
Thoughts on the USB/thumb/jump drives 1


wlfpackr

IS-IT--Management
May 3, 2003
Just wondering what the thoughts were on these USB mass storage devices. I run an IT dept for a medium-sized company and these things always creep me out for a security hazard. How many times do you read that some company had a laptop stolen and now sensitive customer or employee data had been exposed?

These small little devices could easily bring a company to its knees, but is there a way to really stop it? It's not only these objects: iPods, cell phones, PDAs, etc. can all be used to carry data off site and can easily plug into a USB port on a PC.

Have I just become the old-IT fart that I used to complain about? Am I the crusty old man that is now trying to make the average Joe end-user's life complicated? Or is this a growing concern in other companies as well?

=================
There are 10 kinds of people in this world, those that understand binary and those that do not.
 
This is a security concern at companies. There are a few ways to lock them out.

1. Prevent end users from installing drivers. (There's a GPO setting for this if I remember correctly.)
2. There's a registry setting somewhere to prevent users from using them (check the Windows forum I think).
3. Use monitoring software to log and block data transfers to these devices. (I work for a company that makes one such piece of software and can shamelessly plug it if you would like.)

I'm sure there are other options but this is what comes to mind.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)

My Blog
 
Speaking of old farts and USB flash drives, here's a tip someone passed on to me: keep your flash drives in your glasses case. They'll always be handy and you'll always know where they are. (Unless you're one of those dingbats who is always losing his glasses.)

But seriously, why should employee trustworthiness be an IT problem? Isn't that a problem that, like many, just got dumped on IT because a technology solution is "magic and painless" and IT is a wonderful corporate punching bag? What is HR for? What does a hiring manager do? Why don't IT people push this problem back where it belongs?

These devices won't ruin your business; a negligent or evil employee will. How is that an IT problem?
 
How is that an IT problem?
I don't know about anyone else, but I'd rather take a few minutes to straighten out a user than several hours rebuilding a server or several days waiting to be deposed by some lawyer over a data breach.

As I see it, it would be reasonable to expect employee behavior to be exclusively an HR problem if and only if it would be reasonable to expect a well-trained employee to behave perfectly correctly 100% of the time. Since I have never seen anyone, myself included, who behaves perfectly correctly 100% of the time, I will take a belt-and-suspenders approach to managing users, and make employee behavior both an IT and HR problem.




Want to ask the best questions? Read Eric S. Raymond's essay "How To Ask Questions The Smart Way". TANSTAAFL!
 
How is it an IT problem?
Well HR or the business management has decided that the employees don't need to be able to use USB drives. As it's a technical issue who else besides IT should be tasked with stopping people from using them? It's a tech problem, so tech people should probably be the ones fixing the problem. Do we really want HR or the business people deciding how to prevent USB drives from being used?

While policies say that you can't use them, if an employee is willing to steal company data, why wouldn't they be willing to use a USB drive to do it?

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)

My Blog
 
Often it is down to technology (even old stuff) to restrict access.

Think of an HGV (truck or whatever they're called in the US!).
They are "supposed" to drive at a certain speed and for a set length of time, but these rules were often just ignored. Along came the Tachograph and reduced the problem.
Same with your USB: you're not supposed to steal data, but people do. So you restrict it via technology. It won't stop everyone, but it sure as heck will slow them down...

Only the truly stupid believe they know everything.
Stu.. 2004
 
These conversations are always interesting to me, especially since I read there were debates/worries/concerns about these things when the telephone became widely available in American business, and have reoccurred for every technological resource invented and popularized since then (e-mail, personal computers, floppy disks, local computers, CD-burners, web access, etc).

Everything is a potential security hazard, even notebooks and paper. Again, it's not the thing but how the people use it. Truthfully this is a people problem and not a technology problem.
 
But seriously, why should employee trustworthiness be an IT problem?

It's not just about "trustworthiness". Have you ever lost your keys before? How hard would it be to lose a USB thumb drive? I'm more worried about accidental loss or theft than I am about an employee copying down 1GB of proprietary data and doing something malicious with it.


mrdenny,

Are you saying that there are registry/GPO settings that will prevent the usage of USB mass storage devices solely? Or are you just referring to locking down a computer so that no USB device can be used?

=================
There are 10 kinds of people in this world, those that understand binary and those that do not.
 
There are certainly settings to prevent writing to a USB mass storage class device. Just as there are hacks to export data anyway using flash drives that present themselves as printer, still-image, video, or other USB device classes.

As usual, BOFH tactics serve to disenfranchise the legitimate user rather than provide any serious level of security.
 
mrdenny said:
2. There's a registry setting somewhere to prevent users from using them (check the Windows forum I think).

This setting is in HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. Set a DWORD named WriteProtect to "1" to disable writing to USB hard drives and sticks. It still allows writing to printers and sticks can still be read. I'm sure there are other ways around it, especially if your users run as admin and have unrestricted access to edit the registry...but no one would do that, right?
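The registry setting above can be audited and applied from an elevated PowerShell session. This is an added example, not code from the thread; it assumes Windows PowerShell 5 or later and only reports the state unless -Apply is given.

```powershell
# Added example: audit and optionally apply the
# HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
# setting described in the post above. Assumes Windows PowerShell 5+; -Apply
# needs an elevated (Administrator) session.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtectState {
    # Returns 'Enabled', 'Disabled', or 'NotConfigured' (key or value absent).
    if (-not (Test-Path $policyKey)) { return 'NotConfigured' }
    $value = (Get-ItemProperty -Path $policyKey -Name WriteProtect `
                  -ErrorAction SilentlyContinue).WriteProtect
    if ($null -eq $value) { return 'NotConfigured' }
    if ($value -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-UsbWriteProtect {
    # Creates the key if needed and sets WriteProtect = 1 (REG_DWORD).
    # As the post notes, this blocks writes to removable storage; reads still
    # work, and a user with local admin rights can simply change it back.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Run from an elevated (Administrator) PowerShell session.'
    }
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name WriteProtect -Value 1 -Type DWord
}

$before = Get-UsbWriteProtectState
Write-Output "WriteProtect state: $before"
if ($Apply -and $before -ne 'Enabled') {
    Set-UsbWriteProtect
    Write-Output "WriteProtect state after change: $(Get-UsbWriteProtectState)"
}
```

Run it without -Apply first on a few machines to see which ones already have the key, then with -Apply where the policy calls for it.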
 
First thing is to formalize a policy of not allowing the use of these devices or defining their proper allowed uses. That way even if you have not yet prevented them from being used (or someone hacks around the restriction you put in place), the person who did it can be disciplined.

You might consider if you want people to be allowed to use the devices in certain cases or not. I know people who use them to load PowerPoints or other files to carry offsite when doing a presentation where they will not have access to their normal work computer. If the person has a valid work reason to use these devices, a formal policy will still tell them what acceptable and unacceptable use of the device is, so that if they cross the line, they will be disciplined, yet their valid work use is still allowed.

Others use these devices to take work home because they do not have remote access from their home computers. Again, a policy needs to be thought out as to how to handle this. Should people be allowed to work from home? If so, what methods of file access are acceptable and what methods are not? Again you may have different levels of access. Perhaps for some people it would be preferable that they take the occasional file home to work on (as long as there is no data in it that is in a protected class such as Social Security numbers, salaries, etc.) than be given remote access. Perhaps everyone who works at home should be required to do so through VPN and files are never to leave the server. Perhaps some groups of people should not be allowed to work from home no matter what.

"NOTHING is more important in a database than integrity." ESquared
 
Thanks for posting the key Jet.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)

My Blog
 
Where I work, the PCs do not have CD drives. When I plugged in an external drive to take a CD-ROM course that management had arranged, I also had to get security adjusted so that I could read it.

I assume there are also limits on writing anything - necessary since we have a lot of personal information.

As you say, USB flash drives are a bigger menace, since they might be plugged in without being obvious.

------------------------------
An old man [tiger] who lives in the UK
 
This setting is in HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. Set a DWORD named WriteProtect to "1" to disable writing to USB hard drives and sticks. It still allows writing to printers and sticks can still be read. I'm sure there are other ways around it, especially if your users run as admin and have unrestricted access to edit the registry...but no one would do that, right?


Nice job. I'll be testing this one out over the holidays. If nothing else it gives some control back to the company and we can grant on an as-need basis.

=================
There are 10 kinds of people in this world, those that understand binary and those that do not.
 
Fortunately, the majority of our stations here are thin clients, so it's not too much of an issue.

Of course, if someone *really* wants to steal information, they'll just e-mail it to a gmail account or whatever.

I guess the thing that bothers me most is that often the IT department (read: me) is called upon to come up with a technological solution to counter a lack of employee training.

Case in point: When a certain report is filled out, notification goes to nursing. Simple enough. Unless the employee doesn't check the appropriate box that triggers the nursing notification.

I was asked yesterday why nursing wasn't getting notified, when they know that the report had been filled out because of certain events that had happened. After I pulled up my script, tested it, looked at it for a little bit, then went back to the original report did I realize that it wasn't a technology issue, it was a training issue.

Policies need to be in place to protect data, especially if you work in finance or health care. Without the policies, you, as an IT person, don't really have a leg to stand on. Training is also a consideration. I make it *very* clear in NEO (New Employee Orientation) about privacy laws, and things that are considered a "CLM" (Career Limiting Move). These include installing any unauthorized software, sending data outside of the corporation, or being on inappropriate sites.

Additionally, I'm a *big* one for audit trails. (I have to be, it's a HIPAA regulation.) So, when someone pulls up PHI (Personal Health Information), they have to be logged on to the domain to do it, and I have an audit trail of who looked at what and when. If there were a security leak, I can trace it back to the person who leaked it.

Fortunately, we haven't had that problem yet; but as they say, an ounce of prevention is worth a pound of cure.



Just my 2¢
-Cole's Law: Shredded cabbage

--Greg
 
gbaughma said:
I was asked yesterday why nursing wasn't getting notified, when they know that the report had been filled out because of certain events that had happened.

This is very much a training issue, and should be pushed back to the business. If reports need to go to nursing more often than not, perhaps the box should be checked by default, or a popup box that asks if it needs to go to nursing if it's not checked?

Training can only do so much. Some people simply don't want to bother to do their job.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)

My Blog
 
I think that gbaughma's issue is related to working in a medical facility. I worked in various hospitals for several years, and the one thing that everybody fought tooth and nail was technology. If I had a nickel for every time some nurse said to me "I'm a nurse, not a computer person" I could have retired at 33. My response was always, "Are you a stethoscope person? Are you a blood pressure cuff person? No, you're a person who uses those tools, so learn to use this one too."

I was constantly fighting with nurse managers who didn't want their people to have to think about what they were doing when it came to computers. I always tried to convey to management that at some point you're going to have to trust the people to do the right thing. If you try to engineer the human element out of your solution, then you'll get users who don't bother thinking about what they're doing, and then you'll get mistakes. Then you'll try to re-engineer it to make it even more idiot proof and some idiot will make another mistake. Like I said, at some point you have to assume that the person doing the work isn't a moron and will do things the way that they were taught to do them.
 
Doing the right thing is not a more common procedure for depts other than IT than it is for IT depts. Maybe that is the problem.

 
Bit off topic...

gbaughma, one thing every business needs to move away from is those darn TLAs (Three Letter Acronyms)... :) It seems people make stupid phrases these days just to fit an acronym.

In fact, talking of acronyms, our directors and marketing luurrvies decided to rebrand us a few years ago.

Which then ended up as

SCHIT MIS !

When we were told off for using the acronym, we used the full title, which usually resulted in someone collapsing in shortness of breath !

Now we are shock horror.... ITS (IT Support!)



Only the truly stupid believe they know everything.
Stu.. 2004
 