0908 pod slurping

Portable media devices are being used to lift corporate data, but there are tools to defend against this practice, reports Deb Radcliff.


Two years ago, the 17,000-member South Western Federal Credit Union (SWFCU) began hearing about internal data breaches among peer institutions and began to overhaul its data protection measures. The result is a locked-down organization where critical data is blocked from being copied outside the protected boundaries – particularly through USB ports.

“I needed something that went beyond our employee-signed policy that would block users from trying to download data onto any type of media, including USB devices,” says Miriam Neal, vice president of information systems at SWFCU.

Insider threat has been rising steadily, making USB ports a tempting target for insiders and business partners looking to make a profit in a tough economy, say experts. This concern is especially acute given recent reports of iPods, flash drives and other portable media devices being used to pull data off endpoints without being noticed, a process called pod slurping or thumb sucking.

It's pretty easy to set up rules to block use of USB-connected devices with today's native system and endpoint security tools, says Chenxi Wang, principal analyst at Forrester Research. The trick is protecting against misuse without disabling the business by blocking all USB devices outright.

Insiders and partners compromised 562,500 records, whereas external attacks amounted to only 30,000 breached records, according to a four-year study of 500 breach investigations conducted by Verizon Business Services.

No statistics are available for how many of these records are leaking out of USB ports. However, an April survey conducted by thumb drive encryption vendor SanDisk shows that 77 percent of 100 end-users surveyed use USB storage devices for work-related purposes.

Forrester's Wang advises organizations to start with the low-hanging fruit, then work up to a full data protection policy.

In the short-term, start out with strict portable media device policies, she says. In the mid-term, put agents on desktops and databases to scan, classify and tag data that can or cannot leave the organization, she continues. In this way, control over all leak points can be achieved without hindering productivity.

“Blocking everything is easy,” adds Ben Rothke, senior security consultant with British Telecom. “The downside is you lose the convenience of adding extra business devices, such as printers and smart devices, when the business requires.”

Endpoint tools today are more fine-grained in what data types can be loaded, what users can load to USB storage devices, and what types of devices can plug into the USB port, Rothke continues. However, they require an organization to know their user base and their data usage better than they do now, he adds.

Start at the database by controlling and monitoring access, since the data must first be drawn from the database to the endpoint before it can pass through the USB port, says Phil Neray, vice president of Guardium, a database activity monitoring company. Set simple controls, such as manager sign-off on downloads of over 10 records, he adds.

“A lot of our customers have policies in place about what people are allowed to see and download and store on their local machines,” he says. “What's lacking is a way to automate that to any degree of granularity.”

Take that granularity to an Excel file, explains Nick Stamos, president of Verdasys, a data leak prevention (DLP) vendor. Most companies run Excel, he says, yet no analyst is going to write a custom application saying ‘you may view this row and column, but not this one.’

Endpoint controls in today's tools give organizations the ability to apply policies to file types, devices and/or user groups. Using file types, PDFs might be allowed onto portable devices, but not Visio files, because engineering uses Visio, which indicates intellectual property. A group policy might state that finance can't load to any USB storage devices, while marketing can because those employees need to take customer data on calls.

Pasadena Federal Credit Union (PFCU) takes a device-centric approach to USB port management. It installed TriGeo's USB Defender agents on the company's 52 workstations to block all storage device connections, with the exception of specific registered devices.

“We have six Federal Reserve Bank assessors needing unfettered access through their secure token devices, so we allow those tokens that are identified by their serial numbers,” says Mike McDanell, information security officer at the PFCU. “Also, our organization's top executives have smart phones, and we allow those executives to plug them in.”

The other important function that endpoint tools provide is reporting. For instance, TriGeo logged and reported when an iPod tried to plug into an internal computer after hours. McDanell looked at the video camera output during the time TriGeo reported the attempt, and witnessed a member of the night cleaning crew bringing in her teenage son. The video image showed the teenager plugging his iPod into a workstation, turning on the workstation, and giving up after he was challenged for a boot-level password. As a result, the cleaning crew was let go, McDanell explains, because of the potential risk to member data and accounts.

Instead of blocking or allowing specified devices, SWFCU is blocking all user groups, except the IT department, which needs access for system administration. Even their use is monitored.

To lock down and monitor USB usage on its 70 workstations and 13 perimeter devices, SWFCU uses Lumension's Sanctuary. If an unapproved user has need and sign-off to port or back up data through a USB device, the IT staff uses Lumension's management console to open up the port on a temporary basis, Neal explains.
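The three controls described in the PFCU and SWFCU passages above (a device allowlist keyed by serial number, a group rule that blocks removable storage for everyone but IT while still logging IT's use, and a temporary per-user exception granted after sign-off) plus the after-hours reporting that caught the iPod attempt can be expressed as one small policy-and-alerting routine. The following Python is an added example written for this article; it is not TriGeo, Lumension or any other vendor's code. Every serial number, user, group, host, business-hours window and log line in it is constructed for illustration.

```python
"""Added example: USB device policy decisions plus after-hours alerting.

All device serials, users, hosts, hours and log records below are
constructed; the log format is a made-up key=value line, not any
product's real output.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

# Registered devices allowed regardless of user (assumed, like the assessor
# tokens and executive phones identified by serial number in the article).
REGISTERED_DEVICES: Dict[str, str] = {
    "TOKEN-0001": "assessor secure token",
    "PHONE-EXEC-7": "executive smart phone",
}

# Only these groups may use removable storage at all; their use is logged.
GROUPS_ALLOWED_STORAGE = {"it"}

# Assumed business hours; anything outside is reported as after-hours.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Temporary sign-off exceptions: user -> (window start, window end).
TEMP_EXCEPTIONS: Dict[str, Tuple[datetime, datetime]] = {
    "jdoe": (datetime(2008, 9, 3, 11, 0), datetime(2008, 9, 3, 12, 0)),
}

# Constructed log lines in the form the parser below expects.
SAMPLE_LOG = [
    "2008-09-03T10:15:00 host=WS-03 user=assessor1 group=contractor serial=TOKEN-0001 class=token",
    "2008-09-03T11:02:30 host=WS-07 user=jdoe group=finance serial=FLASH-9F2 class=storage",
    "2008-09-03T11:05:00 host=WS-08 user=asmith group=finance serial=FLASH-B7 class=storage",
    "2008-09-03T14:20:00 host=WS-01 user=admin group=it serial=FLASH-A1 class=storage",
    "2008-09-03T23:41:05 host=WS-12 user=cleaner group=contractor serial=IPOD-55 class=storage",
]


@dataclass
class UsbEvent:
    ts: datetime
    host: str
    user: str
    group: str
    serial: str
    device_class: str  # "storage", "token", "phone", ...


def parse_event(line: str) -> UsbEvent:
    """Parse one constructed 'ISO-timestamp key=value ...' log line."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return UsbEvent(datetime.fromisoformat(ts_str), kv["host"], kv["user"],
                    kv["group"], kv["serial"], kv["class"])


def decide(ev: UsbEvent,
           exceptions: Optional[Dict[str, Tuple[datetime, datetime]]] = None
           ) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a connection attempt.

    Order matters: registered devices first, then the device class, then the
    user's group, then any time-boxed sign-off exception; default is deny.
    """
    exceptions = exceptions or {}
    if ev.serial in REGISTERED_DEVICES:
        return "allow", "registered device: " + REGISTERED_DEVICES[ev.serial]
    if ev.device_class != "storage":
        return "deny", "unregistered non-storage device"
    if ev.group in GROUPS_ALLOWED_STORAGE:
        return "allow", "group permitted; usage logged"
    window = exceptions.get(ev.user)
    if window and window[0] <= ev.ts <= window[1]:
        return "allow", "temporary sign-off exception"
    return "deny", "removable storage blocked for group " + ev.group


def after_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() <= end)


def process(lines: List[str],
            exceptions: Optional[Dict[str, Tuple[datetime, datetime]]] = None
            ) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Evaluate each line; return (serial, verdict) pairs and alert strings.

    Denied attempts outside business hours become alerts, the condition that
    would have flagged the after-hours iPod in the article.
    """
    decisions, alerts = [], []
    for line in lines:
        ev = parse_event(line)
        verdict, reason = decide(ev, exceptions)
        decisions.append((ev.serial, verdict))
        if verdict == "deny" and after_hours(ev.ts):
            alerts.append(f"{ev.ts.isoformat()} {ev.host}: after-hours removable "
                          f"storage attempt by {ev.user} ({ev.serial}): {reason}")
    return decisions, alerts


if __name__ == "__main__":
    for item in process(SAMPLE_LOG, TEMP_EXCEPTIONS):
        for entry in item:
            print(entry)
```

Run as a script it prints five verdicts and one alert (the 23:41 attempt by the cleaning-crew user). Dropping the `TEMP_EXCEPTIONS` argument turns the 11:02 finance attempt into a deny, which is the point of keeping sign-off exceptions time-boxed rather than editing the group rule.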

Encryption is also extending to USB drives. This can be done through endpoint security, such as PGP End Point, which writes encryption to the drive from its software interface and doesn't limit what drives organizations use. Or, it could be done on the flash device itself, which is being done by companies such as SanDisk and Kanguru.

Encryption provides fine protection in the case of lost drives – such as in the case of the University of Nevada, which lost 16,000 student records on a misplaced USB drive in late 2007 – but it does nothing to prevent the authorized user from taking the encrypted drive to an unauthorized machine and decrypting the contents on an unprotected machine.

You need to be able to say that this USB or iPod can download this information and encrypt it, but that it can only be decrypted on an authorized machine, says Stamos of Verdasys.

“Data is only useful if it's being used,” he adds. “So you need to let it freely flow within the enterprise, while making sure it can never leave the enterprise by any means, including pod slurping and thumbsucking.”