Front Lines is a guest viewpoint section offering perspectives on current issues and events from people working on the front lines of Canada's technology industry. Larry Hamid is chief technology officer at MXI Security, a provider of secure portable devices for the Global 5000 and government. He can be reached at lhamid@mxisecurity.com.
Tremendous advances have been made recently in the world of portable storage. Gigabytes of information can be easily moved around on a USB device that is small enough to clip onto a key chain. Portable USB flash drives and micro-drives can copy data at lightning speed and are part of a larger class of devices known as USB Mass Storage. Surprisingly, many MP3 players and digital cameras also fall under this class, which is why you see a drive letter appear in Windows Explorer when you connect an iPod to a PC.
Unfortunately, advances in USB portable storage have also created increased security threats to corporations:
- USB is a medium that can carry computer viruses and is yet another entry point for malicious software.
- USB devices can carry portable software, which presents a problem in environments where desktop applications are tightly controlled and where there are concerns about the nature of personal applications run by employees.
- The sheer volume of proprietary information that could leave a company undetected through USB devices is an enormous exposure for corporations.
A U.S. security expert recently created a program for an iPod to illustrate these threats. Known as "pod slurping," it silently searches for files likely to contain business data and copies them to the device when the iPod is plugged in. It's an effective demonstration, but theft of intellectual property is a real problem. The U.S. Department of Justice estimated the cost of IP theft to enterprises in 2004 at $250-billion (U.S.).
Understandably, some organizations have disabled USB ports completely, either via the BIOS or by physically filling the USB connectors with a thick epoxy adhesive. While this removes the security threats, it also blocks beneficial uses of USB devices. Corporations should seek alternative solutions, because there is a new breed of security-focused USB mass storage devices known as "Portable Security Devices" that will change the security landscape for the enterprise.
Standard USB Security Measures
Most virus scanners will cover removable media when appropriately configured, so that the entry of viruses through USB can be controlled.
There are products that can monitor and control the use of USB ports, enabling organizations to determine which types of devices to allow and which to reject. For example, an administrator could allow one model of USB flash drive from a particular manufacturer and reject all others.
Besides the control of USB, monitoring the file activity of what is copied to and from a USB drive is equally important for corporations that must adhere to regulatory compliance initiatives such as Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley. Many USB monitoring solutions contain such auditing features.
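The device-control decision described above can be sketched in a few lines. This is an added example, not code from any product mentioned in the article: it allows one approved flash drive model, rejects every other device that exposes the USB Mass Storage class (including a music player that also presents an audio interface), and records each decision. All vendor and product IDs, device labels and function names are constructed for illustration.

```python
from dataclasses import dataclass

USB_CLASS_MASS_STORAGE = 0x08  # bInterfaceClass code for USB Mass Storage
USB_CLASS_AUDIO = 0x01
USB_CLASS_HID = 0x03


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int            # idVendor from the device descriptor
    product_id: int           # idProduct from the device descriptor
    interface_classes: tuple  # bInterfaceClass of every interface exposed
    label: str


# Hypothetical policy: the one approved flash drive model (constructed IDs).
APPROVED_STORAGE = frozenset({(0x1234, 0x0001)})

# Constructed sample devices; none of these IDs refer to real products.
SAMPLE_DEVICES = [
    UsbDevice(0x1234, 0x0001, (USB_CLASS_MASS_STORAGE,), "approved flash drive"),
    UsbDevice(0x1234, 0x0002, (USB_CLASS_MASS_STORAGE,), "same vendor, other model"),
    UsbDevice(0xABCD, 0x0010, (USB_CLASS_AUDIO, USB_CLASS_MASS_STORAGE), "music player"),
    UsbDevice(0xABCD, 0x0020, (USB_CLASS_HID,), "keyboard"),
]


def is_mass_storage(dev):
    # Check every interface: a composite device may expose storage next to others.
    return USB_CLASS_MASS_STORAGE in dev.interface_classes


def decide(dev, approved=APPROVED_STORAGE):
    """Return 'allow' or 'reject' for one connected device."""
    if not is_mass_storage(dev):
        return "allow"  # this policy only governs storage-capable devices
    if (dev.vendor_id, dev.product_id) in approved:
        return "allow"
    return "reject"


def audit_log(devices, approved=APPROVED_STORAGE):
    """Return one audit line per device so every decision is recorded."""
    return [
        f"{decide(d, approved).upper()} {d.vendor_id:04x}:{d.product_id:04x} {d.label}"
        for d in devices
    ]


if __name__ == "__main__":
    print("\n".join(audit_log(SAMPLE_DEVICES)))
```

Vendor and product IDs are reported by the device itself, so an allowlist of this kind identifies a model rather than proving the identity of a specific unit.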
A New Breed of Corporate USB Security
Portable Security Devices evolved from two origins: flash drives and security tokens. Flash drive vendors started adding security enhancements, such as biometric authentication and encrypted storage, to their products in an attempt to differentiate themselves in a competitive and price-sensitive market. On the other side, security token vendors have recognized the need for more speed, portability and capacity than what is available on a conventional smart card or token. The end result is a type of device that has the security of a smart card with the power and portability of a flash drive. These devices will likely have a significant impact on the security industry.
