The Thumb-sucking Threat

Joe Wagner, senior vice president and general manager of Systems and Resource Management at Novell, explains the security implications of all those popular portable storage devices.

Thumb drives, media players and other portable storage devices have become widely accepted as tools that bring down costs while increasing employee mobility and productivity. For a mere $20, one can buy a USB device, easily transport data from a work computer to a home computer, and stay ahead of the game.

So small and seemingly innocuous, one rarely thinks about the security implications at hand; but the low cost and convenience of thumb drives could also introduce greater risk into the enterprise. The physical size and large storage capacity of these devices make them a potential data breach time bomb. For example, if a thumb drive containing business files is lost and lands in the wrong hands, there could be severe consequences. Even more terrifying is the potential for a malicious attack using these inconspicuous devices. In minutes, a rogue user can load proprietary files onto a thumb drive unnoticed and potentially expose a business to a massive data breach.

These acts can be referred to as thumbsucking - the intentional or unintentional use of a portable storage device to download confidential data from a network endpoint. It is one of the top causes of security breaches, yet it has garnered little attention while the threat continues to grow. According to the Identity Theft Resource Center, the number of publicly reported data breaches in the United States rose by more than 40 percent in 2007. However, even with fears at an all-time high, very few companies have put direct controls and policies in place to prevent these attacks on the endpoint.

Stay in Control

Thumbsucking is a huge threat companies face due to the proliferation of portable storage devices. As people increasingly use media players, BlackBerrys and external hard drives for personal and business needs, each device becomes both a friend and foe to the modern-day corporation. In fact, a 2008 Applied Research-West survey found that workers born after 1980 are 200 percent more likely to have corporate data on their storage devices. This threat becomes even more prominent when devices are not company-owned or issued, but can still be used to store and transport sensitive corporate data, leaving no audit trail or trace of what's been taken. Without control, portable storage devices present four major threats to the enterprise:

1.) They can allow users to bypass the perimeter and introduce malware into the enterprise.

2.) They can allow internal users to remove confidential information such as financial files, health records, and other intellectual property from the organization.

3.) They can bring unwanted or unauthorized programs onto the network.

4.) They are incredibly easy to lose!

The Great Enforcer

Knowing these threats exist, naturally the next question is, "What can a company do to prevent them from occurring?" Some companies have resorted to banning portable storage devices altogether, while others have used glue guns to seal off their USB ports. Neither of these options is optimal, but something does need to be done. The following three steps can help a company protect its data from the thumbsucking threat:

Step One: Policy

The first step to maintaining protection is to establish clear policies for which devices are allowed and which are not. It's more effective to define and set policies rather than enforce blanket prohibitions. While some IT administrators may want to block portable storage devices completely, many organizations need more granular control over their USB ports. Using software, IT administrators can white-list specific devices, or make the devices read-only. They can also dictate which people or organizational roles can use portable storage devices, create exceptions to the rule, or permit USB access based on certain device serial numbers. This policy-based approach allows employees to use authorized portable storage devices without the threat of a malware attack or data breach.

Step Two: Enforcement

Once the policies are set, the next step is to actually enforce the security practices. It's not wise to set policies and then forget them; ultimately, users will find a way around the controls. IT organizations need an automated way to monitor the endpoints to make sure the set policies are being followed, and to determine who is using these devices and which files have been transferred to them. In an age of increasing regulation and compliance, an enterprise must maintain an audit trail of user activity. With ongoing monitoring, this audit information can also help managers assess the risk if particular portable storage devices are lost or stolen.

Step Three: Encryption

Considering the primary goal is to protect data on these portable storage devices if they are lost or stolen, it is imperative to encrypt the data when it is written to these devices. While organizations need to ensure that all files copied to a storage device are encrypted, they also need to provide the ability for the data to be decrypted and shared with authorized parties. An automated policy-based approach to encryption adds another layer of security, without slowing down the business.
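The three steps above describe what an endpoint agent on the USB write path has to do. As an added example, not part of the article and not Novell's or any vendor's product code, here is a small Go model of such an agent: a Step One policy (allow-list by device serial, roles permitted to write, per-user exceptions), a Step Two audit trail that records every attempted transfer whether allowed or refused, and Step Three encrypt-on-write using AES-256-GCM from the Go standard library. The device serials, user names, roles, file names, and the 32-byte key are constructed sample values; `Agent`, `Policy`, `Auditor` and `Encryptor` are hypothetical names chosen for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"time"
)

// Device is the identity an endpoint agent reads from the USB descriptor.
type Device struct{ VendorID, ProductID, Serial string }

// Access is the outcome of a policy decision.
type Access int

const (
	Deny      Access = iota // device not allow-listed or user explicitly blocked
	ReadOnly                // device allowed, but nothing may be written to it
	ReadWrite               // device allowed and the user's role may write
)

func (a Access) String() string { return [...]string{"deny", "read-only", "read-write"}[a] }

// Policy is the Step One ruleset (hypothetical structure, constructed here).
type Policy struct {
	AllowedSerials map[string]bool   // device allow-list keyed by serial number
	WriteRoles     map[string]bool   // organizational roles allowed to write
	Exceptions     map[string]Access // per-user overrides of the other rules
}

// Decide applies the rules in order: user exception, device allow-list, role.
func (p Policy) Decide(user, role string, d Device) Access {
	if a, ok := p.Exceptions[user]; ok {
		return a
	}
	if !p.AllowedSerials[d.Serial] {
		return Deny
	}
	if p.WriteRoles[role] {
		return ReadWrite
	}
	return ReadOnly
}

// AuditEvent is one line of the Step Two audit trail: who, which device, which file.
type AuditEvent struct {
	When     time.Time
	User     string
	Serial   string
	File     string
	Bytes    int
	Decision Access
}

// Auditor keeps every attempted transfer, including refused ones.
type Auditor struct{ Events []AuditEvent }

func (a *Auditor) Record(e AuditEvent) { a.Events = append(a.Events, e) }

// Encryptor is Step Three: AES-256-GCM, with the random nonce prefixed to the
// ciphertext so an authorized party holding the key can decrypt the blob later.
type Encryptor struct{ aead cipher.AEAD }

func NewEncryptor(key []byte) (*Encryptor, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Encryptor{aead: aead}, nil
}

func (e *Encryptor) Seal(plain []byte) ([]byte, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return e.aead.Seal(nonce, nonce, plain, nil), nil // nonce || ciphertext+tag
}

func (e *Encryptor) Open(blob []byte) ([]byte, error) {
	n := e.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return e.aead.Open(nil, blob[:n], blob[n:], nil)
}

// Agent is the hypothetical endpoint component sitting on the device write path.
type Agent struct {
	Policy Policy
	Audit  *Auditor
	Enc    *Encryptor
}

// CopyToDevice enforces the policy, records the attempt, and returns the
// encrypted bytes that would actually be written to the device.
func (ag *Agent) CopyToDevice(user, role string, d Device, name string, data []byte) ([]byte, error) {
	decision := ag.Policy.Decide(user, role, d)
	ag.Audit.Record(AuditEvent{time.Now(), user, d.Serial, name, len(data), decision})
	if decision != ReadWrite {
		return nil, fmt.Errorf("write of %s to %s by %s refused: %s", name, d.Serial, user, decision)
	}
	return ag.Enc.Seal(data)
}

// DemoAgent builds an agent from constructed sample policy and a constructed demo key.
func DemoAgent() (*Agent, error) {
	enc, err := NewEncryptor([]byte("constructed-32-byte-demo-key!!!!")) // 32 bytes, sample only
	if err != nil {
		return nil, err
	}
	p := Policy{
		AllowedSerials: map[string]bool{"SN-CORP-0001": true},
		WriteRoles:     map[string]bool{"finance": true},
		Exceptions:     map[string]Access{"contractor": Deny},
	}
	return &Agent{Policy: p, Audit: &Auditor{}, Enc: enc}, nil
}

func main() {
	ag, err := DemoAgent()
	if err != nil {
		panic(err)
	}
	corp := Device{"vid-sample", "pid-sample", "SN-CORP-0001"}
	personal := Device{"vid-sample", "pid-sample", "SN-UNKNOWN"}
	blob, err := ag.CopyToDevice("alice", "finance", corp, "q3-forecast.xlsx", []byte("constructed file contents"))
	fmt.Println("finance user, corporate stick:", len(blob), "encrypted bytes, err:", err)
	_, err = ag.CopyToDevice("bob", "sales", personal, "customers.csv", []byte("constructed file contents"))
	fmt.Println("sales user, personal stick:", err)
	for _, e := range ag.Audit.Events {
		fmt.Printf("%s user=%s device=%s file=%s bytes=%d decision=%s\n",
			e.When.Format(time.RFC3339), e.User, e.Serial, e.File, e.Bytes, e.Decision)
	}
}
```

The point the model makes is that the three steps are not independent: the encryption key and the write decision live in the same component, so a file can only reach the device already encrypted, and every attempt, allowed or not, leaves the audit record the compliance argument needs. A real agent would key the allow-list on vendor and product IDs as well as serial, and would hold the key in an escrow the organization controls so authorized parties can decrypt a lost device's contents.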

Keeping Secrets

Business is evolving with the mobile landscape - employees are working out of the office, on the road and from home. Portable storage devices can certainly enhance productivity in this mobile world, but it's crucial to recognize the potential security risks at hand. The best way to promote productivity and keep secrets safe is to define what employees can do with these devices, enforce corporate rules on usage, automatically encrypt information, and continuously monitor device use and transfers. These comprehensive, policy-based steps can help businesses protect themselves against the thumb-sucking threat.

Copyright © 2008 IDG Communications, Inc.
