Portable Data Storage Devices: Security Nightmare

Employees have the technology to rip off trade secrets right under your nose.


So I am astounded when I realize there are business professionals who still do not know these devices exist. In two separate cases I explained to attorneys that their clients' former employees had apparently copied large amounts of proprietary data to USB drives. The response: "What's a USB drive?" How much data are companies losing through USB drives unawares?

Stealth Drives
As if this is not frightening enough, USB drives now come in an array of form factors that make them even easier to carry and harder to detect. In 2003, Edge Tech Corp released the DiskGO! watch, a USB watch that keeps accurate time and is water resistant. It comes in 128MB and 256MB versions. The same company sells a USB pen. Last year, Victorinox, the manufacturer of the Swiss Army Knife, released the Swissmemory knife, a Swiss Army Knife that includes a USB drive.

So-called "lifestyle computing" devices (PDAs, cell phones, MP3 players, and digital cameras) aren't USB drives, but they can store a wide array of data. Most employees bring PDAs or cell phones to work unnoticed. And how are they connected to PCs for synchronization? Through the USB port! These are just another category of USB devices that threaten the security of corporate information.

It's not just the form factor that makes some devices invisible. Because USB drives can store such a large amount of information, people are now storing applications on them so that they can be used on any computer. The P.I. Protector Mobility Suite, a software product by imagine LAN Inc., provides a USB drive (or other portable device) with an e-mail application, an Internet browser and file synchronization capabilities between a computer and the device. This means the user can send and receive e-mail to anyone and visit any type of Web site without leaving a trace of his activities on the host computer. Does this concern anyone?

If you don't feel nervous yet, visit http://loosewire.typepad.com, where you can find a comprehensive directory of applications written for USB drives.

Bottom line, the USB port of a computer is the portal through which trade secrets are sucked out of a company.

Cut Them Off
How can an organization prevent data from leaving via USB? The easiest way is to fill all of the USB ports with plastic resin. When the resin dries, the ports will be unusable. Or you could disable the USB ports in the computer's BIOS. However, both these options will prevent the use of non-dangerous USB devices such as mice, keyboards and coffee mug warmers. Alternatively, you can modify the registry in Windows XP, Service Pack 2, to make USB data storage devices "read only." But modifying the registry of a computer is not for the faint of heart. A misstep during the process can make the computer unusable. If you are brave, the full steps can be found at www.msfn.org/board/index.php?showtopic=36396. Several other technical solutions can be found in the excellent article by Roberta Bragg, "8 Ways to Protect USB Usage," at http://tinyurl.com/7hxrt.
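One way to script the "read only" registry setting described above, as an added example that is not from the original article or the guides it links to. It assumes the StorageDevicePolicies\WriteProtect value that Windows XP Service Pack 2 introduced and an elevated PowerShell session; the function names are hypothetical.

```powershell
# Added example: audit and enforce the removable-storage write-protect policy.
# Assumption: the policy is the WriteProtect DWORD under StorageDevicePolicies.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'

function Get-UsbWriteProtect {
    # The key is absent by default; a missing key or value means "writable".
    if (-not (Test-Path $PolicyKey)) { return $false }
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Set-UsbWriteProtect {
    # Supports -WhatIf so the change can be previewed before touching the registry.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([bool]$Enabled = $true)

    $target = [int]$Enabled   # 1 = read-only, 0 = writable
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $ValueName=$target")) {
        # Create only this one key; nothing else in the hive is modified.
        if (-not (Test-Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $target -Type DWord
    }
    # Report the effective state after the (possibly simulated) change.
    return (Get-UsbWriteProtect)
}

# Audit first, then preview the change. Remove -WhatIf to apply it.
"USB storage write-protected: {0}" -f (Get-UsbWriteProtect)
Set-UsbWriteProtect -Enabled $true -WhatIf | Out-Null
```

Reboot or reattach the storage device after changing the value. Any user with local administrator rights can reverse the setting, so re-run the audit function periodically.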

Other Portable Troublemakers
USB is not the only standard that provides the ability to connect portable data storage devices to PCs. FireWire is Apple Computer's version of the IEEE 1394 standard. It provides the ability to connect up to 63 devices to a system. Although FireWire capabilities don't come standard with every new computer, it is easy to add these capabilities to a system.

The main issue with FireWire is that once enabled, it allows users to connect external hard drives to their systems. External hard drives that are portable, have large capacities and are connected to computers on a corporate network amount to an incredible threat. When I say large capacity, I mean drives that can store as much as 250GB of data. It is now possible for employees in some companies to siphon off all the data on a network file server.

I recently visited a company with 250 employees. Each employee had full access to all the data on the file server. The total volume of data was only 212GB! It would fit on one external hard drive. Granted, the time it would take to copy 212GB of data would be significant; but it could be done after hours, or simply a little bit at a time.

How to Keep Your Data In House
The threat of portable data storage devices needs to be addressed at the enterprise level. Organizations can consider these options to defend against the threat.