Unless you’ve been sleeping under a rock for the past month or so, you must have heard about the National Security Agency (NSA) contractor who allegedly leaked data from the NSA regarding surveillance programs being conducted by the agency. Edward Snowden may be considered by some to be a hero and by others to be a traitor, but what we can be sure of is that he was an authorized administrator who had access to confidential information, and he breached that trust. What you may have missed is how he did it.
According to the Los Angeles Times, citing anonymous sources familiar with the official investigation, Snowden used a USB drive to remove the data from the NSA. Apparently he simply made a copy of files to which he had access, and then just walked them out the door. While the NSA, like so many corporations today, has a policy against using USB drives, authorized administrators can use them when necessary. We all know that there are many tools available for download that work from USB. Admins might use a thumb drive to apply firmware updates or to install new drivers, and there are hundreds of other valid reasons for an admin to use such a flash drive. Apparently the NSA needs a little more than just a written policy. But they are far from alone in this.
According to a study by the Ponemon Institute published about two years ago that surveyed over 700 IT pros, 70% of businesses that lost sensitive or confidential data could attribute that loss in at least some fashion to the use of USB flash drives. While more than half were attributed to malware introduced onto systems from flash drives, 45% of the incidents came from lost, stolen, or misappropriated devices. In the same study, about half of the respondents indicated that their company had a policy regarding USB flash drives, but less than half of those that do have a policy have technical means to enforce it.
USB flash drives have also been implicated in security incidents at two US power plants last year. ICS-CERT reported that in two separate incidents, a USB flash drive containing malware was connected to a computer within a power plant, and the malware then spread to other systems. In the more extreme case, the plant restart was delayed by almost three weeks as a result of the malware infection.
Earlier this year, a USB flash drive containing NPI for some 6000 citizens in Utah was lost. While Social Security numbers were not included in the lost data, the State still needs to undertake measures to protect the affected individuals. This loss of data by a third-party contractor comes on the heels of a previous breach that led to the resignation of the State’s CIO, and appears to portend serious legal issues for the contractor as the State plans to pursue “whatever financial or contractual remedies are available in order to ensure GHS [Gold Health Systems] is held accountable for this serious mistake.”
These anecdotes all have a common theme – USB flash drives are dangerous. While they are great tools in the right hands and used for the right purposes, the risks they present to critical systems and sensitive data cannot be ignored. A government’s secrets were made public. Critical infrastructure systems were compromised. Individuals’ personal information has been stolen. The risks outweigh the benefits of these devices, and permitting their unrestricted use is just too dangerous. Loss of data, serious downtime, legal actions, and loss of jobs are all common themes. Written policies are required, but do not go far enough to protect companies from the threats.
What companies need is endpoint security. There are a number of technical measures that endpoint security solutions can employ to protect businesses from the risks presented by USB flash drives, while still enabling their legitimate use. No one wants to completely ban them from any and all uses, considering how beneficial they can be. Endpoint security allows you to use USB drives, just in a safe and secure manner. Endpoint security solutions first and foremost can enforce encryption for all portable devices. That way, if a flash drive is ever lost or stolen, the data stored on the device is safe from prying eyes.
There’s far more to endpoint security than just encryption though. Endpoint security can log and audit all uses of portable media, and enforce data-loss prevention (DLP) measures that can scan data for things like Social Security numbers or credit card numbers to ensure that sensitive data is not moved to portable media, or that it can only be moved to secure media by authorized personnel. That way, just because a user can access the data on the network, they cannot transport that data away unless specifically allowed to do so. And if they are authorized, you have an audit log that tells you exactly what files were copied to the portable media.
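The content check and audit trail described above can be sketched as follows. This is an added example, not code from any endpoint security product; the policy rule (sensitive content may be copied only to encrypted media by an authorized user), the user names and the sample file contents are constructed assumptions.

```python
import hashlib, json, re
from datetime import datetime, timezone

# Constructed sample file contents (test values, not real personal data).
CUSTOMER_CSV = b"name,ssn,card\nJ. Doe,123-45-6789,4111 1111 1111 1111\n"
RELEASE_NOTES = b"Driver 2.4.1 fixes ticket 4111 1111 1111 1112\n"

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan(text):
    """Count SSN-shaped strings and Luhn-valid card numbers in text."""
    cards = [m for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    return {"ssn": len(SSN_RE.findall(text)), "card": len(cards)}

def decide_copy(user, path, data, device_encrypted, authorized):
    """Return an audit record for one attempted copy to portable media."""
    hits = scan(data.decode("utf-8", errors="replace"))
    sensitive = any(hits.values())
    # Sensitive content may leave only on encrypted media, by an authorized user.
    allowed = not sensitive or (device_encrypted and user in authorized)
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "file": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "hits": hits, "device_encrypted": device_encrypted,
        "action": "allow" if allowed else "block",
    }

if __name__ == "__main__":
    authorized = {"alice"}  # hypothetical authorized personnel
    for user, path, data, enc in [
        ("alice", "customers.csv", CUSTOMER_CSV, True),
        ("bob", "customers.csv", CUSTOMER_CSV, True),
        ("alice", "customers.csv", CUSTOMER_CSV, False),
        ("bob", "release-notes.txt", RELEASE_NOTES, False),
    ]:
        print(json.dumps(decide_copy(user, path, data, enc, authorized)))
```

Every attempt produces a record, whether allowed or blocked, and the SHA-256 of the file ties the log entry to the exact content that was copied.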
Endpoint security can also provide real-time status monitoring of all the systems on your network, automatically extending protection to new machines that join your domain.
Now that you are aware of, and no doubt very interested in, endpoint security, make sure you look at products that are compatible with all your operating systems, including Windows 8 and Server 2012, and that can apply policy based on your existing Active Directory so that you can leverage and protect your existing investments.
USB flash drives are extremely useful, valuable tools when used properly. Endpoint security solutions can help to make sure that your written policies around the safe and secure use of these devices are enforced technically to keep your data safe, and your company off the front-page news. Endpoint security is the right way to secure your company against the threats USB flash drives present, while still enabling you to use them.