Wednesday, September 9, 2009

The Threat Behind the Firewall

I had a different name for this blog entry but just ‘Jump Drive’ is an awful blog title.  They go by many names; jump drive, USB drive, flash drive, memory stick and a few others, but removable media is a serious threat to IT organizations.  Graduating from floppy disks, as early as 2003 articles were warning against the possible threats introduced with these devices – 256Mb for $160 back then – and yet we still see some sort of incident reported almost once a week!  From consultants, to government employees, to Mortgage lenders, to the International Space Station, what used to be a giveaway staple at trade shows, these tiny less-than-two-inch drives can hit and hurt you in a multitude of ways. 

They can infect your Network.  Just last week, the London Council’s systems were infested with Conficker-D due to an employee sticking an infected USB drive into a work computer.  Not only were the systems shut down, including their VoIP, they were unable to process parking tickets, library fines, benefit claims and rent collections.  With system repairs added to that, their bill will eclipse £500,000 ($825,000 USD). 

They can deliver Malware.  As of 2008, 10.3% of malware was delivered by USB storage.  One of the biggest threats here is the AutoRun features on USB drives – just stick it in and the program launches.  One way to get your malware delivered is to just leave a bunch of infected, cool-looking USB drives in the parking lot of the potential victim.  Unsuspecting, curious employees see the drive and wonder, ‘ohh, what’s on this?’  Before they even open email, they’re shoving the unknown stick into their computer to find out.  Mission Accomplished.  It could even happen with your own, purchased jump drive.  Maybe you have some important files that you need while traveling or at a conference and you don’t have (or didn’t bring) your laptop.  No problem, just find the USB port on the public kiosk or partner computer and problem solved.  Not so fast.  Either one of those un-trusted computers could be infected themselves – passing the strain on to you – which eventually makes it’s way onto your unit/network when you simply re-insert it.  USB threats can also come from a reputable vendor with their product documentation. 

They can steal your Data.  With the size and speed of some of the newer USB drives, it’s become fairly easy to quickly copy entire folders or even entire hard drives to a USB stick.  While I don’t touch on it that often, corporate espionage is alive and well especially in today’s economy.  Often due to regulation, companies are now storing much more data than ever before but not protecting or restricting access to that data.  While the spy might be external, insider threats have grown and disgruntled employees have IT departments concerned.  According to a Cyber-Ark survey, “74% of the 200 information technology pros surveyed know how to circumvent security to access sensitive data, and 35% admitted doing so without permission.”  The increased use of personal devices in the workplace also makes it difficult to track where and when data goes.  Earlier this year, the Ponemon Institute found that 88% of data breaches were caused by employee based negligence.  Locking down devices, even within your own office, has become critical.

They can lose your Data.  By the sheer fact that they are small, inexpensive, and we probably have a few extras, losing one of these doesn’t seem like a big deal.  But when a $10 device holds millions of dollars worth of sensitive data, it becomes a big deal.  Just last week in the UK, The Home Office had to revise it’s numbers pertaining to a data loss.  An unencrypted USB stick went missing in 2008 by one of it’s consultants and the new estimate jumped by 250,000 records.  The memory stick is still lost.  A couple others include a worker who copied data (against policy) so they could work at home and lost the stick, which was unencrypted.  Luckily, this one was found since it contained sensitive data on children but the BBC also lost a stick last year that contained kids personal data.  And even 'Dear Deirdre' admitted to losing a memory stick containing the personal matters of her readers.  Ponemon also found that while encryption is used widely to protect data on VPN, file servers and databases, mainframe and USB flash drive encryption are the least deployed applications.

Geeze!  But those things are so useful!’  I hear you.  I’m not suggesting eliminating all removable media, like the DoD, but there are a few pointers when they are in use.

Understand the risks involved and communicate to users.  While you might not restrict the use of USB sticks, it might be a good idea to remind your users of the potential perils when using them.

Create a Policy around the use of jump drives.  Maybe only IT provided devices can be used, or only encrypted devices or none at all.  Maybe disable or lock down USB ports on laptops that are connecting remotely.  Disable USB (maybe via Group Policy) on any un-trusted (non-IT) computers requesting access to the network.  Make sure your policy also includes what areas/subnets/VLANs of the network the user can access so sensitive data is not inadvertently removed.

Encrypt the data.  If your users are able to access sensitive data and it’s likely to be copied (for whatever reason), encrypted USB devices are the way to go.  Heck, there are even fingerprint secured USB sticks on the market.

Educate your users.  Educating your crew on all the perils of data security, Data Loss Prevention, how to handle sensitive materials and the ramifications of not doing so, can help.

ps

No comments:

Post a Comment