Few can imagine going back to a world without tools for mobility. The ability to access and process digital information with laptops and other handheld devices has forever changed our lives. The ubiquitous use of such devices, however, has suddenly created an Achilles' heel for data security. That danger springs from the innocuous USB port, and any other plug-in interface used to transfer files to and from external storage devices.
USB: A new vector for data leaks
The Universal Serial Bus (USB) port and cousins such as FireWire, IDE and Bluetooth offer plug-and-play connections to many peripherals, including storage devices. Any storage device plugged into a computer's USB port becomes an instant vector for data leakage outside an organization's usual security controls.
For example, digital music players can host huge quantities of MP3 files – and hold files in any other format such as word processing, PDF, spreadsheet, database, photo or multimedia. USB memory sticks do the same thing. Digital cameras also can store files. So can cell phones, portable hard disks and personal digital assistants.
Danger arises from operating systems that always recognize and authorize any USB-connected storage device the instant it is plugged into an enterprise endpoint. Danger can also flow in the other direction when newly attached storage devices send virus-infected files or malicious applications onto the endpoint device – and potentially throughout the enterprise network.
How USB exposes endpoints to leaks
All major operating systems support the USB interface standard. Its creators intended to ease the interconnection of PCs and laptops with peripheral devices. Its hallmark is automatic recognition of any device that is plugged into a USB port without requiring a user to intervene with mouse clicks or keyboard commands. USB has become commonplace for keyboards, printers, televisions, home stereo equipment, video game consoles and storage-related devices.
In the typical enterprise, employees and contractors frequently plug personal storage devices into their work PC to transfer document or music files, trade wallpaper images or transmit digital photos over faster broadband links to the internet. Their intent may be innocent. But the ability to also siphon off corporate data from an endpoint through the USB port onto an external storage device places organizations at considerable risk of undetected data leaks, and exposure to malicious files.
A flash drive can store up to 16 gigabytes of data. When plugged into a PC or laptop, the USB flash drive appears to a user exactly like another internal drive on the endpoint computer. This plug-in capability combined with its petite size make a flash drive ideal for sneaking out sensitive data from the enterprise. The flash drive is not the only USB device capable of swift and secret data theft. Users may employ any of the USB storage devices mentioned above for the same purpose.
Stealing data with USB storage does not require a long script. One simply plugs the USB storage device into a USB port, fires up Windows Explorer and drags target files onto the storage device. This action can be performed by a malicious insider, or even a well-meaning insider who is trying to do their job but is unaware of security policies that might otherwise prevent a data leak.
One of the most popular USB storage devices is the iPod multimedia player from Apple. Consequently, some people have coined "Pod Slurping" as a hip term for transferring files to a USB storage device.
A synonymous term is "camsnuffling," which applies to using a digital camera to photograph documents or objects and then transfer them to an unauthorized recipient. Likewise, "bluesnarfing" entails stealing data from a wireless device through a Bluetooth connection.
Whatever the term, it's very easy to move digital files from an endpoint to a USB storage device. These transfers are usually undetected by enterprise security controls.
Strategies for controlling USB data leaks
A standard corporate desktop PC may have up to eight USB ports. Some are required for peripherals such as a keyboard or security token reader, but there are usually one or more unused ports. By default, USB ports are "always on," ready to serve any USB-enabled device that is plugged into the endpoint computer.
An enterprise may chose to disable USB via the Windows Group Policy and an ADM template. Unfortunately, this capability does not provide administrators with granular control. It's all or nothing, so all USB ports on an endpoint are either available or not. And since most endpoints now require USB for mandatory peripherals, this control is practically useless.
One alternative is physical restraint of unused ports. A popular urban myth in IT circles involves the injection of epoxy glue into unused USB ports, but it's hard to imagine inflicting such permanent damage on expensive business equipment. Some vendors sell plug-in USB "locks" to physically secure unused ports. The physical blocking strategy will do little, however, to stop a user with malicious intent from simply unplugging an existing USB peripheral and inserting their unauthorized storage device in its place.
Using software to control USB ports makes better sense due to the overwhelming number of ports requiring control. Software can provide a centrally managed, policy-driven port security system to a system administrator for granular control of USB access to endpoints. Capabilities could deny all access (black list), provide read-only access or allow full authorized access (white list). It is important that these controls not impose significant changes to end user behavior.
Automated USB filtering capabilities can watch the inflow and outflow of files. Conceivably, an organization could automate policy for the copying of files from corporate devices through USB or other interfaces. It could also restrict transfer of files from external storage devices onto organization-owned devices. Filtering capabilities can also prevent the transfer of files with malicious content from storage devices onto enterprise endpoints.
Finally, software should provide centralized management, auditing and alerting. For purposes of compliance with privacy and security laws and regulations, software should also track and document the flow of specific data files or types of plug-and-play devices used within the organization – with no further impact to user behavior.
In summary, USB is data security's Achilles' heel because it is woven into the fabric of tools for mobility. The need for USB means it will be ubiquitous – and so will its ability to facilitate data leaks to attached storage devices and inflows of malicious files. Those risks will not disappear unless organizations implement specific software-based controls governing access and use of each and every USB port in the enterprise.
- Peter Larsson is CEO of Pointsec Mobile Technologies, Inc.
