Loss of massive amounts of critical data in one sweep. The network can be hacked through a mouse. Easy introduction of malware into the environment. Mechanism for a bad actor to remotely control your environment.
Are these items that could have an adverse effect on your organization?
Cyber security has become an important focus for companies in today’s environment. Large sums of money are spent each day to ensure that a company’s most vulnerable assets are secure. Companies are buying pieces of software/hardware, hiring new employees or procuring the assistance of consultants to accomplish this. The main theme of securing company environments is to protect valuable information from getting into the wrong hands.
Throughout my career, I have performed multiple audits, risk assessments and reviews of IT landscapes. An easy first step to keeping your company safe, and one that I often suggest to my clients, is to turn off the ability to connect mass storage devices via USB drives. This will prevent employees and other violators from removing large amounts of data from the company. In addition to sensitive information intentionally being transferred outside of the company, USB drives are small and are often misplaced or lost, and can easily end up in the wrong hands.
Conversations around this topic usually resemble the following:
Turning it off
There are many items I bring to attention during customer engagements that require large-scale process changes, budget increases, time commitments or the addition of FTEs to accomplish. Turning off the ability to connect a mass storage device via a USB drive is not one of them. Most companies have some sort of shared drive to store files. Instead of saving files to a USB stick or USB mass storage drive, how about using the solution already in place and encouraging employees to share the file path internally? By using the shared drive, data can be secured via roles and log files can track activity.
Turning off the ability to connect a mass storage device does not prevent using the USB port to charge a phone or to connect a wireless mouse. Configurations can be set to allow those activities while still blocking data from being written to a mass storage device.
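As an added example (not from the original post), here is one way to apply that configuration on a Windows endpoint: the two registry values below are the ones Windows' own "Removable Storage Access" policy and the USB storage class driver use, and they leave HID devices such as a mouse, and plain charging, untouched. It assumes an elevated PowerShell session; in a domain you would push the same values through Group Policy rather than run this per machine.

```powershell
# Added example: block USB mass storage while keeping HID devices (mouse, keyboard)
# and phone charging working. Assumes an elevated PowerShell session.

# Policy key read by the "All Removable Storage classes: Deny all access" setting.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Service key for the USB storage class driver (USBSTOR).
$usbstor   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Disable-UsbMassStorage {
    # 1. Deny_All = 1 denies read/write/execute on every removable-storage class
    #    (removable disks, CD/DVD, WPD devices such as phones in MTP mode).
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name 'Deny_All' -Value 1 -Type DWord

    # 2. Belt and braces: set the USBSTOR driver to Disabled (Start = 4) so a
    #    newly plugged-in stick never receives a drive letter in the first place.
    Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord
}

function Test-UsbMassStorageDisabled {
    # Returns $true only when both controls are in place; handy for audit scripts.
    $deny  = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start = (Get-ItemProperty -Path $usbstor -Name 'Start').Start
    return ($deny -eq 1 -and $start -eq 4)
}

Disable-UsbMassStorage
Test-UsbMassStorageDisabled

# Sanity check that input devices are unaffected: HID devices should still show as OK.
Get-PnpDevice -Class HIDClass -Status OK | Select-Object FriendlyName
```

A stick that is already mounted keeps its drive letter until it is unplugged; the policy applies to devices connected from then on.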
When USB is a must
I have heard the rebuttal of “We have applications that require a USB drive.” This is sometimes a true statement, but not common. A solution to this is to implement a process to address exceptions. This process should be similar to obtaining access to an application, requiring approvals from the manager and application owner. Once access is approved, the user would receive an encrypted USB stick that is passphrase-protected, providing the ability to continuously monitor the usage. Instead of 100% of employees having the ability to use mass storage devices on the company’s network, only the approved users do, and the threat landscape is reduced significantly.
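To make the exception process auditable, the list of approved sticks can be checked against what has actually been plugged in. The added example below (mine, not the post's) reads the USBSTOR enumeration key that Windows keeps for every USB storage device it has ever installed, and reports any device whose instance ID is not on the approved list; the approved IDs shown are constructed placeholders.

```powershell
# Added example: report USB storage devices seen on this machine that are not on
# the approved-exception list. Assumes an elevated session (the Enum key is
# readable by administrators). Serial strings below are constructed placeholders.

function Get-UnapprovedUsbStorageHistory {
    param(
        # Instance IDs of the issued encrypted sticks, as recorded when they were handed out.
        [string[]]$ApprovedInstanceIds
    )
    $enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $enumKey)) { return @() }   # no storage device ever installed

    $seen = foreach ($model in Get-ChildItem -Path $enumKey) {
        # Each model key holds one subkey per physical device, named by its instance ID
        # (the device serial number when the firmware reports one).
        foreach ($instance in Get-ChildItem -Path $model.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            [pscustomobject]@{
                Model        = $model.PSChildName
                InstanceId   = $instance.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
    # Anything not on the approved list is a policy exception worth following up.
    $seen | Where-Object { $ApprovedInstanceIds -notcontains $_.InstanceId }
}

# Constructed placeholder IDs for two issued, encrypted sticks.
$approved = @('EXAMPLE-SERIAL-0001&0', 'EXAMPLE-SERIAL-0002&0')
Get-UnapprovedUsbStorageHistory -ApprovedInstanceIds $approved |
    Format-Table Model, InstanceId, FriendlyName -AutoSize
```

Run it as part of a periodic audit, or centrally via your endpoint management tool, so unapproved devices surface even on machines where the block in the previous section has not yet been applied.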
When you allow the use of a USB mass storage device, you are allowing the potential for a virus to be introduced into your environment. Employees often use these devices on their home computers, which do not have the same protection as the company’s computers. To reduce these risks, configure your anti-virus software to require a scan of any device plugged into the USB port before it is usable. However, we recommend not allowing mass storage devices at all.
Managing the change with employees
When implementing this change, employees may be upset. Having been part of an organization that has successfully implemented this change, I can say from experience that the shock will subside quickly. Most people don’t like change, but if the reasons are explained and they know they can still charge their phones and use their favorite USB mouse, they may move on quickly.
I have also heard people say, “When we tell people this is coming, employees will connect a USB drive and take the data with them preemptively.” To that statement, consider the following:
- Create a policy stating why employees should not perform this function and the ramifications if they are caught.
- Companies need to start implementing this policy at some point, so why not now? At the very least it stops this kind of action in the future.
Push-back on this issue also can come from executives. If management is not able to get this quick win for all employees, try different areas of the company where highly sensitive information is stored, such as:
- HR data
- Merger and acquisition data
- Intellectual property
- Customer data
The list goes on, and what is important to one company will differ from the next.
It is also argued that one could email sensitive files to a personal email account. However, that is limited to a smaller amount of data at a time versus the scale a mass storage device allows. Programs to monitor for this type of activity should be in place as well.
Mass storage devices have become inexpensive and store more data than ever before. As I write this post, a quick search on Amazon shows an external hard drive with 5 TB of space for $119! That could store quite a bit of data, causing great damage.
So, what are you waiting for? Turn off the ability to connect mass storage devices via USB drives because everybody wins.