Network Security Focus-Microsoft

RE: Disabling USB mass storage

Subject: RE: Disabling USB mass storage
Date: Fri, 4 Mar 2005 14:04:33 -0700
Hey Allan;

You raise some good points - and having a good policy and user training is
fundamental to security.

And you are totally right, people can E-mail files, put in USB hubs and if
you thought about it probably lots of other ways to circumvent even the best
intentioned security put in place.  And I'm often amazed how many times I
see "knee jerk" reactions of companies or governments going from one extreme
to the next on policies or laws often only succeeding in punishing
legitimate usage.

Being in the financial sector, it can really be a bit of a different gig for
some security issues.  Not just for privacy laws, but to help hinder
sophisticated theft and fraud attempts from taking place.  And the ability
to bring programs in or take data out on a storage device that can be a few
GB in capacity is what makes us a little concerned.

I think everyone in security is painfully aware there is no silver bullet
for security, but locking down as much as we can seems to at least limit the
larger avenues of threats.  And while we audit systems and know when
software or hardware is installed we'd rather prevent USB drives from coming
up to begin with for unauthorized users.

Steve

-----Original Message-----
From: Allan S [mailto:nullconnect@gmail.com] 
Sent: March 3, 2005 4:55 PM
To: focus-ms@securityfocus.com
Subject: Re: Disabling USB mass storage


We've taken the step of disabling the USB controllers in device manager on
our clients' machines.

Not an ideal solution, as with everything coming on USB nowadays, we spend an
inordinate amount of time re-enabling these devices - which leaves them open
for use with USB drives.

While I'm on the subject. . .  why all the FUD regarding USB drives? 
We have a policy at my current job that prevents the use of USB drives.
This was a policy implemented around the same time that we deployed new
clients to our users. . . clients that came with CD burners and floppy
drives. . . which aren't disabled.

The result has become the archetypical example of users finding creative ways
around bad rules.  One user went and purchased his own USB hub for use in
the one open port we gave him.  Another user, more leery of breaking the
established rules, will email his briefings home to himself and puts them on
his flashdrive there - simply because he doesn't want to have to deal with the
hassle of CDs while on road trips.

A google comes back with several hits regarding various options on how to
disable USB ports but is very thin on the rationale behind the act.
  Even a search on securityfocus.com returns a lot of wheres and hows. . .
but is not so good on the whys.

The best I've been able to find is that some people were worried about the
efficiency of USB drives, putting forth the argument that the greater ease
of the technology comes with increased risks.  Granted. . . but if high
efficiency leads to high risk why allow other efficient technologies as
well, technologies like email or the web? Or even CD burners. . . 
     or PDAs. . . 
          or floppy drives. . .  

All of these have vulnerabilities that ultimately can only be addressed with
company and administrative policies.  Policies that should also cover (or
can easily be adapted to) USB drives.

It may sound like my mind is made up on this - but it isn't - not
completely.  I'm just frustrated by having to _daily_ defend what is a very
unpopular policy.  A typical exchange goes along the lines of:

-We have <pick one> CD burners / floppy drives / Iron clad NDAs /
security clearances but we can't use a thumbdrive?
Um. . . yeah. . . it's something that the security office pushed down.
-That's pretty stupid.  Why?
Um . . . not a clue.
-I mean I can use the CD / floppy / email / web / network printer / fax
machine / photocopier to get files / information out there.
Yeah. . . well . . it's not the only policy that we've got that hasn't
really been thought through.*

(5-30 minutes of general ranting follows, depending on the
fortitude of the person and how fast I can do what needs to be done and
escape.
The above line is wonderful for getting the user to leave me alone and off
ranting against /them/ what inhabit security.  It is, unfortunately, not a
very team-oriented nor professional phrase.  But it's an honest one).

This happens daily.  

I kid you not.

Okay.  To be honest I'd only just heard the fax machine argument today.  

But.  I would be appreciative if anyone could point me towards a good reason
for disabling USB drives, so that I can start defending this policy with
some form of conviction.

Or am I correct in my belief that this emperor is buck naked?

Now - if you'll excuse me - I have a DVD burner to install for a user. 

Allan Seyberth
