Securing Against USB Thumb Drives

A small survey of 370 IT professionals by IT security software and services firm Centennial Software confirms that those little USB-connected drives can be one of a CSO's biggest headaches.

Today, they come with tons of memory. Units with 128Mb are routinely given as tradeshow freebies, and the largest thumb drives, a.k.a. flash drives, are now available with 16 gigabytes of memory and cost just $170. At a size that's similar to a human thumb, they're incredibly portable and easily hidden. Larger storage commonly comes in the form of iPods, where the newest offering is a whopping 80Gb drive in a package small enough to be stashed in a front shirt pocket. Instant access via USB ports and the USB 2.0 data transfer rate of 480Mbps mean documents can go flying onto personal devices faster than you can say "security breach". And as data goes out, malware and viruses can just as quickly come into the company network.

And that's the problem that Centennial Software's study touches upon. The vendor surveyed a number of IT managers at the 2007 Infosec event in London, and as you might have expected, those portable devices were a top security concern they shared.

Some 38 percent of those surveyed listed the portable drives as their No. 1 security concern, a number up from 26 percent last year. That's driving IT policies, with 62 percent now describing use of the flash drives in their acceptable use policies (an increase from 54 percent last year). Not surprisingly, 80 percent of companies surveyed don't have a way to stop unauthorized use of the devices.

Also from the survey: Some 8.6 percent of respondents have totally banned the drives, but 43.2 percent have no controls in place, and another 27.4 percent simply rely on managers' discretion.

Part of the challenge is the ubiquitous nature of these drives. They're not solely used for corporate espionage; in fact, they're more likely to be used to bring in files from clients or even to share MP3 files among coworkers. The survey even noted that roughly two-thirds of IT managers use USB flash drives on a daily basis -- further underscoring these devices' central role in today's corporate environment.

Of course, a number of solutions exist to control how these devices operate in a corporate environment, from blocking tools like Centennial's own DeviceWall solution, SecureWave's anti-USB tool or SmartLine's DeviceLock, to manually disabling USB ports (which may not always be a practical solution). Some managers have even taken to putting glue into the USB ports (a physical solution to an IT security threat), and others have called for an unpopular ban on the iPod from the corporate environment (Good luck with that one, folks!). The future, perhaps, is functionality built into operating systems that allows computer administrators to set up permissions and block USB ports easily. But for now, the solution seems to be either a tube of glue, selecting a third-party vendor, or just letting your USB ports run free.