ISACA Now Blog


Turn Off The USB Port

Matt Kipp, CISA, MBA, Director of Risk, The Mako Group
Posted at 3:05 PM by ISACA News | Category: Risk Management

Loss of massive amounts of critical data in one sweep. The network can be hacked through a mouse. Easy introduction of malware into the environment. A mechanism for a bad actor to remotely control your environment.

Are these items that could have an adverse effect on your organization?

Cyber security has become an important focus for companies in today’s environment. Large sums of money are spent each day to ensure that a company’s most vulnerable assets are secure. Companies are buying pieces of software/hardware, hiring new employees or procuring the assistance of consultants to accomplish this. The main theme of securing company environments is to protect valuable information from getting into the wrong hands.

Throughout my career, I have performed multiple audits, risk assessments and reviews of IT landscapes. An easy first step to keeping your company safe, and one that I often suggest to my clients, is to turn off the ability to connect mass storage devices via USB drives. This will prevent employees and other violators from removing large amounts of data from the company. In addition to sensitive information intentionally being transferred outside of the company, USB drives are small and are often misplaced or lost, and can easily end up in the wrong hands.

Conversations around this topic usually resemble the following:

Turning it off
There are many items I bring to attention during customer engagements that require large-scale process changes, budget increases, time commitments or the addition of FTEs to accomplish. Turning off the ability to connect a mass storage device via a USB drive is not one of them. Most companies have some sort of shared drive to store files. Instead of saving files to a USB stick or USB mass storage drive, how about using the solution already in place and encouraging employees to share the file path internally? By using the shared drive, data can be secured via roles and log files can track activity.

Turning off the ability to connect a mass storage device does not hinder the ability to use the USB port for charging or for a wireless mouse. Configurations can be set to allow those activities while still disallowing data from being written to a mass storage device.

When USB is a must
I have heard the rebuttal of “We have applications that require a USB drive.” This is sometimes a true statement, but not common. A solution to this is to implement a process to address exceptions. This process should be similar to obtaining access to an application, requiring approvals from the manager and application owner. Once access is approved, the user would receive an encrypted, passphrase-protected USB stick, which also makes it possible to continuously monitor its usage. Instead of 100% of employees having the ability to use mass storage devices on the company’s network, the threat landscape is reduced significantly.
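The two configurations described above, the default "Turning it off" state for all staff and the approved exception that allows only an encrypted stick, can both be expressed as endpoint settings. The following is an added example written for this page, not code from the original post or from The Mako Group. It assumes a Windows 10/11 endpoint and an elevated PowerShell session; the registry values correspond to the Group Policy settings named in the comments, so in a real estate the same values would be pushed through a GPO or MDM rather than written locally. The function and parameter names are my own.

```powershell
# Added example (not from the original post). Assumes Windows 10/11, elevated session.
# USBSTOR is the USB mass-storage class driver service; HID devices (mice, keyboards)
# use separate drivers and charging needs no driver at all, so they are unaffected.
$UsbStorKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Removable Disks class GUID used by the "Removable Storage Access" policies
# (Group Policy: "Removable Disks: Deny read access" / "Deny write access").
$RemovablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
# BitLocker policy key ("Deny write access to removable drives not protected by BitLocker").
$BitLockerPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-UsbMassStoragePolicy {
    [CmdletBinding(SupportsShouldProcess)]   # supports -WhatIf for a dry run
    param(
        # 'Block'         = the default for all staff: no mass storage at all.
        # 'EncryptedOnly' = the approved exception: writes only to BitLocker To Go volumes.
        [ValidateSet('Block', 'EncryptedOnly')]
        [string]$Mode = 'Block'
    )

    foreach ($key in $RemovablePolicy, $BitLockerPolicy) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    if ($Mode -eq 'Block') {
        # Start=4 keeps the mass-storage driver from loading for newly attached devices.
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
        # Also deny read/write through policy, so media reached via other storage stacks is covered.
        Set-ItemProperty -Path $RemovablePolicy -Name Deny_Read  -Value 1 -Type DWord
        Set-ItemProperty -Path $RemovablePolicy -Name Deny_Write -Value 1 -Type DWord
        Set-ItemProperty -Path $BitLockerPolicy -Name RDVDenyWriteAccess -Value 0 -Type DWord
    }
    else {
        # Exception users: driver back to manual start (3), reads allowed,
        # but writes succeed only on BitLocker-protected removable drives.
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
        Set-ItemProperty -Path $RemovablePolicy -Name Deny_Read  -Value 0 -Type DWord
        Set-ItemProperty -Path $RemovablePolicy -Name Deny_Write -Value 0 -Type DWord
        Set-ItemProperty -Path $BitLockerPolicy -Name RDVDenyWriteAccess -Value 1 -Type DWord
    }
}

function Get-UsbMassStorageState {
    # Reads back what is actually set, as evidence for an audit or risk assessment.
    $read = {
        param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    [pscustomobject]@{
        UsbStorStart       = & $read $UsbStorKey      'Start'              # 4 = disabled, 3 = manual
        RemovableDenyRead  = & $read $RemovablePolicy 'Deny_Read'
        RemovableDenyWrite = & $read $RemovablePolicy 'Deny_Write'
        BitLockerWriteOnly = & $read $BitLockerPolicy 'RDVDenyWriteAccess'
        # Count of present HID devices: should be unchanged before and after, proving mice still work.
        HidDevicesPresent  = @(Get-PnpDevice -Class HIDClass -PresentOnly -ErrorAction SilentlyContinue).Count
    }
}

# Usage: preview, apply the default block, then record the resulting state.
Set-UsbMassStoragePolicy -Mode Block -WhatIf
Set-UsbMassStoragePolicy -Mode Block
Get-UsbMassStorageState
```

The driver setting takes effect for devices attached after the change, so a device already mounted should be removed (or the machine rebooted) before the state is recorded as evidence. Running `Get-UsbMassStorageState` before and after the change, and keeping both outputs, gives the manager and application owner in the exception process a clear record of which mode each machine is in.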

When you allow the use of a USB mass storage device, you are allowing the potential for a virus to be introduced into your environment. Employees often use these devices on their home computers, which do not have the same protection as the company’s computers. To reduce these risks, configure your anti-virus software to require a scan of devices plugged into the USB port before they are usable. However, we recommend not allowing mass storage devices at all.

Managing the change with employees
When implementing this change, employees may be upset. Having been part of an organization that has successfully implemented this change, I can say from experience that the shock will subside quickly. Most people don’t like change, but if the reasons are explained and they know they can still charge their phones and use their favorite USB mouse, they may move on quickly.

I have also heard people say, “When we tell people this is coming, employees will connect a USB drive and take the data with them preemptively.” To that statement, consider the following:

  • Create a policy stating why employees should not perform this function and the ramifications if they are caught.
  • Companies need to start implementing this policy at some point, so why not now? At the very least, this will stop people from taking such actions in the future.

Push-back on this issue also can come from executives. If management is not able to get this quick win for all employees, try different areas of the company where highly sensitive information is stored, such as:

  • HR data
  • Merger and acquisition data
  • Intellectual property
  • Customer data

The list goes on, and what is important to one company will differ from the next.

It is also argued that one could email sensitive files to a personal email account. However, that is limited to a smaller amount of data at a time versus the scale a mass storage device allows. Programs to monitor for this type of activity should be in place as well.

Mass storage devices have become inexpensive and store more data than ever before. As I write this post, a quick search on Amazon shows an external hard drive with 5 TB of space for $119! That could store quite a bit of data, causing great damage.

So, what are you waiting for? Turn off the ability to connect mass storage devices via USB drives because everybody wins.

Comments

Excellent article.

Thanks for posting. SO TRUE!!
Jerry Webb at 9/29/2017 7:55 AM

Re: Turn Off The USB Port

In most organizations, it's mostly the Sales and Marketing employees that need to move data to share with third parties.
Organizations that need to exchange large amounts of data can adopt a file sharing technology, which can be either a public cloud or a private cloud. These solutions can be encouraged, as they allow data to be shared to smartphones and tablets as well, which will be a motivation to employees.

Finally, as you rightly said, there is no means to secure USB mass storage, so you had better block that right away.
DIPEN487 at 10/2/2017 12:27 AM

Turn Off The USB Port

It's time for BYOD to arise.
Muhamad948 at 10/2/2017 8:35 AM

the usb is not the issue

It's not the USB that is the issue. Even malware can get onto the cloud.
Yong-Hoe689 at 10/7/2017 9:00 PM

The USB port problems

The USB port can also be used for more serious hacks.
One example is the BadUSB attack: turn your device with its OTG USB cable into a network interface when plugged into a target computer. Connecting the USB cable to a PC will force all traffic from that PC (Windows or Linux) through the attacker device, where the traffic can be MitM’d.
Another example is the HID attack: turn your device and its OTG USB cable into a pre-programmed keyboard, able to type any given commands or executable scripts. This attack generally works very well.
Mladen Prekrat at 10/17/2017 3:21 PM