3

Using USB drives in the corporate environment is always the topic of security because viruses and malware can be introduced maliciously or unintentionally. For corporate environment, I am thinking to implement and enforce something like file sharing, similar to Google Drive or OneDrive, but is only used in the corporate environment for internal staff. E.g. implement a SharePoint file sharing facility and corporate security policy would state that they are not allowed to use USB drives in corporate issued laptops/desktops. At the same time we will turn off USB ports for all corporate issued devices. This should be a good way to thwart virus/malware introduced through USB drives.

However, this idea might not be wise if my senior management are giving presentations overseas and need thumbdrives to pass slides around, for e.g.

Have you had this type of environment? I would like to seek comments.

Pang Ser Lark
  • 1,929
  • 2
  • 16
  • 26
  • 2
    How were you thinking of connecting keyboards? – schroeder Oct 29 '15 at 02:29
  • @schroeder Some computers still have PS/2 ports, I think. – KnightOfNi Oct 29 '15 at 02:37
  • @schroeder, oops never think of that. Our keyboards are USB based. sigh – Pang Ser Lark Oct 29 '15 at 02:41
  • Maybe you should try disconnecting only the ports you don't need and gluing the things you do need connected in. That way it's very difficult to get a flash drive plugged in, but you still have the convenience of USB devices you need. – KnightOfNi Oct 29 '15 at 02:42
  • @KnightOfNi. thanks. In a way, that could have maintenance overhead. But it's a possible solution as well. – Pang Ser Lark Oct 29 '15 at 02:50
  • 1
    It's funny, at the other end of the spectrum you have people pursuing high-security with the exact opposite philosophy: sneaker nets with air gaps (ie. no network info sharing) with data traveling between machines on portable drives, disc media, and, of course, USB sticks. – mostlyinformed Oct 29 '15 at 21:39

4 Answers4

2

Theres a couple glitches in that system. While you could effectively get rid of USB malware, you're restricting yourself to the components inside of the machine. High security firms and military installations use usb to connect to CAC cards in order to lock their credentials outside of the machine.

If your company has solutions for all of their security concerns and has no sense of using hardware based authentication then I dont see a problem in it though.

codykochmann
  • 277
  • 1
  • 6
2

There's countless examples of where people need legitimate use of USB drives to conduct everyday business. Simply banning thumbdrives for all employees because of security will undoubtedly cost your business in lost productivity.

Security departments often make these kinds of sweeping decisions without doing any cost/benefit analysis. How often do machines get infected with malware from thumbdrives? USB drives are certainly a vector for infection, but how much?

You're also introducing another vector for infection. Google drive, or One Drive. What makes you think this is any less prone to spreading malware than USB drives? USB sticks can only infect one machine at any given time. A shared Google drive can infect anyone with access to it.

Steve Sether
  • 21,480
  • 8
  • 50
  • 76
  • Its just that with USB, the stick could get infected when passed around, when staff use it at home, then bring to workplace etc..With a shared location, its not that easy to get infected unless I have purposely put an infected file in that shared drive. – Pang Ser Lark Oct 29 '15 at 23:55
  • @PangSerLark Why can't malware infect Google Drive? – Steve Sether Oct 30 '15 at 13:28
  • Google drive scans files for viruses first,,,https://support.google.com/a/answer/172541?hl=en – Pang Ser Lark Oct 31 '15 at 03:54
  • 1
    @PangSerLark I've no doubt it does. So does anti-virus software. Why do you trust Google, and not anti-virus software on your PC? – Steve Sether Nov 01 '15 at 04:15
1

My suggestion is to lock driver installation to admins and or enforce device whitelisting. Transferring confidential and sensitive data outside the company needs to be to a server requiring authentication and encryption and should have a second form of authentication for new access attempts (different machine). This can be implemented using encrypted email providers that can hook in to your spam filter to allow automatic triggering of encryption depending on contents and many times can be completely transparent for companies that use the same platform.

1

Many people in security incorrectly arrive at the "block USB policy" in the enterprise. Security is about enabling the business to do their job while eliminating risk. Security teams often fail to realize that they work for the business... not against it. Nothing will stop the business from accomplishing what they need to do. So, for example, block USB drive... well the business needs to move the data so they will email those files through outside email services, or use some other means. While the block accomplished the short term goal of hey this is risky, it was just replaced by riskier behavior. This is a never ending battle when you take these approaches.... and you will not win. If you do, then you are likely impacting the bottom line of your companies at scales that you probably couldn't imagine.

Malware is also the least of your worries with USB, loss of the USB is the bigger risk and again blocking is not the correct approach. Use of transparent encryption would be better which would allow the USB fobs, but secure the data. Outside of this taking away fobs is minor, people can upload to phones, cameras, email data, use drop box, print, heck I can stick a second SATA drive in my PC copy data and pull the drive and most enterprises would not be alerted.

If you think about any request, assess the risk and then figure out how to address the risk while still allowing the function to go on. The knee jerk reaction is to cut it off, but that's the security world of the 90's. That mentality doesn't fly as well in 2015.

J Kula
  • 74
  • 2
  • In general, I agree with this answer. In specifics, is email riskier than thumb drives. I would have guessed the opposite, but I don't really know. – emory Oct 29 '15 at 21:10
  • @emory... how many times a day to you use a USB thumbdrive, vs how many emails a day do you send/receive? – J Kula Oct 30 '15 at 18:15
  • in a typical day the answer to both question is 0. I am not sure how that metric is relevant. – emory Nov 04 '15 at 17:10