and that way it's easier to ensure that you actually take it with you.

        Furthermore you should (of course) establish routin
      • Pretty easy (in principle).

        Make the sticks bootable, install your own OS on it so you can control the flow of data yourself. Encrypt it if you like to for extra (theft of device) security.
    • USB drives are small, tiny, easy to use, fast, and reusable. Burning a DVD takes time and "wasting" a DVD. With a USB drive, you plug it in, copy it over and your done. No burning, no playing wiht the CD drive. Just drag and drop. Then you pocket it. Bring it to the computer you want the info on. Drag and drop. You want to erase your tracks? Drag the files from the drvie to the trash. DONE!

      While this may make USB drives dangorus, it also makes them VERY helpful! The guy down the hall wants the new

  • Assuming you're in a managed windows environment where standard users are lacking the privileges to make changes to the operating system and it's settings (outside of application specific user options), you can apply certain registry settings that make all USB mass storage devices read-only.

    This, coupled with good remote log hosts and alarm systems will not only prevent users from smuggling data, good or bad, it can also alert you to the activity.

    This is, of course, moot if the workstations are equipped wit
    • most BIOSes I came across in the last year permit boot from USB, and none have some option to disable it -- yes, you can *think* you disabled it, but the magic (cntrl-f10) "boot menu" key continued to work. I found this tremendously insecure.
      • If someone has gotten so close to the computer that they can plug in a keychain drive, boot their own OS, and steal data, then your security failed long ago. Ever hear of locking the door?
        • Lock the door, and your developers out?
          • If you do not trust the people with physical access to the servers, then fire them. Security through insecurity is no security at all.
            • AFAIK: all your employees have physical access to the workstations. Any data they can access and some they shouldn't, they can put in an USB drive. Any data they can put in an USB drive / iPod / laptop HD / other removable media they can take home to your competition.
              Can one do something to avoid it? Can one put a policy in USB drives to avoid it?
              And the answer is: no. The only (somewhat) effective measures that you can take are (try to) get good people and treat your employees well, compensating them adequ
  • This product GFI LANGuard PSC http://www.gfi.com/lanpsc/ [gfi.com] will let you lock your USB mass storage on a per user basis on WinDoze machines.

    We tried it in the demo mode when the administration at a client was freaking out about IPods. We ended up going with a written policy (that actually had enforcement!!!!!) instead of a technology solution!

  • More and more I see companies trying to solve every problem or perceived problem by putting a policy in place. Usually, this solves the problem at the expense of morale and productivity. A once simple task is now a complicated nightmare.
    It's a mistake to put a policy into place as a knee-jerk, first response. Instead, hire good people, train them well, treat them well and let them be your first defense against problems. Policies are to clarify ambiguities and apply standardization - not as a cure-all for ev
  • As long as you have laptops with 60+GB hard drives walking in and out of the building, any plan to limit USB drives is only going to bite the 99.99% of the people that actually use them from productivity. That .01% that has some illict reason to share files outside the company will be slowed down, but then email them, burn them to CD, FTP them, fax them, or just keep it on their laptop and walk it out the front door.

    And even if all those are plugged, there is still the option of printing it out and mailing
  • I'm not here to preach about whether our not it is smart to manage removable media.
    I'm just here to give you this link. [securewave.com] It's a great piece of software that works well.
  • I had a similar position to yours for several years, so I have some very general thoughts I hope you find helpful.

    Any time The Boss read an article about something new, she would ask me about it.

    There are two things that really helped me:

    1 - I had spent a LOT of time (with an attorney) researching and developing what I still believe were really good policies. The attorney and I both learned a lot, since I lean towards anarchy.

    2 - I learned to anticipate her requests by reading tech news voraciously and keep
  • On every box:

    • Zonealarm
    • McAfee/Symantec antivirus
    • AdAware + SpyBot S&D
    • Run HFNetcheck (or equivallent) to ensure all patches roll out promptly
    • Replace IE icons with FireFox
    • Enact general policy to not store any data locally,

    Don't forget:

    • Backup the network every day
  • I have my personal laptop (80GB drive) sitting next to me, with some CD-RWs in my briefcase behind me. What was the question again?
    • You can get a 2GB SD card that is the size of a postage stamp. That has a much higher data density than even a DVD, and it is much easier to write to. You can get a USB card reader for that that is about 1/2 the size of a pen.

      These two things are also much easier to smuggle out the building than a CD.
      • Maybe you didn't understand the response. My personal laptop goes in and out with me every day. Along with my briefcase, which has a partial box of CD-RWs in it.

        A 2GB SD card won't fit in the work machine that is here, but the CD-RWs will fit in my R/W drive on that machine.

        Heck, up until recently, I was allowed to connect my laptop to the company LAN.
  • ...that a strick back up policy could help with.

    You might need to write some custom software to monitor the backups, but it shouldnt be too hard to come up with some scripts that whip through a list of people that use USB drives and nag them to back up the data under penalty administrative punishment.

  • People are missing the point here. It's not about just banning USB Flash drives. Policies & rules are created to give the company a level of paperwork to fall back on. Say somebody takes X amount of data or source code home, starts selling, and gets busted. At least in court they can't say "But there was no rule against it!" Think of it like having a logon banner for servers. Does it really deter hackers? No, but it gives you a bit more of a leg to stand on if it comes down to getting the authorities in
    • So, if I put a sign on my car saying "Stealing this car is illegal", I have a bit more of a leg to stand on if the car gets stolen?
      • It's pretty hard to say "I didn't know stealing a car was illegal" and have it stand up in court.

        OTOH you can make an argument that since a machine has services available to the public, e.g. a web server, the "Oh gosh, I didn't realize I wasn't supposed to dump the hash file, crack all the passwords, and turn the box into a warez dump" argument may stand up. But by explicitly denying "unauthorized use", you've got a slightly better case.

        No, a banner won't help much. But it's there, and since common sense do
  • I worked at an R & D lab and our policy was that any system (laptops mainly) that could be expected to leave the physical security of the building had to have all data encrypted. We used a program that encrypted the entire harddrive and then required a passkey in order to decrypt at boot. At the time I left they had not yet got as far as instituting such a policy for flash drives, though I expect they have by now.

    This won't protect against a malicious employee or a determined attacker, but should fix th
  • You really need to back up and find out exactly why they feel the need to use removable media and what they are doing with it. Chances are the answer will point to a bigger issue like maybe the users don't trust the backup system or cannot easily retreive files from said backups. It might be that they often use different workstations etc. Whatever the reason, if you provide a good alternative than a simple policy change and some training is all that is necessary but if you don't then no policy will be st
  • If you're realy serious about security, disable USB mass storage devices on all machines, diskdrives and CD-burners too.
    You'll maybe need to treat laptops differently, but those are a problem anyway, because they get stolen all the time. I haven't figured out how to handle those properly.
  • USB port + Epoxy resin = Security. Anything you currently do with flash drives can be done across the network, all nessecary peripherals can be run through PS/2, and you don't have the bother of patting people down for their flash drives.
  • The most common reason I hear for why we just HAVE to give so many people, e.g., CD-burners is "they need to take data home to work on it..."

    I keep wondering - wouldn't it be simpler to set up a "Windows Terminal Server" and have remote employees use THAT instead? That way, the only data leaving the company are (presumably encrypted) screen updates and key presses (yes, you CAN transfer files directly through the same mechanism, but how often would you legitimately need to if you can operate your "officia

    • Your suggestions are good.

      you CAN transfer files directly through the same mechanism [RDP]

      You can also disable file transferes, clipboard copieing, and the other redirected services. It won't stop a dedicated attacker, but few things will.

  • [I'm not a windows admin so I've no idea if any of this is possible...]

    You might....

    Figure out how to log all USB plug-in/remove events and notify a central location when they are USB Mass Storage devices. Figure out how to log all copies or transfers to/from USB mass storage devices. Make up some reporting process and either have a talk with excessive USB-keyers or disable their USB ports. Remember that they can probably use other workstations to do as they please. Could USB Mass Storage devices be mad
  • My wife was telling me that the hospital she works at uses a thin client solution where none of the desktop workstations have any type of removable storage, whether it be on floppy, USB drive, or optical media. All the applications and data are kept on blade servers in the data center. If your company has the money available in the budget, I'd go with at minimum a remote desktop solution and have the security policy configured that no data can be copied from the server to a workstation. Only thing left t
  • Hot glue the USB ports on each PC, so nothing can be plugged in.
  • I work for your typical 15-employee company. Because of an incident lately (data theft & deletion after firing a guy), we have locked down cd/dvd recorders and USB mass storage devices. These can both be done through the registry. Just set:

    HKEY_LOCAL_MACHINE\
    SYSTEM\
    CurrentControlSet\
    Services\
    UsbStor = 4 (from 3)

    to disable USB mass storage support. To disable CD burning:

    HKEY_CURRENT_USER\
    Software\
    Microsoft\
    Windows\
    CurrentVersion\
    Policies\
    Explorer\
    NoCDBurning=dword:00000001

    Just make sure your users don't
  • ...my policy would go something like this:

    Obtain a large number of memory sticks branded distinctively with the company's logo/colours. Hand these out freely to employees. Make replacements easily obtainable on request subject to a record of issue being made.

    Only company-branded memory sticks can be used in company-owned machines. Using non-company-owned sticks in company-owned machines is considered a disciplinary offence.

    Company-owned sticks that are inserted into non-company owned machines must be con

  • by Darktyco (621568)
    Here where I work (a large defense contractor) there are signs posted all over that forbid having flash drives and other things such as camera phones anywhere in the complex. There are no IT policies though, and I still see people using them just about every single day.

"Regardless of the legal speed limit, your Buick must be operated at speeds faster than 85 MPH (140kph)." -- 1987 Buick Grand National owners manual.

Working...