The long view of security strategies for your network.
The articles about proliferating USB data storage devices in a variety of shapes prompted a fair amount of e-mail, including a pointer from one reader who gave me the URL for a sampler of, ah, sushi-shaped USB disks. It is not entirely clear why anyone would want a sushi-shaped USB disk, but at least it is unlikely to be a serious threat to security.
The next time you see someone plugging a 128M-byte Uzura Natto or Futomaki into one of your computers, you will know they are up to no good: http://www.dynamism.com/sushidisk/index.shtml
Now on to more serious matters.
There are three distinct approaches I’ve seen to protecting data against unauthorized copying to USB devices (or to any other storage device):
* Prevent the unauthorized devices from functioning at all.
* Prevent data from being copied to unauthorized devices.
* Encrypt all data so that unauthorized users can’t use the copied data.
The pointers below don’t claim to be exhaustive, and inclusion should not be interpreted as endorsement. I haven’t tried any of these products and I have no relationship with the vendors whatsoever.
* For corporate networks using Microsoft’s Active Directory, a company called FullArmor makes a product called IntelliPolicy; it was recently profiled in Network World by John Fontana. The article specifically quotes a system administrator who said, “We like the ability to lock out devices like USB ports on our sensitive machines. It prevents users from downloading information and disappearing with it.”
http://www.nwfusion.com/news/2004/1117armor.html
* Another tool that blocks access to USB devices is SecureWave Sanctuary Device Control. By default, the system sets up restrictive access control lists (ACLs) blocking everyone from using all devices. Administrators then define changes in the ACLs to permit specific users or groups of users to access the devices and device types they justifiably need. The tool includes provisions for encrypting data moved to portable devices and a stand-alone decryption tool that can allow access to such data on a non-protected computer:
http://www.securewave.com/sanctuary_DC.jsp
* Reflex Disknet Pro software not only provides all kinds of device and port controls but also includes software for automatic encryption of all data transferred to any removable devices. Here too, the encrypted data can be recovered offsite using a special reader tool.
http://www.reflex-magnetics.com/products/disknetpro/
* Liquid Machines Enterprise Rights Management software encrypts corporate data and manages decryption keys on a specialized server. Authorized users simply run their office applications as usual while decryption and encryption go on below their level of awareness. Unauthorized users simply cannot decrypt protected information.
http://www.liquidmachines.com/
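To make the default-deny device ACL model in the Sanctuary entry concrete, here is a small added illustration of my own (not code from the column or from any of the vendors named): rules grant a user or a group a level of access to a device class, an explicit deny always wins, and a device with no matching rule stays blocked. The users, groups, device classes and plug-in events are all constructed.

```python
from dataclasses import dataclass, field
# Added illustration, not code from the column or any vendor: a toy model of
# the default-deny device ACL scheme described above. Names are constructed.
RANK = {"none": 0, "read": 1, "readwrite": 2}

@dataclass(frozen=True)
class Rule:
    principal: str      # "user:<name>" or "group:<name>"
    device_class: str   # e.g. "usb_storage", "cdrom"
    access: str         # "none" = explicit deny, else "read"/"readwrite"

@dataclass
class DevicePolicy:
    rules: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)  # group -> set of user names

    def principals(self, user):
        yield f"user:{user}"
        for name, members in self.groups.items():
            if user in members:
                yield f"group:{name}"

    def decide(self, user, device_class):
        # Explicit deny wins; otherwise the most permissive matching grant;
        # with no matching rule at all the device stays blocked (default deny).
        granted = "none"
        for p in self.principals(user):
            for r in self.rules:
                if r.principal != p or r.device_class != device_class:
                    continue
                if r.access == "none":
                    return "none"
                if RANK[r.access] > RANK[granted]:
                    granted = r.access
        return granted

def audit(policy, events):
    # events: (user, device_class, requested access) -> "allow" / "block"
    return [(e, "allow" if RANK[policy.decide(e[0], e[1])] >= RANK[e[2]]
             else "block") for e in events]

POLICY = DevicePolicy(
    rules=[Rule("group:finance", "usb_storage", "read"),
           Rule("user:alice", "usb_storage", "readwrite"),
           Rule("user:mallory", "usb_storage", "none")],
    groups={"finance": {"alice", "bob", "mallory"}})

EVENTS = [("alice", "usb_storage", "readwrite"), ("bob", "usb_storage", "readwrite"),
          ("bob", "usb_storage", "read"), ("mallory", "usb_storage", "read"),
          ("carol", "cdrom", "read")]  # constructed plug-in events
```

Running `audit(POLICY, EVENTS)` shows bob's group membership buys read-only access, mallory's explicit deny overrides her group grant, and carol, with no rule at all, is blocked by default.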
On a slightly different note, it is not at all clear how any of these products can cope with the rather nasty characteristics of the KeyGhost USB Keylogger, which, as far as I can see from reading the Web pages, may be completely invisible to the operating system: http://www.keyghost.com/USB-Keylogger.htm
This device can be stuck on to the end of the cable of any USB keyboard and will cheerfully record days of typing into its 128M-byte memory. Such keyloggers can provide a wealth of confidential data to an attacker, including user IDs and passwords as well as (no doubt tediously error-bespattered) text of original correspondence.
Hmm, time to check those keyboard cables, eh? And watch out for those high-capacity sushi.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.