



IBM and thumb drives: epoxy or beacons?

May 14, 2018 | 4 mins
Computers and Peripherals, Data and Information Security, Network Security

Banning thumb drives and removable media will not stop the loss of sensitive data files. Beacons that track the content of thumb drives are a far more sensible way to reduce data loss.


IBM recently announced a startling company-wide policy for all of its employees that bans use of removable storage devices. It seems remarkable that this policy was announced in 2018. The Department of Defense (DoD) banned removable media more than a decade ago, in 2008. While DoD has functioned just fine without them, its data loss problem hasn’t gone away. I predict that IBM’s problem won’t disappear either.

Will the policy stop the loss of sensitive documents? Why did it take a commercial industry giant 10 years to get the message? I don’t expect it to solve the loss of corporate secrets overnight. There are just too many thumb drives all over the place. But there is another way to think about solving the problem.

What prompted the new IBM policy?

Removable storage devices pose two well-known security problems. Infected thumb drives can introduce malware into corporate networks in the blink of an eye, even with EDR capabilities onboard the target machine. There is a long history of USB sticks serving as a convenient threat vector. However, another problem is clearly more prominent.

The core message is that any organization is blind to its own document flows when thumb drives are allowed. Writing a document to a thumb drive prevents the network IDS and DLP systems from observing its exfiltration. Visibility and control are lost. The policy intends to avoid both problems, malware injection and data loss, but it’s doubtful everyone will adhere to it. Convenience is just too hard to give up.

Epoxy or Beacons?

DoD is an existence proof that the policy doesn’t quite make sense and that it failed to solve the problem of data loss. Government systems continued to lose a great deal of sensitive data via removable media, as widely reported in a number of news stories. One of the most recent involves an alleged illegal exfiltration of sensitive information, apparently via removable media, by a former Air Force veteran and NSA contractor.

But of course, thumb drives are not the only risk. A plethora of security architecture failures make exfiltration far easier via the cloud. Sensitive data from the US Army and NSA were discovered on the cloud just last year. How this classified data might have escaped isn’t clearly reported. Solving the thumb drive exfiltration problem has its merits, primarily by reducing unintended losses by non-malicious insiders. But it is not a failsafe solution. The cloud is still a far more convenient conduit for data loss.

Some have advised a number of “technical” ways to enforce the DoD policy on government systems, including BIOS setting configurations (not easy) and user behavior analytics (UBA) techniques (it is doubtful that USB document writes are easily observable from a network log). If all else fails, the non-technical advice is to shoot epoxy into the USB ports on government machines, irrespective of the loss of maintenance contracts for the altered devices, not to mention the costly maintenance nightmare. The epoxy solution will certainly solve the problem, although it could get a bit messy for flash drive ports. The technique may work, but there is a simpler and more effective solution. I’ve been writing about beacons recently, essentially GPS for your data and your thumb drives. My advice is to beaconize all documents.

Beacons: GPS for your thumb drive

There is a very good chance data loss via thumb drives is preventable if you focus on tracking the data itself. The data can be tracked and protected with beacons when writing documents to a thumb drive.

A beaconized document signals when it is rendered by its native application. That signal is key to knowing whether a document has been exfiltrated and opened outside of its security envelope. Intercepting documents written to thumb drives and injecting beacons into them—or even better, beaconizing all documents in the file system—provides a simple means of tracking sensitive documents no matter where they go and how they may escape. The beacons injected into documents will be conveniently carted away in a pocket or backpack, providing visibility on where the documents go.
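The defender's side of the idea above, as an added illustration that is not the author's or Allure Security's code: a beacon callback log is matched against a registry of beaconized documents, and any document rendered from an address outside the organization's security envelope is raised as an alert. The registry, address ranges and log lines are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed registry: beacon id -> document the beacon was injected into.
BEACON_REGISTRY = {
    "b-1001": "Q3-roadmap.docx",
    "b-1002": "payroll-export.xlsx",
    "b-1003": "incident-postmortem.pdf",
}

# Security envelope: address ranges where rendering a document is expected (assumed values).
SECURITY_ENVELOPE = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed beacon callback log, one record per document render.
SAMPLE_CALLBACKS = """\
2018-05-14T09:12:01Z beacon=b-1001 src=10.4.17.22 app=winword
2018-05-14T13:40:55Z beacon=b-1002 src=203.0.113.45 app=excel
2018-05-14T13:41:10Z beacon=b-1002 src=203.0.113.45 app=excel
2018-05-15T02:07:33Z beacon=b-1003 src=198.51.100.7 app=acrobat
2018-05-15T08:00:00Z beacon=b-9999 src=10.1.1.1 app=winword
"""

@dataclass
class Alert:
    beacon: str
    document: str
    src: str
    first_seen: str
    count: int

def parse_callback(line):
    """Split a 'timestamp key=value ...' record into (timestamp, beacon, src, app)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["beacon"], kv["src"], kv.get("app", "?")

def inside_envelope(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SECURITY_ENVELOPE)

def triage(log_text, registry=BEACON_REGISTRY):
    """Return (alerts, unknown): alerts for beacons fired outside the envelope, grouped by
    (beacon, source address); unknown lists beacon ids that were never issued."""
    alerts, unknown = {}, []
    for line in log_text.splitlines():
        ts, beacon, src, _app = parse_callback(line)
        if beacon not in registry:
            unknown.append(beacon)  # callback for a beacon we never issued: investigate separately
            continue
        if inside_envelope(src):
            continue  # rendered inside the envelope; expected behaviour
        key = (beacon, src)
        if key in alerts:
            alerts[key].count += 1
        else:
            alerts[key] = Alert(beacon, registry[beacon], src, ts, 1)
    return list(alerts.values()), unknown
```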

So, until all thumb drives are finally eradicated (although they are just too convenient to be thrown away), or all IBM machines ooze globs of hardened epoxy from their USB ports, beacons can afford a level of protection and safety from data loss in a convenient and easy-to-use security mechanism. At least one can know where the thumb drive and its stored documents went. And surely IBM’s policy, doomed to fail, wouldn’t be necessary.


Salvatore Stolfo is a tenured Columbia University professor, teaching computer science since 1979. He is the co-founder and CTO of Allure Security, a DARPA-funded cybersecurity startup specializing in data protection and the prevention of data breaches.

Dr. Stolfo is a people-person. And that makes him unique in a field where folks focus on making machines. As professor of artificial intelligence at Columbia University, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Early in his career he realized that the best technology adapts to how humans work, not the other way around.

Dr. Stolfo has been granted over 75 patents and has published over 230 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining, computer security and intrusion detection systems. His research has been supported by numerous government agencies, including DARPA, NSF, ONR, NSA, CIA, IARPA, AFOSR, ARO, NIST, and DHS.

See his full academic bio at Columbia University for more background.

The opinions expressed in this blog are those of Salvatore Stolfo and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.