Apple’s 160GB iPod Classic, introduced last September, is a music and movie lover’s dream machine. But for IT departments, it’s a security nightmare.
That’s because any employee can plug this pocket-sized USB storage device into their computer and use it to steal vast amounts of corporate information, including mailing lists, databases, financial records and confidential customer data.
Of course you don’t need an iPod to steal data: 4GB USB memory sticks are cheap and ubiquitous, or, for employees intent on stealing really large amounts of data, devices like Buffalo’s recently announced LinkStation Mini offer a terabyte of storage in a case that fits in the palm of the hand.
Locking Down USB Ports
A number of vendors have moved to address this problem with peripheral device control products that lock down USB and other ports. Most work with a configuration program running on a server and agents running on end user machines. A few years ago these solutions were relatively primitive, but they have now grown in sophistication to the extent that they can link with Active Directory and permit and deny users access to ports according to group policy. They can also restrict users to specific storage devices so that, for example, an iPod can’t be used to remove data, but a USB stick with suitable encryption can.
Introducing this type of software has the potential to be quite disruptive if employees routinely access USB ports to carry out their jobs, said Don Leatham, Director of Solutions and Strategy at Scottsdale, Arizona-based Lumension Security, which sells a product called Sanctuary Device Control.
“To overcome this, we offer the ability to go through a monitoring phase,” he said. “You can establish a policy, put agents on your machines and turn on monitor mode to see how the policy might disrupt your business if you implemented it. You get to see what sort of data is going out of your systems — and also what software, like malware, is coming in.”
Once the implications of implementing a particular security policy are understood, administrators are in a strong position to make changes, like providing individuals who need to use USB storage with encryption enabled devices, or creating new groups with greater privileges for those that really need them.
Regulatory requirements, such as those imposed by the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), mean that companies need not only to be able to protect customer data, but also to provide an audit trail whenever data is moved as proof of compliance. Products such as Sanctuary are able to provide this by logging when data is moved (or an attempt is made to do so) using USB, floppy or CD/DVD drives. A complete copy of the data that is moved, and a note of who was responsible, can also be stored in the log.
The need for basic data security was what motivated South Western Federal Credit Union to install Sanctuary, according to Miriam Neal, the bank’s vice president of Information Systems. “We were aware that there was a potential security problem, and when another financial institution had a hard disk stolen, we began thinking about how many PCs we had that were not locked down,” she said. “We realized that someone could quite easily steal a great deal of data with a high-capacity USB drive.”
Neal installed Sanctuary on about 80 PCs and servers, including 8 PCs in a branch office that would otherwise be difficult to monitor. “We wanted to lock down all of our PCs for all of our employees,” says Neal. “But we wanted to allow our admins to use the USB drives and CD drives for software installation, and, of course, the CEO needed unrestricted access. This was all easy to do using Active Directory,” she said.
The cost of implementing this type of security is about $60 per desktop, although substantial volume discounts are offered, according to Leatham. Neal believes it makes sound financial sense. “How much does it cost when private information is compromised?” she asked. “We have 17,000 members, so that could cost us a lot of money if we lost data. At the very least, we would have to notify all our members and pay for credit record checks.”
Controlling data leakage was also a potential problem for Meriwest Credit Union, which has computers at twenty remote sites, according to Tom Doan, the credit union’s Windows administrator.
“Any of our users could potentially have dragged and dropped data onto a USB stick from one these sites and we wouldn’t have known about it,” said Doan. “As a credit union, in order to be compliant from an IT standpoint, we had to have control over USB devices and floppy or DVD drives, so we had to implement something.”
Doan chose UK-based Centennial Software’s DeviceWall, which works in a similar fashion to Sanctuary. “We have 300 XP machines, and now we can audit exactly who is bringing what data out of the organization,” he said. “We have a compliance committee, and if any employee needs access to anything beyond their C drive, they have to request it to the committee. If it is approved, then it is very easy for us to configure the software to provide that access.”
Clearly any employee permitted to store data on a USB drive runs the risk of losing the device, which is why many organizations require all such data to be encrypted. One way that device control software can help to ensure that this policy is applied is by only allowing USB devices that include encryption to be approved for use; other USB devices will be rejected by the system.
An Open Source Option
Any USB drive can be turned in to a secure storage device by installing an open source application called TrueCrypt. This creates an encrypted volume in the drive, which can only be accessed using a password. The drivers necessary to mount the encrypted volume can be stored on an unencrypted portion of the drive, making it completely portable.
One drawback to a TrueCrypt volume is that if the password is easily guessable, then the contents of the encrypted volume could be brute-forced. More importantly, TrueCrypt has no provision for key retrieval, so the potential for data to be lost when employees forget their passwords is high (assuming that they haven’t written the password down on the device, defeating the purpose of encryption completely). Troubles like these are one reason that encryption key management has become a growth market in enterprises.
Perhaps the last word in USB security is offered by a company called IronKey, which produces an enterprise system based around their near indestructible IronKey USB drives, which include hardware encryption. Administrators can use special administrative IronKeys to issue employees end user drives that have public keys burned in to them. End users are then able to back up the (encrypted) contents of their IronKeys to hard drives, and can also retrieve their password if they forget it as long as they have the IronKey in their possession. As a finishing touch, IronKeys are hardwired to self-destruct if the wrong password is entered more than a set number of times (usually ten), so that if the IronKey does get lost, the chances of brute forcing the key is effectively eliminated.
There’s no doubt that portable storage devices like iPods present a serious security risk to most organizations, and failing to mitigate this risk is likely to leave many companies in breach of regulatory requirements. It’s a brave (or rash) CIO who ignores the risk when many effective solutions to help overcome it are available.