A SearchMidmarketSecurity.com reader asks our resident security expert Tom Chmielarski, "What Windows protection is available to control USB devices? We want to prevent unauthorized transfer of information to and from portable media."
This is a tricky topic -- USB storage media is practically unavoidable but also a huge risk. With the low cost of storage, it's trivial for someone to walk away with a terabyte of information. You can try to disable USB in Windows, but you're likely to disrupt a lot of legitimate use and cause your users to seek alternatives.
There are a plethora of products in the market that will help you control USB devices. These products will disable your USB ports, selectively enable them, and/or log what files are transferred to and from USB storage media. Many of these products are part of larger suites that will provide information or selective monitoring on email, instant messaging and Web use, if desired. Your legal department should approve the use of any such software, and verify that your logon banners indicate your corporate right to collect this data. Also, be aware that laws pertaining to monitoring any of this data may vary from state to state and country to country. The European Union has very strict privacy laws, and you'll want to ensure you don't violate them if you operate in the EU or employ any EU nationals.
I'll mention a few products that can assist with this type of problem; this is not a comprehensive list, and my listing of them is only to show some of the options and not to recommend these specific products.
We'll start with a user monitoring product from Raytheon Corp. (formerly Oakley Networks) called SureView; this product is installed on workstations and will monitor many facets of user activity, including what files are transferred to a USB device.
SpectorPro from SpecterSoft Corp. is another product similar to SureView; it collects information on user activity, including USB device use.
Moving from a security product pure-play to an all-around IT product, we have configuration management vendors like BigFix Inc. BigFix products attempt to manage software, inventory systems, and both report on and control which USB devices can be used. Several other configuration management vendors include varying levels of control or reporting. Rounding out the list, we have your standard desktop security vendors like Symantec Corp. and McAfee Inc.; both of these vendors offer products to control USB devices. Device control is part of Symantec Endpoint Protection, a platform for antivirus, firewall and HIDS.
Lastly, it's important to note that with the prevalence of laptops across the enterprise, it's often easy -- and normal -- to take a laptop containing sensitive data outside of the company's physical offices. This means the data on the hard drive can be easily copied in bulk, bypassing the operating system completely unless full disk encryption is used; this is a substantial risk if the computer is lost or stolen. Alternatively, malicious insiders can bring their laptop home and copy all the files they want over a network share. A malicious individual has many options to steal your data, and it makes little sense to spend a lot of money and effort to fix one method when others exist.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
Send Tom your security questions.
Join us on LinkedIn.
This was first published in May 2010