Portable Storage Devices: Cool Tool or Covert Threat?
It seems like they are everywhere now — from the iPod in the coat pocket to the USB flash drive on the keychain. They can store gigabytes of data and transfer it quickly and easily. For these reasons they serve as extremely useful tools for users and administrators who want to transfer data between systems. And that is exactly the reason they should be treated as a potential security breach on any firm’s network or standalone computers.
The chief concerns regarding these devices are twofold. The first is the introduction of unauthorized software (at best a copy of WinZip or something similarly benign; at worst the intentional or unintentional installation of a virus, trojan, etc.). The second is the unauthorized removal of firm data from the corporate network. Both concerns are compounded by the fact that the devices themselves are relatively small and not always recognizable as data storage devices, and that many, if not most, organizations have no formal policy governing their use on the network. Triggering either scenario is as easy as plugging the device into an available USB port on any computer.
The question then becomes, “How do we protect ourselves?” Recently, this threat has been identified as a serious issue and many companies have taken steps to mitigate it in their environments. The first step logically is to define a specific policy that provides guidelines for acceptable use (or prohibition of use) of portable storage devices on firm computers. One must take into account that the portability of the devices can make them prone to theft or misplacement as well. All of this would lead to the notion that the security policy should also incorporate elements of general security awareness. Users may then think twice about putting confidential information on a portable storage device and leaving it unattended at their desk or in their coat pocket in the reception coat closet at opposing counsel’s office.
Policy, however, should be only one of multiple tiers of safeguards employed to protect against the misuse of portable media. Restricting the devices themselves is another ounce of prevention that IT departments should consider in mitigating this threat. In Windows environments, unfortunately, it was impossible to do this without third-party software — even in XP, until the recent SP2 release. Microsoft has heard the call from organizations for a means within the OS to restrict portable storage, and has introduced a new registry subkey in SP2 that allows USB storage devices to be marked read-only. There are third-party vendors that ship group policy software that can restrict these types of devices network-wide as well.
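The article does not name the SP2 subkey it refers to. The following PowerShell script is an added example, not code from the article or its author; it assumes the StorageDevicePolicies key with its WriteProtect DWORD value, which is the write-protect control that XP SP2 introduced, and it must be run from an elevated prompt. It audits the current state, enforces read-only access to USB storage, and audits again, which is the check an administrator would want before and after rolling the setting out.

```powershell
# Added example (not from the article): enforce and audit the XP SP2 write-protect
# policy for USB storage. Assumption: the subkey is StorageDevicePolicies and the
# controlling value is the WriteProtect DWORD (1 = read-only, 0 = read/write).
# Requires an elevated (administrator) PowerShell session.

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtectState {
    # Returns 'Enforced', 'Disabled' or 'NotConfigured' based on the registry state.
    if (-not (Test-Path $PolicyKey)) { return 'NotConfigured' }
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect' `
                -ErrorAction SilentlyContinue).WriteProtect
    if ($null -eq $value) { return 'NotConfigured' }
    if ($value -eq 1) { return 'Enforced' }
    return 'Disabled'
}

function Set-UsbWriteProtect {
    param([bool]$Enabled = $true)
    # The key is absent on a default install, so create it before writing the value.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -Type DWord -Value ([int]$Enabled)
}

# Audit, enforce, audit: the second reading should report 'Enforced'.
"Before: $(Get-UsbWriteProtectState)"
Set-UsbWriteProtect -Enabled $true
"After:  $(Get-UsbWriteProtectState)"
```

Two caveats worth noting. This setting addresses only the second of the article's two concerns: it stops data from being written to the device, but a read-only drive can still be read from and its contents executed, so it does nothing against unauthorized software arriving on the stick. It is also a machine-wide registry value that any local administrator can reverse, which is why the article is right to treat it as one tier alongside policy and the network-wide group policy tools it mentions; verify the behaviour on a test workstation with a device attached after the change before deploying it more widely.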
In summary, this not-so-new threat is just coming to the forefront of many IT managers’ minds as something that can’t be back-burnered any longer. With compliance legislation such as HIPAA, Sarbanes-Oxley and the like, it is something that firms cannot afford to ignore. Fortunately, industry is coming around and advancements in software and operating systems finally seem to reflect this very real threat and are providing means to limit and control it in the network environment.
About our author . . .
Mark Fermin is Network Administrator of Kirkpatrick & Lockhart Nicholson Graham LLP. Mark can be reached at mfermin@klng.com.