Comments on: The Portable Risk of High Capacity USB Drives

By: Joe Frantize

Joe Frantize — Thu, 19 Jun 2008 17:34:33 +0000

Nice blog here. You are TOTALLY TOTALLY right. The convenience of a completely portable storage device is just so totally awesome, that’s it’s easy to overlook the negatives of getting your information stolen. Encryption people! You MUST encrypt your critical information. This means social security numbers, health data, bank data, etc. Anything that you just wouldn’t want floating around, should not be in clear text on your portable storage thingy… They are just so portable, that means they get lost and stolen all the time. Make the effort. Protect yourself. It’s not that hard with a few hours of orientation and the right software and you are there… Safe and sound.

By: Mark

Mark — Tue, 01 Apr 2008 15:43:35 +0000

Thanks for the article.

In our company we had some security incidents of stealing several hundreds megabytes of sensitive project data with high capacity usb sticks. Initially we disabled all usb ports but after some time we got rid of this idea.
As a final solution we implemented desktop authority from scriptlogic. By using it’s usb and ports security feature (link) we blocked all security harmful devices cd/dvd burners, PDAs and mp3 players.
With usb storage sticks we decided to do a little trick. We enabled only company issued usb drives with low capacity (just for sharing small documents, reports or presentations).
We were able to do this by putting serial numbers of such usb stciks to the special whitelist and by enabling the access to usb storage only for devices from this list.

By: Samsung Says Thin Is In - GigaOM

Samsung Says Thin Is In - GigaOM — Fri, 07 Mar 2008 02:03:30 +0000

[...] (that could store 120 hours of HD video or 320,000 images). In a laptop. Think about how much confidential data someone could store on it, only to have stolen out of their car. It boggles the mind. Share/Send Sphere Print [...]

By: Gijo Mathew

Gijo Mathew — Fri, 14 Dec 2007 20:15:53 +0000

Allan, risk is always understood at F1000 organizations, they certainly don’t run oblivious to the major risks they face. The problem is that it is usually documented in a bunch of spreadsheets and word documents on the intranet. The goal is to start enforcing some of those policies to minimize risk.
Implementation like security is layered. It can start with your riskiest areas and then add policy incrementally. Implementation time can be short using a phased methodology and a modular solution.

By: The Law of Mobility » Blog Archive » Managing the Danger: Week of 12/9/07

Tue, 11 Dec 2007 11:57:51 +0000

[...] High capacity USB drives [...]

By: links for 2007-12-10 « D e j a m e S e r

links for 2007-12-10 « D e j a m e S e r — Mon, 10 Dec 2007 15:28:39 +0000

[...] The Portable Risk of High Capacity USB Drives - GigaOM (tags: security) [...]

By: Minoru

Minoru — Fri, 07 Dec 2007 14:49:28 +0000

Allen,
1)Yes, We can accept only our special formatted USB and deny to use normal USB. This is perfect. All are software implemented solution no special hardware.
2)We have two certificates, one is domain and password if need it. Also administrator can set life time of data in the USB.
3)If you can use our Virtual Thin Client system with USB, contents of USB must backuped on the server anytime.
I can send you materials.

By: John B.

John B. — Fri, 07 Dec 2007 08:27:30 +0000

“Today, USB disk drives of up to 16 gigabytes in size are available.”

You must mean “flash” drives. Portable “disk” drives are now hitting 320GB (http://www.engadget.com/2007/12/03/western-digital-passport-portable-drive-hits-320gb/).

By: Las llaves USB, un riesgo de seguridad - Foro de MundoCombo

Las llaves USB, un riesgo de seguridad - Foro de MundoCombo — Fri, 07 Dec 2007 07:33:13 +0000

[...] esos riesgos, as� que tened cuidado con lo que almacen�is en estos peque�os dispositivos. vINQulos GigaOM Fuente: The Inquirer ES : Las llaves USB, un riesgo de seguridad ——- Es curioso ver como un [...]

By: Allan Leinwand

Allan Leinwand — Fri, 07 Dec 2007 04:58:46 +0000

@Jens - good move, but still not two-factor authentication. The time is coming when most organizations will require two-factor for everything.

@Gijo - thanks for the info. Who sets the corporate policy on what information can be stored on a USB drive and what can't? That sure seems like a cumbersome task - I imagine the implementation time and cost for a F1000 company maybe high.... Perhaps not as high as losing corporate confidential data, but high enough that I would guess such a project would take a long time to implement.

By: Gijo Mathew

Gijo Mathew — Thu, 06 Dec 2007 20:37:43 +0000

Allan, Good comments on the risk.
Here are some approaches on how organizations try to mitigate this risk:
1)Disable USB drive altogether (Not practical and useful for many organizations)
2)Encrypt the USB drive
3)Strong Authentication to access USB drive
In my mind it is not just about access to the contents on the drive but rather what gets placed on the drive in the first place! I don’t care if you encrypt and have strong authentication on your USB drive if what you are taking with you are thousands of SSN’s or patient information, or corporate intellectual property. I know most organizations wouldn’t want this information leaving the organization in any form. (Posted on a blog, emailed, or dropped on USB)
So the 4th approach:
4)Let corporate policy state what can go on a drive and enforce that at the endpoint.

DLP solutions with endpoint protection ability do just that. They ensure that the most critical information does not leave the organization, even if it is via a USB drive. Who cares if my family pictures are encrypted and can’t be accessed without strong authentication? The secret is in accurately detecting critical information and then deciding if it should be on a USB drive or not.
(link)

By: USB security: look to disk drives for inspiration « Storage Effect

USB security: look to disk drives for inspiration « Storage Effect — Thu, 06 Dec 2007 18:09:05 +0000

[...] Gigaom highlights the challenges with business security and the increase in size and use of USB drives for sensitive data. [...]

By: Jens Moller

Jens Moller — Thu, 06 Dec 2007 15:46:29 +0000

Have a look at TrueCrypt - Its free and allows you to run it totally on a USB Flash Drive - I use it with Portable Thunderbird (email client) and this allows me to use a 2 Gig flash drive for storing sensitive data as well as reading my email on any Windows or Linux PC that I have available to me.

I never allow my files to go unencrypted.

(link)

By: Allan Leinwand

Allan Leinwand — Thu, 06 Dec 2007 15:18:09 +0000

@Minoru - very interesting. Two possible issues though....

1) Does your environment allow me to buy a different USB disk drive and not use your unique protection software? While this method seems valid to password protect the USB drive with the software on it, what stops me from buying a very cheap drive and using it in your environment? Are your USB ports locked to deny access to other USB devices?

2) Your solution still lacks good two-factor authentication. Using a password (or network credentials in the domain) are still only one-factor.

@Tim - thanks and good luck :)

By: Tim Probst

Tim Probst — Thu, 06 Dec 2007 11:10:49 +0000

Although it has taken a while for companies to catch up with the threat of affordable portable storage devices, it seems to be at the top of everyone's list these days.

My employer just introduced a new hardware policy that disables USB hard drives and flash drives and disables the disk burning capabilities of our DVD drives. I can definitely understand the need for this policy, and I support it, but it does make it more difficult when my coworkers and I are out at client sites and need to quickly share large files. At this time, our only options are to email the files back and forth to each other or to connect to our network shares over VPN and wireless broadband cards. Both of these options are brutally slow. It seems to me that the better option is to encrypt the data on USB flash drives, and I am going to forward your post to our IT department in hopes that they'll find some way to allow us to use our USB drives again. Thanks!

By: Las llaves USB de gran almacenamiento, un riesgo de seguridad // menéame

Las llaves USB de gran almacenamiento, un riesgo de seguridad // menéame — Thu, 06 Dec 2007 10:46:35 +0000

[...] Las llaves USB de gran almacenamiento, un riesgo de seguridadgigaom.com/2007/12/05/the-portable-risk-of-high-capacity-usb… por yoursecurity hace pocos segundos [...]