BUSINESS: Thumbdrives pose a risk to companies

posted on Jun, 13 2005 @ 08:00 AM
I have just finished reading a BBC article about large firms beginning to worry about employees stealing large volumes of sensitive data by using personal storage devices. Almost one-third of organisations say users are connecting up the devices to PCs without permission. There is also a worry of an employee slipping a virus or some other nasty onto the company's network.
 



www.newsalerts.com
Although the problem of people downloading confidential information and walking out of the door with it is not new, said Martin Allen, UK managing director of PointSec, the greater capacity of current drives is making the problem potentially much worse.

Moving files from home to work could expose firms to risk from viruses and other malicious programs.

Mr Allen said a ban on the use of portable players and USB drives in the workplace would not work. Instead firms needed to do a better job of monitoring what was being placed on drives.


Please visit the link provided for the complete story.


I can understand a company's concern to keep their private data private. An all-out ban on PSDs is out of the question. So it seems a better policing system needs to be put in place. I think if they special ordered thumbdrives with some kind of protection software embedded in the drive, they would be better off.



[edit on 6/13/05 by Kidfinger]




posted on Jun, 13 2005 @ 08:15 AM
Most of their concerns are already there; all that a company needs to do is configure their basic security strategies in order to prevent movement of confidential information onto a USB drive.
As for the possible introduction of viruses or worms into the corporate environment, all the IT department needs to do is first make sure that their security patches are up to date on all their systems.
Ensure that their antivirus programs are up to date and that they are running.



posted on Jun, 13 2005 @ 08:35 AM
The computers at my office are all configured such that you can't use USB disks. Emailing files out is possible but you will be caught because emails go through the company server and are monitored by the IT department. Use of personal email is banned and the company logs and monitors employees' Internet usage, so again, they will know. Yep, my company has very tight cyber-sphincter.



posted on Jun, 13 2005 @ 09:20 AM

originally posted by: wecomeinpeace
Yep, my company has very tight cyber-sphincter.


Unfortunately, there are a lot of companies whose sphincter is rather loose when data security is the issue. It is definitely an IT issue, but virus software only catches what it knows is out there. If the virus isn't in the database, chances are it won't be detected.



posted on Jun, 13 2005 @ 09:30 AM
Actually, the av software that antivirus companies sell to corporations is able to identify not only "known" viruses and malware, but it is also able to identify suspicious files and computer activity.
I worked for one of the av companies for over 5 years and have seen a dramatic decrease over time in the number of times a company has been adversely affected by malware. Before, with viruses such as I Love You, Kriz, Funlove, Nimda, these viruses / worms would bring a company to its knees in no time flat.
With the innovations that have been made for corporate desktop, server email, as well as perimeter defense, (some) av security software and hardware can identify suspicious activity and automatically take actions to prevent the spread of the infections and thus reduce the severity of the spread.
An example: an email server that is running up-to-date av software can be configured to take action if one system starts sending out emails with the same subject line, same text (or lack of) in the body of the email, similar attachments in name or size. The email server can quarantine these emails and will not send them out to others. It can be configured to notify the email server's admin, etc. It can even be configured to automatically send samples of suspicious files to the av vendor for analysis.
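
The mail-server rule described in the post above (one system sending mail with the same subject, same body and similar attachments), sketched as an added example that is not part of the original thread or any vendor's product. The window, threshold, size bucket, field names and sample messages are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

WINDOW_SECONDS = 300  # assumed look-back window for a burst
THRESHOLD = 5         # assumed: this many look-alike mails from one host triggers quarantine
SIZE_BUCKET = 1024    # assumed: attachments in the same 1 KiB bucket count as "similar size"

def fingerprint(msg):
    """Reduce a message to the traits the post lists: subject, body, attachment name/size."""
    subject = " ".join(msg["subject"].lower().split())
    body_hash = hashlib.sha256(msg["body"].strip().encode()).hexdigest()
    atts = tuple(sorted((a["name"].lower(), a["size"] // SIZE_BUCKET)
                        for a in msg["attachments"]))
    return (subject, body_hash, atts)

def find_outbreaks(messages):
    """Return {(source host, fingerprint): [message ids to quarantine]}."""
    groups = defaultdict(list)
    for m in sorted(messages, key=lambda m: m["ts"]):
        groups[(m["src"], fingerprint(m))].append(m)
    flagged = {}
    for key, msgs in groups.items():
        start = 0
        for end in range(len(msgs)):
            # Slide the window so it never spans more than WINDOW_SECONDS.
            while msgs[end]["ts"] - msgs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= THRESHOLD:
                # Hold everything from the start of the burst onward.
                flagged[key] = [m["id"] for m in msgs[start:]]
                break
    return flagged

def sample_messages():
    """Constructed traffic: one host bursting look-alike mail, one host sending slowly."""
    att = [{"name": "invoice.pif", "size": 23552}]
    burst = [{"id": f"b{i}", "src": "ws-17", "ts": 1000 + 10 * i,
              "subject": "Re:  Your document", "body": "", "attachments": att}
             for i in range(6)]
    slow = [{"id": f"s{i}", "src": "ws-09", "ts": 1000 + 3600 * i,
             "subject": "Weekly report", "body": "See attached.", "attachments": []}
            for i in range(6)]
    return burst + slow

if __name__ == "__main__":
    for (src, _), ids in find_outbreaks(sample_messages()).items():
        print(f"quarantine {len(ids)} messages from {src}; notify mail admin: {ids}")
```

Exact-match fingerprints are the narrow case; a host that varies the subject or attachment name per message needs fuzzier grouping than this sketch provides.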



posted on Jun, 13 2005 @ 09:36 AM
I know that some av software looks for other stats than just the virus in the database. But usually it is through suspicious activity or certain file type association. Recently, more and more viruses are being released in something other than a pif file. To the average person, an .exe file is just something that starts a program. Not only are these companies having to beef up security to deal with these new threats, but they are having to deal with employees' knowledge (or lack of) of OS structure.



posted on Jun, 13 2005 @ 11:19 AM
Ok, I got a no vote due to bias in the story.
Could whoever cast this vote please explain what is biased about it?



posted on Jun, 13 2005 @ 11:30 AM

Originally posted by KidFinger
So it seems a better policing system needs to be put in place.


Seems like this is the default answer to many of our problems.......more cops, more security, and ultimately a camera in our own home to ensure that there isn't so much as a doily sitting where it doesn't belong.

Sorry, but I can't accept that. And I believe that if a personal business has a problem with how its information is stored, then that's how the problem should be addressed.......maybe some programming code that would make it less likely to transfer files of a sensitive nature.


just read wecomeinpeace's post.......lol......what he said.......
[edit on 13-6-2005 by MemoryShock]




posted on Jun, 13 2005 @ 11:34 AM

Sorry, but I can't accept that. And I believe that if a personal business has a problem with how its information is stored, then that's how the problem should be addressed.......maybe some programming code that would make it less likely to transfer files of a sensitive nature.


I agree. As I said before, IMO the best option for them is to buy thumbdrives with embedded security software. It would be possible for IT to make only those PSDs with the embedded software to be recognized by the network.



posted on Jun, 13 2005 @ 12:05 PM
Imho, it's utterly stupid to ban USB sticks and such when you can just disable the USB buses on the PCs themselves ... why ban something when you're the one enabling the use of it, when it's easier to disable the use of it than to enforce a ban.

Well designed corporate network PCs have just the few features enabled that are required to access the corporate data and worktools. The rest is all disabled.



posted on Jun, 13 2005 @ 02:12 PM
Why is the focus on USB drives...when anybody can use the good old-fashioned floppy disk drive, zip drive or CD-R....?

Sounds like a USB drive conspiracy to me!



posted on Jun, 13 2005 @ 02:27 PM
Instead, businesses should worry more about making sure they have the latest and greatest anti-virus software and decent IT guys, etc. If they did this, it wouldn't be an issue, even if an infection came from an employee's computer.

It's the employer's responsibility to determine the risk, and what steps to take to decide whether having employees work at home (often greatly reducing cost, even if salaried) is worth the risk. It's up to the employer to protect his network. Those that don't are screwing themselves.

I've given COUNTLESS hours of free work to companies because I enjoyed and believed in the company, and/or was able to take work home, etc. Without such drives, I'd be hard-pressed to do that. But, e-mailing the files has the same risk, actually, even more, now doesn't it???



posted on Jun, 14 2005 @ 12:31 PM
I use these all the time, as a tool in IS. But I'm currently working on a system that a "management" user has caused to fail three times now. We can check system logs for when errors actually begin, and application logs under Windows 2000 show when a USB drive is installed.

Each time, the system works well for a week or more, then is given to the user. Within two days, an entry for a USB drive. And then errors commence. The user installs all sorts of "trail eraser" and file deletion programs and registry cleaners, so we aren't sure what's going on, but the user doesn't know enough to check everywhere.

And because he's in the untouchable holy land of Management, nothing will be done.

Like many user problems, it's "a management problem, not a technology problem". Find out what users are using them, and if it is a problem and has no bearing on the ability for users to do their job, make a policy and enforce it equally, with penalties as harsh as needed. Otherwise, play safe and spend thousands of man hours repairing problems, and bad hype when yet another customer database walks out and there's more identity theft.



posted on Jun, 14 2005 @ 12:43 PM
Those concerns already exist. Most computers now have CD, if not DVD, writing capabilities, which can hold a lot more than a thumbdrive. Also, most viruses aren't huge, and a simple 3 1/4" floppy would work well as a transport device. If security isn't up to the level to protect against these two threats, thumbdrives simply allow people to do it more conveniently and quickly.

Most companies have security measures to protect against this kind of informational espionage. However, if someone gets past the security, there are still documents that person had to sign to get the job which make them legally liable for any information they steal from the company. Banning all thumbdrives sounds like a reactionary response by some upper management dude upon discovering things which are already possible were also possible with thumbdrives, and that fellah started a movement. The threat's no larger than it had been.



posted on Jun, 14 2005 @ 12:56 PM

Originally posted by wecomeinpeace
The computers at my office are all configured such that you can't use USB disks. Emailing files out is possible but you will be caught because emails go through the company server and are monitored by the IT department. Use of personal email is banned and the company logs and monitors employees' Internet usage, so again, they will know. Yep, my company has very tight cyber-sphincter.


Most companies aren't configured like this because the IT people themselves use USB disks to fix problems or access drivers immediately or whatever. For instance, if a newbie computer user makes such a total mess out of their settings that it would be easier to give them a new account, an IT guy would come to their computer, plug in the drive, copy the skeleton account over, then copy over their email files and voila - problem solved.

Personally, I downloaded a large volume of things I had collected on my work computer (joke email video type stuff) onto my iPod and brought it home. No sweat.

Zip



posted on Jun, 14 2005 @ 01:11 PM

Originally posted by junglejake
Those concerns already exist. Most computers now have CD, if not DVD, writing capabilities, which can hold a lot more than a thumbdrive. Also, most viruses aren't huge, and a simple 3 1/4" floppy would work well as a transport device. If security isn't up to the level to protect against these two threats, thumbdrives simply allow people to do it more conveniently and quickly.

Most companies have security measures to protect against this kind of informational espionage.


A 60 gigabyte iPod (which is comparable to a thumbdrive in "plug and play" terms) can hold more than several DVDs worth of data. I have never had a corporate computer with a CD or DVD burner in my life. iPods use the FAT32 file system and are quite well suited to the purpose of information theft - remember, they are primarily music devices and are permitted in most business workplaces.

Sure, people sign confidentiality agreements and whatnot to protect proprietary databases, but the thing is, we're talking about THEFT here. It's a crime, no doubt.

The onus is on company management to do the following things:

1) Hire trustworthy people.

2) State the penalties for data theft clearly. (Termination, prosecution, etc.)

3) Scare people. Don't just monitor their activity, but make it KNOWN that you are monitoring their activity. Report to them the FIRST time something shows up in a log that shows they were doing something unauthorized, so they know you are serious.

The reason that things like this occur on a wide scale is because companies don't spend enough time monitoring users. The IT department ALWAYS has something better to do. Companies should employ, not just "security experts," in their IT departments, but at least one full-time employee monitor that does nothing but spot check suspicious users.

That is probably the best kind of deterrent available.

Zip


