Security professionals use a wide variety of tools to protect a company's digital assets and proprietary information. Intrusion detection systems, network monitoring tools, CCTV and access control systems, employee background checks-these steps cost businesses thousands of dollars each year. And although they are necessary, they are simply not enough. Proprietary information and trade secrets are still being stolen and disseminated by employees on a daily basis.
The biggest threat to a company's data is its own employees. In the August 2003 issue of ST&D I wrote an article entitled, "Theft of Trade Secrets: Can You Stop It?" in which I stated that the theft of trade secrets is an epidemic infecting the business community. I received quite a few comments from people who thought I was overstating the problem.
But I did not come up with this idea for the sake of an article. It stems from my experiences in computer forensics, where the majority of cases I work involve employees who take information from their employers to use as a bargaining chip to gain employment with a competitor or to start a competing business. Employees steal information they are allowed to access as part of their daily job responsibilities, often by copying it to portable data storage devices. This simple step bypasses all the security mechanisms put in place by their employers.
The Beginning of Portable Storage
What are portable data storage devices? Perhaps the best known is the venerable floppy disk, which many believe will be relegated to museum shelves in the not-too-distant future. The floppy disk enables people to move 1.44MB of data from one place to another. That's not a lot of storage space, but it can easily accommodate word processing and spreadsheet files.
Additional well-known portable data storage devices include Zip® disks, CDs and DVDs. These can store large amounts of information, but they can be cumbersome and require special drives in order to copy and record data. They are also somewhat indiscreet; that is, people notice if during your last week of employment you do nothing but burn CDs.
It's much easier to use a USB flash drive.
Enter the USB
Also known as jump drives, thumb drives, keychain drives or simply USB drives, USB flash drives are portable data storage devices that use flash memory and have a small form factor. All new computers now come with at least one USB (universal serial bus) port, and the devices are plug and play with newer operating systems.
This means a user can connect one of these drives to a corporate computer and immediately drag and drop data onto the device. It appears to the operating system as another hard drive. No additional software or hardware is necessary. The devices have no moving parts and require no technical expertise to use.
USB drives are about the size of a tube of lipstick or a lighter, so they're incredibly easy to transport. More important, they can store an incredible amount of information. A USB flash drive was recently announced that can store 8GB of data. This device can store more data than 5,500 floppy disks! Granted, the price of a USB drive of this size is too high for most people-you can buy a laptop computer for less than the cost of one of these devices-but one that is half the size, 4GB, can be purchased for less than $150. That's a reasonable price to pay if it will get you information that can be worth thousands of dollars. Smaller USB drives have become so inexpensive that many companies are now giving them away as gifts at trade shows.
How Prevalent Are They?
According to the USB Flash Drive Alliance, somewhere between 67 million and 120 million USB drives will be shipped during 2005. Many schools now require students to have them in order to transport projects between home and school. In a public hearing in Dallas, TX, in January, Chuck Beach, director of corporate litigation for Exxon Mobile, stated that his company will eventually have 100,000 of the devices in use firm-wide.