Security professionals use a wide variety of tools to protect a company's digital assets and proprietary information. Intrusion detection systems, network monitoring tools, CCTV and access control systems, employee background checks: these measures cost businesses thousands of dollars each year. And although they are necessary, they are simply not enough. Proprietary information and trade secrets are still being stolen and disseminated by employees on a daily basis.
The biggest threat to a company's data is its own employees. In the August 2003 issue of ST&D I wrote an article entitled, "Theft of Trade Secrets: Can You Stop It?" in which I stated that the theft of trade secrets is an epidemic infecting the business community. I received quite a few comments from people who thought I was overstating the problem.
But I did not come up with this idea for the sake of an article. It stems from my experiences in computer forensics, where the majority of cases I work involve employees who take information from their employers to use as a bargaining chip to gain employment with a competitor or to start a competing business. Employees steal information they are allowed to access as part of their daily job responsibilities, often by copying it to portable data storage devices. This simple step bypasses all the security mechanisms put in place by their employers.
The Beginning of Portable Storage
What are portable data storage devices? Perhaps the best known is the venerable floppy disk, which many believe will be relegated to museum shelves in the not-too-distant future. The floppy disk enables people to move 1.44MB of data from one place to another. That's not a lot of storage space, but it can easily accommodate word processing and spreadsheet files.
Additional well-known portable data storage devices include Zip® disks, CDs and DVDs. These can store large amounts of information, but they can be cumbersome and require special drives in order to copy and record data. They are also somewhat indiscreet; that is, people notice if during your last week of employment you do nothing but burn CDs.
It's much easier to use a USB flash drive.
Enter the USB
Also known as jump drives, thumb drives, keychain drives or simply USB drives, USB flash drives are portable data storage devices that use flash memory and have a small form factor. All new computers now come with at least one USB (universal serial bus) port, and the devices are plug and play with newer operating systems.
This means a user can connect one of these drives to a corporate computer and immediately drag and drop data onto the device. It appears to the operating system as another hard drive. No additional software or hardware is necessary. The devices have no moving parts and require no technical expertise to use.
USB drives are about the size of a tube of lipstick or a lighter, so they're incredibly easy to transport. More important, they can store an incredible amount of information. A USB flash drive was recently announced that can store 8GB of data. This device can store more data than 5,500 floppy disks! Granted, the price of a USB drive of this size is too high for most people (you can buy a laptop computer for less than the cost of one of these devices), but one that is half the size, 4GB, can be purchased for less than $150. That's a reasonable price to pay if it will get you information that can be worth thousands of dollars. Smaller USB drives have become so inexpensive that many companies are now giving them away as gifts at trade shows.
How Prevalent Are They?
According to the USB Flash Drive Alliance, somewhere between 67 million and 120 million USB drives will be shipped during 2005. Many schools now require students to have them in order to transport projects between home and school. In a public hearing in Dallas, TX, in January, Chuck Beach, director of corporate litigation for Exxon Mobil, stated that his company will eventually have 100,000 of the devices in use firm-wide.
So I am astounded when I realize there are business professionals who still do not know these devices exist. In two separate cases I explained to attorneys that their clients' former employees had apparently copied large amounts of proprietary data to USB drives. The response: "What's a USB drive?" How much data are companies losing through USB drives unawares?
As if this is not frightening enough, USB drives now come in an array of form factors that make them even easier to carry and harder to detect. In 2003, Edge Tech Corp released the DiskGO! watch, a USB watch that keeps accurate time and is water resistant. It comes in 128MB and 256MB versions. The same company sells a USB pen. Last year, Victorinox, the manufacturer of the Swiss Army Knife, released the Swissmemory knife, a Swiss Army Knife that includes a USB drive.
So-called "lifestyle computing" devices (PDAs, cell phones, MP3 players, and digital cameras) aren't USB drives, but they can store a wide array of data. Most employees bring PDAs or cell phones to work unnoticed. And how are they connected to PCs for synchronization? Through the USB port! These are just another category of USB devices that threaten the security of corporate information.
It's not just the form factor that makes some devices invisible. Because USB drives can store such a large amount of information, people are now storing applications on them so that they can be used on any computer. The P.I. Protector Mobility Suite, a software product by imagine LAN Inc., provides a USB drive (or other portable device) with an e-mail application, an Internet browser and file synchronization capabilities between a computer and the device. This means the user can send and receive e-mail to anyone and visit any type of Web site without leaving a trace of his activities on the host computer. Does this concern anyone?
If you don't feel nervous yet, visit http://loosewire.typepad.com, where you can find a comprehensive directory of applications written for USB drives.
Bottom line, the USB port of a computer is the portal through which trade secrets are sucked out of a company.
Cut Them Off
How can an organization prevent data from leaving via USB? The crudest way is to fill all of the USB ports with plastic resin; once the resin dries, the ports are unusable. Or you could disable the USB ports in the computer's BIOS. However, both of these options also prevent the use of harmless USB devices such as mice, keyboards and coffee mug warmers. Alternatively, you can modify the registry in Windows XP, Service Pack 2, to make USB data storage devices "read only," which leaves USB mice and keyboards working. But modifying the registry of a computer is not for the faint of heart: a misstep during the process can make the computer unusable. If you are brave, the full steps can be found at www.msfn.org/board/index.php?showtopic=36396. Several other technical solutions can be found in the excellent article by Roberta Bragg, "8 Ways to Protect USB Usage," at http://tinyurl.com/7hxrt.
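The following script is an added example, not part of the article or of the msfn.org post it links to. It audits and, on request, applies the Windows "read-only removable storage" registry setting (the StorageDevicePolicies key with a WriteProtect DWORD, honoured by Windows XP SP2 and later); the -Apply switch name and the function names are this example's own choices.

```powershell
# Added example (not the article's own code): audit and harden the
# Windows "read-only USB storage" registry setting.
# Key and value are the ones Windows XP SP2 and later honour:
#   HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
#   WriteProtect (REG_DWORD): 1 = removable storage mounts read-only,
#                             0 or absent = removable storage is writable (weak state)
# Run from an elevated PowerShell session. -Apply is an assumed switch name.
param([switch]$Apply)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # Returns $true only when the key exists and WriteProtect is exactly 1.
    $item = Get-ItemProperty -Path $KeyPath -Name WriteProtect -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.WriteProtect -eq 1)
}

function Set-UsbWriteProtect {
    # Creates the key if it is missing and writes WriteProtect=1 (hardened state).
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name WriteProtect -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Get-UsbWriteProtect) {
    Write-Output 'Hardened: WriteProtect=1, removable drives mount read-only.'
} elseif ($Apply) {
    Set-UsbWriteProtect
    Write-Output 'WriteProtect set to 1; newly connected removable drives will be read-only.'
} else {
    Write-Output 'Weak state: WriteProtect is absent or 0, so files can be copied to removable drives.'
    Write-Output 'Re-run with -Apply to harden this machine.'
}
```

The setting only blocks writes to removable drives (reading them, and USB mice and keyboards, still work), and a user with local administrator rights can reverse it, so it complements rather than replaces the policy and access controls discussed below.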
Other Portable Troublemakers
USB is not the only standard that provides the ability to connect portable data storage devices to PCs. FireWire is Apple Computer's version of the IEEE 1394 standard. It provides the ability to connect up to 63 devices to a system. Although FireWire capabilities don't come standard with every new computer, it is easy to add these capabilities to a system.
The main issue with FireWire is that once enabled, it allows users to connect external hard drives to their systems. External hard drives that are portable, have large capacities and are connected to computers on a corporate network amount to an incredible threat. When I say large capacity, I mean drives that can store as much as 250GB of data. It is now possible for employees in some companies to siphon off all the data on a network file server.
I recently visited a company with 250 employees. Each employee had full access to all the data on the file server. The total volume of data was only 212GB! It would fit on one external hard drive. Granted, the time it would take to copy 212GB of data would be significant; but it could be done after hours, or simply a little bit at a time.
How to Keep Your Data In House
The threat of portable data storage devices needs to be addressed at the enterprise level. Organizations can consider these options to defend against the threat.
- Policies and Procedures. Organizations need to evaluate their needs and create policies that address what devices should and should not be connected to corporate systems. To be effective, these policies must be enforced.
- File Rights Management. Organizations should provide access to only those files an employee needs to perform his or her job function. For example, a data entry clerk does not need access to marketing materials, design plans or merger and acquisition information. Keep in mind that if everyone in your organization has free access to all electronic data, it is very difficult to convince a judge and jury that you actually have trade secrets.
- Digital Rights Management. Digital rights management takes file rights management one step further. While file rights management determines who has access to data, digital rights management controls what can be done with data by those authorized to access it. The Information Rights Management capabilities built into Microsoft Office 2003 are an excellent illustration of this concept. Other products that provide the same functionality include
- Access Control Software. Access control software programs can control access to floppy drives, CD and DVD drives, and USB and FireWire devices. Some examples include
  - DeviceWall from Centennial Software. Be sure to download their excellent white paper, "The Threat of Lifestyle Computing in the Enterprise."
  - Sanctuary Device Control from SecureWave
  - GFI LANGuard Portable Storage Control 2 from GFI Software
  - DeviceLock from SmartLine Inc.
The threat of portable data storage devices is real and significant. It is time for businesses to defend against this threat, before their proprietary information ends up in the hands of a competitor.
John Mallery is a managing consultant for BKD, LLP, one of the 10 largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. He can be reached at firstname.lastname@example.org.