USB drives- Prohibit, audit or ignore?
August 25, 2009 5:33 AM

USB Drives in the sensitive data workplace. Should they be banned, audited or ignored. What is the best way and how to do it?

Assuming a workplace with protected data, how should one best address USB drives? Optimally they would be banned outright at the port, but if that is not an option, what else can be done? Can they be audited with a bit of software that would audit their use and even the items on the drive used? Encrypted thumb drives don't solve the virus issue, but maybe an audit software would only let docs and not executables to be run from the drive. (bonus points for a solution that addresses backing-up/data capture off the USB drive)
posted by BrodieShadeTree to Technology (22 answers total) 3 users marked this as a favorite
How sensitive is the data? That should drive your decision.

You can ban them outright, on windows clients, by using group policy.

I'd think the hassle of auditing would quickly outweigh their usefulness. I have no rec's here.

As for the virus issue, you should enforce mandatory client side scanning if you allow any outside media on your network (cd-roms, usb devices, etc) at minimum.
posted by anti social order at 5:42 AM on August 25, 2009


The DOD bans them completely, for what that's worth.
posted by rokusan at 5:45 AM on August 25, 2009


My office (mid to small size financial firm in NYC) bans them as well. Not sure exactly how, though... I think it's with group policy as aso said above..
posted by Grither at 5:46 AM on August 25, 2009


Ban. Make an individual account on-line file transfer option available, and let them know that you keep track of everything that they put in and take out. It's easier to scan for things you don't want walking out (sensitive data) or in (viruses) at a server level than desktop.
posted by a robot made out of meat at 5:47 AM on August 25, 2009


I sometimes work in an office with a policy/system as ARMooM describes. They call it "the checkout server".

Files are scanned when "checked in" (put on server) and "checked out" (downloaded from).
posted by rokusan at 5:58 AM on August 25, 2009


You can pretty much make them useless by using up all the drive letters with network drives. The work computers only have one drive letter that is unassigned and if it was used by another network drive, a usb drive wouldn't work.
posted by JJ86 at 5:59 AM on August 25, 2009


Some group policy settings are bypassable and some flash drives appear to the system as CD/DVD devices and not flash drives. The only 100% reliable way of blocking flash drives is to fill in the USB slot with epoxy.
posted by Rhomboid at 6:15 AM on August 25, 2009


And, a much more straightforward method would be to just stick a linux liveCD boot image on a thumb drive, reboot the computer, and proceed to copy any desired files from the local hard drive(s). This can be prevented only if the BIOS is configured to disallow booting from USB and if it's also password protected -- how many office setups have you seen where that's the case? But even that is not absolute: an employee could just take the case off and short the CMOS memory reset jumper. Essentially if you have physical access to a machine all bets are off.

[And yes, this is all very abstract and bordering on tinfoil hat-ish. If you want the 99% solution just use the group policy tool and be done with it. All I'm trying to point out is that if you really want to prevent industrial espionage as opposed to accidental copying, you really have to do a lot more than just GPO.]
posted by Rhomboid at 6:32 AM on August 25, 2009


First disable autorun/autoplay. Second, disable usb drives themselves. You can do both using group policy. This will stop 99% of it. The last 1% can be dealt with with non-technological means (firing).
posted by damn dirty ape at 6:46 AM on August 25, 2009


No matter the OS you use, the only system that will be secure with physical access is a thin client, and even then privilege escalations are frequently found in WIndows.

If you use the drive letters up with network drives like suggested above, what happens when the machine is off the network? (also, I can't say I would be surprised if Windows could not mount a new drive if the letters of the alphabet were used up, but I also think that is very stupid if it is the case).

A meatspace rule seems to make more sense in this sort of case than technological impediment. If you can't handle viruses/trojans or you can't risk employees taking data home with them, a strict no usb key solution seems the only option.
posted by idiopath at 6:48 AM on August 25, 2009


Before you enact this policy, might want to write down exactly what your goals are.

If you want to reduce the exposure of viruses and trojans delivered accidentally, or prevent clueless employees from accidentally taking files home, then this will help.

But if you're trying to prevent espionage, it's only a minor inconvenience to someone knowledgeable who has physical access, especially if the machines have any kind of network access.
posted by qxntpqbbbqxl at 7:00 AM on August 25, 2009


FYI - you can mount media as folders or network locations, not just as 'drive letters' so that's not a solution. No "AA: drive" but still accessible.

a much more straightforward method would be to just stick a linux liveCD boot image on a thumb drive, reboot the computer, and proceed to copy any desired files from the local hard drive(s)

Full disk encryption is the standard protection against that issue. Also protects against data loss if someone walks out the door with a system under an arm.


I recommend you implement the windows group policy and take Rhomboid's physical solutions suggestion a step farther and disconnect power cables to the CD/DVD and unhook external USB connectors from the PC case. The integrated USB slots around back are a risk but I like the epoxy solution along with disabling in bios.
posted by anti social order at 7:05 AM on August 25, 2009


On the computer network in the Israeli army, they physically block USB and disk drives. In order to transfer information into the system, you use a gateway computer which is limited to authorized users and which tracks what is transferred in.
Although if your systems are connected to the internet, you would essentially be closing the windows but leaving the door wide open...
posted by eytanb at 7:08 AM on August 25, 2009


IF you have physical access to the inside of the box, unplug the ports on the front and epoxy the ports on the back. That way, if there is some sort of special issue, they can be reenabled.
posted by TomMelee at 7:30 AM on August 25, 2009


use group policy to block them at a software layer. physical blocks are also a good idea.

you probably want to set up group policy anyways to limit what your computers with sensitive info can do, anyways.

as for the internet access, you probably want other controls on internet access/filtering. (filtering proxy, ideally an application layer proxy so you can't tunnel things through port 80)

yes, a dedicated person with appropriate physical access and sufficient technical skill can probably bypass it, but that doesn't mean you shouldn't block it as best you can.
posted by rmd1023 at 8:21 AM on August 25, 2009


Full disk encryption is the standard protection against that issue.

It's the standard protection against a random third party stealing the workstation (or just its hard drives.) It's not any kind of protection against a worker funneling company data outside the office because they must by definition know the password to boot and therefore use their workstation. And with that they could just mount the encrypted volumes using the livecd.
posted by Rhomboid at 9:02 AM on August 25, 2009


Really what is the point? besides USB drives there are plenty of ways to transfer sensitive data... print it out, burn a CD, email the files, Copy onto floppies...Steal the HD, or just 'borrow' it overnight... Encryption is great unless you are an authorized user, who should have access, and thus could copy anything.
posted by Gungho at 9:34 AM on August 25, 2009


The point is that many drives are infected and set to run the infection with autoplay/autorun. So a lot of users just click "OK" and run an infection. Then all the USB drives put in since then get infected the same way. Its a pretty major malware vector now.

With email theres attachment scanning before it even gets to the local machine, so theres slightly more protection.
posted by damn dirty ape at 9:39 AM on August 25, 2009


You need a data loss prevention solution. This is usually an agent on the client that compares data in motion with 'fingerprints' of sensitive data and/or key terms. This will prevent your sensitive data from being transferred to portable media except in those instances where you allow it. Most have auditing capabilities, administrative bypass, end user justification, encryption suggestion prompts and lots of other good stuff. Some starting points:

Definition from Wikipedia
Products I've done some resarch on which may or may not meet your needs:
Websense
Vontu
Leakproof
There are many others out there. It's a field that is starting to experience some consolidation, but still has a lot of niche players. Gartner did a good report that you may want to look up.
posted by IanMorr at 10:19 AM on August 25, 2009


The question is, how paranoid do you need to be? I want to present another scenario to banning:
If you basically think that USB sticks are a useful way to transfer data, but you want to make sure that an accidentally misplaced stick will not be a 'leak', you have to go with fully encrypted thumbdrives. You can go with truecrypts traveller mode for free, but then truecrypt must be installed on all used computers or the user will have to have local admin privileges (aaaaargh, no!). Or you can use a "hardware" encrypted thumb drive,where the application can be run by unprivileged users. Many, many so called encrypted USB sticks are not very safe at all. The only (expensive) solution I have heard good things about is IronKey.
posted by mmkhd at 2:36 PM on August 25, 2009


Really what is the point? besides USB drives there are plenty of ways to transfer sensitive data...

there are plenty of ways for a thief to get into my house. what's the point of locking my door?

you can't block everything, but you can make it substantially harder and thus reduce your threat exposure. honestly, from a tech standpoint, a lot of the PCI requirements come down to making sure that you've blocked as many of the easy paths as possible.
posted by rmd1023 at 9:44 PM on August 25, 2009


At the company I work for, we use a Pointsec solution. Whole-drive encryption, and every time a USB device (with storage potential) is inserted, Pointsec pops up and encrypts the drive.

I think this is a good balance between trying to completely block USB usage, and keeping data secure.

It's not possible to get at files on the encrypted drive by booting from a USB thumb since the drive is encrypted. The USB stick gets encrypted, and is also usable on non-company computers; it simply runs a small program to decrypt the data.
posted by dwbrant at 9:30 AM on August 26, 2009


« Older Plates...?   |   Lets go fly a cheap, homemade kite Newer »
This thread is closed to new comments.