Background
USB is short for Universal Serial Bus, a standard interface that makes it easy to connect computers with a wide variety of devices. USB connections can be called the “Swiss Army Knife” of interfaces since they support many devices such as cameras, PDAs, modems, keyboards, computer mice, network interfaces (including wireless), printers, and music players. In an effort to standardize and make devices "plug and play" compatible, nearly every computer operating system provides seamless support for USB devices. Many of these devices can be considered portable storage devices in that they are capable of downloading files as well as copying files onto the computer they are connected to. Add to that the universal quality of a USB port and not only is it easy to plug them into your own computer, but also into your work computer, a friend's computer, or a computer at another site such as a library or internet cafe.
The Issue
If you are the Security Officer in an industry where confidential data needs to be secured and business networks must be protected from viruses and malicious code, you may consider the term “USB” to be short for “Ultimate Security Breakdown.” With this easy "plug and play" compatibility comes easy opportunity for a security breach.
Of particular concern are the small flash drives, known by a variety of names such as jump drives, thumb drives, and key drives. Their small size, large storage capacity, and ease of use present an opportunity for unsupervised visitors or unscrupulous employees to smuggle confidential data out of your organization with little chance of detection. One USB device company has recently announced a drive called “In the Pink,” which was designed to look like a lipstick tube. There are jump drives inside ball point pens and drives that fold out of pocket knives.
Any portable storage device presents a significant security challenge for your organization. Besides downloading copies of confidential information, they can also copy viruses and malicious software onto a computer workstation and onto your company network, which is perhaps even more damaging. USB drives represent a security risk like other forms of portable media even when they are used for legitimate purposes. They are able to hold huge amounts of confidential data that could be lost or stolen should the device go missing.
Social Engineering: A USB Example
In this review, a security consultant decided to use Social Engineering techniques to try to penetrate the network. Since all of the employees had been informed that a security review was being conducted, the consultant needed to try an unusual approach to gain entry.
He developed a malicious program called a Trojan and copied it to several USB drives. When the USB drive was plugged into a PC, the Trojan would automatically run without any action by the computer user. The Trojan would quietly collect passwords, user IDs and machine-specific information from the computer, and email the information back to the consultant.
The consultant then arrived early in the morning and placed these USB drives in the parking lot, on the sidewalk outside of the employee entrance, in the designated smoking area, and other areas where employees would be sure to find them. Before long, employees, including the executives who hired the consultant, picked up the drives and plugged them into their computers to see what was on them, and the Trojan emailed the captured information to the consultant.
Best Practices
Since these USB ports are required for many essential and legitimate services, they cannot usually be disabled. Your organization should establish a system of USB port access controls.
Policy. Enact a policy which prohibits the use of unauthorized removable media including USB flash drives. If USB drives are used in a legitimate business practice, a USB drive that supports data encryption should be required.
Training. Users and administrators should be educated on the dangers of USB drives and the organization's policies prohibiting their use.
Password-protected screensavers. An unattended workstation that is locked cannot be used by a malicious visitor or co-worker to steal data. Implement password-protected screensavers throughout the enterprise with inactivity timeouts of 10 – 20 minutes. For system administrators or users that are located in areas where it would be relatively easy for a visitor to have a few minutes at a workstation, a shorter inactivity timeout of 5 minutes should be implemented.
Malicious software. Ensure that your anti-virus and anti-spyware software is configured to perform real-time scans of all files.
Disable write access. A feature available with Windows XP Service Pack 2 can prevent writing to all USB-connected block storage devices, including flash drives and CD burners. Note that this feature does not prevent reading from a USB device, nor does it allow you any granularity of control to allow some devices but disallow all others. Refer to the following Microsoft article for instructions on enabling this feature: http://support.microsoft.com/kb/555441/en-us
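A workstation check for the screensaver and write-access settings described above, as an added example that is not from the original article or the linked Microsoft page. The registry locations are the standard Windows ones rather than values given on this page, and the parameter names `MaxIdleSeconds` and `EnforceWriteProtect` are hypothetical.

```powershell
# Added example: audit the screen-lock and USB write-protect settings.
# Read-only unless -EnforceWriteProtect is given (needs administrator rights).
param(
    [int]$MaxIdleSeconds = 1200,   # 20 minutes; pass 300 for exposed workstations
    [switch]$EnforceWriteProtect
)
$findings = @()

# 1. Password-protected screensaver. Values are per-user strings; a Group
#    Policy value, when present, takes precedence over the user's own setting.
$desktopKeys = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
               'HKCU:\Control Panel\Desktop'

function Get-DesktopValue([string]$Name) {
    foreach ($key in $desktopKeys) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { return $item.$Name }
    }
    return $null
}

if ((Get-DesktopValue 'ScreenSaveActive') -ne '1') { $findings += 'Screensaver is not enabled' }
if ((Get-DesktopValue 'ScreenSaverIsSecure') -ne '1') { $findings += 'No password required on resume' }
$seconds = 0
$timeout = Get-DesktopValue 'ScreenSaveTimeOut'      # stored in seconds
if ($timeout) { $seconds = [int]$timeout }
if ($seconds -le 0 -or $seconds -gt $MaxIdleSeconds) {
    $findings += "Inactivity timeout is $seconds s (limit $MaxIdleSeconds s)"
}

# 2. USB storage write protection: machine-wide DWORD, 1 = writes blocked.
$sdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$wp  = (Get-ItemProperty -Path $sdp -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
if ($wp -ne 1) {
    if ($EnforceWriteProtect) {
        if (-not (Test-Path $sdp)) { New-Item -Path $sdp -Force | Out-Null }
        New-ItemProperty -Path $sdp -Name WriteProtect -PropertyType DWord -Value 1 -Force | Out-Null
        $findings += 'WriteProtect was not set; it has now been set to 1'
    } else {
        $findings += 'USB storage write protection is not enabled'
    }
}

if ($findings) {
    $findings | ForEach-Object { "FINDING: $_" }
} else {
    'OK: screen lock and USB write protection match the policy'
}
```

Run it in the logged-on user's session so that the per-user screensaver values are the ones being read.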
Software solutions. There are a number of third party software solutions that allow greater control over the use of USB flash drives. Consider these products:
- TriGeo USB-Defender™. This product provides event logging to identify forensic details of the USB devices that are mounted, including manufacturer, serial number and device type. When combined with TriGeo Security Information Management, unauthorized devices, unauthorized users or inappropriate use can result in ejection of the device and / or notification to administrators.
- New Boundary Policy Commander™. This security management product monitors and enforces a wide range of security settings on Windows servers and workstations, including the use of USB devices.
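The kind of device record described above (manufacturer, serial number, device type) can also be read from Windows' own list of USB storage devices. This is an added example, not code from either product named here; the registry path is the standard Windows one, the function name is hypothetical, and the approved serial numbers are constructed samples.

```powershell
# Added example: list USB mass-storage devices this machine has seen and flag
# any whose serial number is not on an approved list.
$approvedSerials = @('AA00000000000489', '4C530001230512117134')   # constructed samples

function ConvertFrom-UsbStorId {
    param([string]$DeviceClass, [string]$Instance)
    # Class key name: <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
    if ($DeviceClass -notmatch '^(?<type>[^&]+)&Ven_(?<ven>[^&]*)&Prod_(?<prod>[^&]*)&Rev_(?<rev>.*)$') {
        return $null
    }
    $m = $Matches
    # Instance key name: <serial>&<n>. When its second character is '&', the
    # device reported no serial number and Windows generated the identifier,
    # so it cannot be matched against an allowlist.
    $unique = -not ($Instance.Length -gt 1 -and $Instance[1] -eq '&')
    $serial = if ($unique) { ($Instance -split '&')[0] } else { $Instance }
    New-Object PSObject -Property @{
        DeviceType      = $m.type
        Manufacturer    = $m.ven
        Product         = $m.prod
        Revision        = $m.rev
        Serial          = $serial
        HasUniqueSerial = $unique
        Approved        = ($unique -and ($approvedSerials -contains $serial))
    }
}

$root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$devices = foreach ($class in Get-ChildItem $root -ErrorAction SilentlyContinue) {
    foreach ($inst in Get-ChildItem $class.PSPath -ErrorAction SilentlyContinue) {
        ConvertFrom-UsbStorId -DeviceClass $class.PSChildName -Instance $inst.PSChildName
    }
}

# Unapproved devices sort first.
$devices | Sort-Object Approved |
    Format-Table DeviceType, Manufacturer, Product, Serial, Approved -AutoSize
```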
How Assurity River Group can help with INFORMATION SECURITY BEST PRACTICES
Security Risk Assessment. Assurity River Group can help you review your security risks, including USB port access.
Policy Creation and Compliance. Assurity River Group helps organizations draft effective information security policies and standards to ensure ongoing security compliance with all data privacy and security standards such as HIPAA and GLBA compliance.
Assurity River Group can:
- Evaluate and assist with the implementation of USB port control applications.
- Provide and implement Digital Persona fingerprint scanners.
- Provide inexpensive email content filtering systems.
- Secure email servers on the network, and establish standards for email security auditing and alerts.
We have experience in implementing systems to enable employees to securely transmit encrypted documents.
Assurity River Group can also provide a number of remotely managed services to protect your computer systems from pervasive threats on the Internet.
Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.