
In my organization, a group policy exists that prevents users from writing data to a USB stick. This always seemed like a bit of a pointless PITA to me, just "one of those things...". I forget about it as often as not since I can download data from my thumb drive when I need to (I only remember it again when I try to take a file home).

Recently, my responsibilities were expanded to include participation in state & federal audits, and I've noticed that some form of the following bullet point is usually a highly promoted feature when asserting compliance:

  • Users cannot download sensitive data to a USB drive.

Is this actually an improvement to security on its own?

There are still a significant number of ways to extract data from the company domain (I've certainly used more than a few work-arounds simply for convenience.)

At first I thought it could maybe be argued that it prevents low-skilled, high-frequency attacks. But with the proliferation of personal fileshare tools (that may or may not need to be unblocked by company policy - e.g. a user has both a personal & corporate GitHub account) does this sort of policy still provide additional security? Or is it just a placebo for minimally literate auditors?

Peter Vandivier
  • This is an opinion-based question, not suited to this forum. There are too many factors to consider before someone can declare whether it provides additional security. Whether your organisation operates in an industry that requires additional precautions is also a consideration. – Little Code Jun 09 '16 at 17:22
  • note that if you send stolen data from work to an online service, they are much more likely to have an audit trail since you can't format a server like you can a desktop. – dandavis Jun 09 '16 at 18:46
  • @dandavis I considered that, but then you've still *lost the data* to the attacker. Nice to know *who* stole it, but if you're doing that much work, then the data was probably valuable enough that you would have preferred it not be stolen in the first place. – Peter Vandivier Jun 09 '16 at 18:49
  • Of course they prefer it not to be stolen, but a lot of places have video recording overnight in addition to burglar alarms, for the same reason. It's far more difficult to stop web exfiltration than to monitor it. But there could be many motivations; I suggest you ask the folks who made the policy... – dandavis Jun 09 '16 at 18:54
  • Trololo - I have... several times (every time I ask for an exemption, in fact...) and the given reason is "Because reasons." We do have a number of surveillance and security measures regarding physical access; but it seems to me the USB lockdown itself doesn't add anything in terms of security - beyond, of course, reducing the likelihood of *accidental* loss as noted in [LSerni](http://security.stackexchange.com/users/11144/lserni)'s [answer below](http://security.stackexchange.com/a/126598/113967). Hence why I accepted the answer. – Peter Vandivier Jun 09 '16 at 18:59
  • As our [help/on-topic] states, "Security is a very contextual topic: threats that are deemed important in your environment may be inconsequential in somebody else's, and vice versa. [...] To get the most helpful answers you should tell us: what assets you are trying to protect who uses the asset you're trying to protect, and who you think might want to abuse it (and why) what steps you've already taken to protect that asset what risks you think you still need to mitigate" I encourage you to edit the question to provide additional context along these lines. – D.W. Jun 10 '16 at 01:58
  • @PeterVandivier "_but then you've still lost the data to the attacker. Nice to know who stole it_" On the other hand, if an individual knows that the company can find out who stole the data, it _may_ make them think twice before doing so: part of the point of an audit-trail is to scare people from appearing on them! – TripeHound Jun 10 '16 at 09:26
  • Note that even read-only access to a USB device is not sufficient to prevent data leakage. You could plug in a device with a logging filesystem, then make (a sequence of) requests for non-existent folders whose name happens to be a base64-encoded string of the data you wish to exfiltrate... – jl6 Jun 10 '16 at 21:29
  • Our GPO enforced bit locker on any attached usb drive. It works well to allow us freedom to move the drive about and also keeps the drive encrypted in the event it is lost. – Mike McMahon Jun 11 '16 at 03:37

5 Answers


One of the main reasons behind the prohibition of writing data to USB drives (I had this explained to me once) is not to prevent employees from stealing sensitive information. If they wanted to do that, they would have no end of workarounds, up to printing QR codes on A4 sheets.

Rather, it is to prevent employees from saving sensitive information on USB drives in good faith, only to have those USB drives lost or stolen.

Often in such cases you'll find that it's OK to save data on specific encrypted thumb drives that can't be decrypted in case of theft or loss: e.g. biometric-lock drives(*) or encrypted file systems that will be "seen" as physical fixed hard drives instead of removable hard drives, thereby circumventing a "cannot write to removable drives" security policy.

Windows 7+ has explicit settings that enable treating BitLocked devices (possibly with corporate keys) differently from plain USB devices.

(In my case, that was Windows XP Pro SP3 some time ago. I had a USB key with a TrueCrypt volume on it, and I was allowed to take some work home on it. I was under orders not to copy the files anywhere else and not to use the USB drive for any other purpose. This kind of precaution is clearly directed against accidental leaks, not intentional ones.)

For the same reasons, some popular file sharing sites, or sites and apps that could allow file sharing, might be blocked by company firewalls. Again, not so much to stop espionage, but to prevent people from growing too careless (at least in the powers-that-be's opinion) with corporate information.

(*) Note

Biometric lock thumb drives and (especially) hard disks aren't necessarily secure - or even encrypted, or encrypted correctly. If the memory can be physically separated from the locking part (easy for most HDD enclosures, conceivable for many USB thumb drives) someone can try to read it directly, maybe just to "reclaim" the memory itself. After all, in case of failure the finder will have just lost some time. Once he or she has the hands on the readable memory, simple curiosity might be enough to take a peek and maybe even try and decrypt it before reformatting and repurposing. With luck, the device is vulnerable and just googling its make and model will allow someone to recover the necessary tools and/or knowledge.

LSerni
  • My favourite work-around is to send it to the sound card... audio-coupled modem to phone FTW! I'd point out it also stops infections the other way, from USB devices, which should be just as valid a concern; generally I recommend no USB at all (or Thunderbolt and FireWire, which are way worse). – ewanm89 Jun 09 '16 at 22:33
  • Biometric-lock drives aren't encrypted though, are they? Can't someone with the right tools bypass the controller and read the flash memory directly? – user541686 Jun 10 '16 at 05:19
  • Good point @Mehrdad. They often *are*, but not necessarily, and even then there might be issues about encryption implementation. Amending answer. – LSerni Jun 10 '16 at 07:37
  • @ewanm89 who needs a modem? Surely a smartphone's audio in could do it - even with a cable from the lineout port so your colleagues can't hear (or >20kHz air-gapped). Even if the smartphone only records and the demod part is done offsite. – Chris H Jun 10 '16 at 09:43
  • @ChrisH that still is a modem. You are modulating the signal on a sound wave and demodulating it at the other end. – ewanm89 Jun 10 '16 at 09:51
  • @ewanm89, true, my question was the wrong way round - I probably should have said "who needs a phone?". I'll blame the length of time since I last used a POTS modem. – Chris H Jun 10 '16 at 10:22
  • Depending on the physical security, it can make it harder for visitors to steal data. You can insert a usb and drag and drop a file folder faster than I can type this comment. You could do it while someone turns his back for a moment to take a cell call. If this situation is a concern, disallowing USB writing is not a cure-all but is worth doing. – Hugh Meyers Jun 10 '16 at 10:41
  • Also, there are AutoPlay attacks whereby just plugging in the key will start a hidden dumping app. – LSerni Jun 10 '16 at 15:08
  • I think this answer is spot-on, it's about accidentially losing the thumb drive, nothing else. As long as you can just start the iSCSI initiator, any concerns about employees stealing data is ridiculous. I've more than once restored data from my private backup because CIO was too fucking stupid trying to "fix" a mail alias issue, first deleting complete mailboxes (with two years worth of SD data) from the server and then deleting the local cache, too. They never get the migration to a new laptop right either, so better have your vital data on a drive they can't touch. – Damon Jun 10 '16 at 23:17

In addition to what LSerni has said, memory sticks these days can hold huge amounts of data.

Shifting 64GB of sensitive data to a cloud provider could take a long time, and may well trigger firewall rules set to look for excessive uploads. In any case, the uploads will be logged.

Downloading 64GB to a USB3 memory stick will be a lot quicker, and won't go near any company firewall. When the memory stick is full, it can just be slipped into a pocket. The company won't even know what's been done until the data is used against them or their customers.

Simon B
  • I mean even a 128MB flash drive would have the same problem right? It's not like they discriminate based on the size. – user541686 Jun 10 '16 at 05:21
  • @Mehrdad the device drivers are universal, and don't expose the size, so to discriminate on size would mean modifying or somehow hacking the driver. Thus: block all USB mass storage. – Chris H Jun 10 '16 at 09:34
  • @Mehrdad Yes, even a 128M memory stick would still be enough to steal several documents. – Simon B Jun 10 '16 at 10:27
  • @Mehrdad The point here is that stealing data through network uploads is a lot more limited in the amount of data that can be stolen before raising suspicion compared to a USB drive. So by blocking USB drives you're effectively limiting the maximum amount of data that can be stolen in one go to the maximum upload size permitted by the firewall. – Micheal Johnson Jun 10 '16 at 10:42
  • @Mehrdad: Discriminating based on size would very rapidly get complicated, since your attacker/well-meaning idiot could show up with a pocketful of 128MB flash drives and a copy of `split`. Network monitoring tools can build up a picture over time, which would be a lot more effort to reproduce than just disabling the whole thing with a policy setting. – Steve Jessop Jun 10 '16 at 13:01
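The answer above relies on uploads being logged and on rules that notice "excessive" upload volume, and the comments point out the obvious counter (a pocketful of small drives and `split`, or the network equivalent: many small uploads). The following is an added example, not code from the answer or from any product, of the kind of check a proxy-log review would run. The log field layout (date, time, user, destination host, method, client-to-server bytes, whitespace separated) is an assumption made for this example, and the log lines are constructed; map the regex onto your proxy's W3C/ELFF fields and tune the thresholds, which are illustrative only.

```powershell
# Added example, not from the original answer. Summarises upload volume per user per day from
# proxy-log lines and flags two patterns: a large total (plain bulk upload) and an unusually large
# number of upload requests (the "split into small chunks" workaround mentioned in the comments).
# Field layout below is an assumption for this example; the sample lines are constructed.

# Constructed sample: jdoe pushes 4 x 50 MB to one cloud host, asmith pushes 25 x 3 MB chunks to a
# personal site, bjones does two ordinary 10 MB uploads.
$sampleLog = @(
    '2016-06-09 09:01:11 jdoe drive.cloud.example PUT 52428800'
    '2016-06-09 09:04:37 jdoe drive.cloud.example PUT 52428800'
    '2016-06-09 09:08:02 jdoe drive.cloud.example PUT 52428800'
    '2016-06-09 09:12:45 jdoe drive.cloud.example PUT 52428800'
    '2016-06-09 11:15:00 bjones intranet.corp.example POST 10485760'
    '2016-06-09 16:40:12 bjones drive.cloud.example PUT 10485760'
) + (1..25 | ForEach-Object { '2016-06-09 10:{0:D2}:00 asmith files.personal.example POST 3145728' -f $_ })

function Get-UploadSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [long]$DailyByteThreshold  = 100MB,   # total client-to-server bytes per user per day
        [int] $DailyCountThreshold = 20       # upload requests per user per day
    )
    # Only PUT/POST carry an upload body; GET/HEAD lines are skipped by the regex.
    $regex = '^(?<date>\S+)\s+(?<time>\S+)\s+(?<user>\S+)\s+(?<host>\S+)\s+(?<method>PUT|POST)\s+(?<bytes>\d+)\s*$'
    $buckets = @{}
    foreach ($line in $Lines) {
        if (-not ($line -match $regex)) { continue }
        $key = '{0}|{1}' -f $Matches.user, $Matches.date
        if (-not $buckets.ContainsKey($key)) {
            $buckets[$key] = [pscustomobject]@{
                User = $Matches.user; Date = $Matches.date
                Bytes = [long]0; Requests = 0
                Hosts = [System.Collections.Generic.HashSet[string]]::new()
            }
        }
        $b = $buckets[$key]
        $b.Bytes    += [long]$Matches.bytes
        $b.Requests += 1
        [void]$b.Hosts.Add($Matches.host)
    }
    foreach ($b in $buckets.Values) {
        $reasons = @()
        if ($b.Bytes    -gt $DailyByteThreshold)  { $reasons += 'volume' }
        if ($b.Requests -gt $DailyCountThreshold) { $reasons += 'many-small-uploads' }
        [pscustomobject]@{
            Date     = $b.Date
            User     = $b.User
            MB       = [math]::Round($b.Bytes / 1MB, 1)
            Requests = $b.Requests
            Hosts    = ($b.Hosts | Sort-Object) -join ','
            Flag     = $(if ($reasons) { $reasons -join '+' } else { '' })
        }
    }
}

# With the sample above: jdoe (200 MB, 4 requests) is flagged 'volume', asmith (75 MB, 25 requests)
# is flagged 'many-small-uploads', bjones (20 MB, 2 requests) is not flagged.
Get-UploadSummary -Lines $sampleLog | Sort-Object Date, User | Format-Table -AutoSize
```

The point of the second threshold is the one Steve Jessop makes: a byte-count rule alone is defeated by chunking, so the count of upload requests (and, with a longer window, the number of distinct destination hosts) needs to be part of the picture. A real deployment would baseline these per user over weeks rather than use fixed numbers.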

In many cases, such a policy is paired with the use of some form of censorware to block access to a known list of cloud storage providers and webmail sites, along with blocking the ports for ftp (and file transfer over IM).

Of course it's simple enough to roll your own workaround: I had an ftp server running on port 80 at home for a few days once; my hosting provider's webmail isn't widely known; and I'm sure there are off-the-shelf solutions to allow upload over http. As you say, corporate use of GitHub is a worry (though many employers are wary of it, and it can be unblocked on a per user basis to developers only, reducing the threat surface). Not every source of (even deliberate) data leakage is very sophisticated, and the accidental sources can be the lowest skilled people with logons.

Chris H
  • I had an acquaintance at one point who worked at a place that only allowed access to a few whitelisted sites, but didn't block outgoing ping requests... So he wrote himself a proxy service that transferred the data via echo requests and responses so he could keep up on his online game accounts during slack times. – Perkins Jun 10 '16 at 17:04
  • Wikipedia as a pastebin (encrypt+base64 on a user page)? – Chris H Jun 10 '16 at 20:42
  • That would work for transferring data, but the latency would be rather high to try using it for a proxy protocol. – Perkins Jun 10 '16 at 22:53

Many large organisations have restrictions like this. I've been able to bypass every one that I've tested.

The intention is that users cannot extract data in bulk. It is understood that people can exfiltrate small amounts of data by photographing their screen, or even just memorising it. But there's a difference between exfiltrating a few details and stealing a 10 GB database of personal data. I think this is a good intention, but it can never be done perfectly.

To do this securely, a good start is:

  • Block all local removable media: USB, CD writers, memory cards, firewire, eSATA, and maybe more.
  • Restrict network exfiltration: This is usually done by blocking all web mail and file sharing services on the proxy. Also configuring laptops so when they're outside the organisation, all they will do is VPN back to base.

Usually I can bypass the network exfiltration by uploading files to my own web site. It's not known by the proxy as a file sharing site, so it gets through. Another technique is to connect an external organisation's laptop to the office network, and copy directly from the company computer to the external laptop - bypassing the proxy. Also, the corporate email system almost always allows a bypass, although the risk is reduced by file size limits and logging. Failing that, get administrator rights on the computer and disable the restrictions.

If the organisation has a Citrix-style remote working system - when you can connect from your home computer - very often this can be used to exfiltrate data. I remember one that blocked local drives, which was a good start, but allowed remote USB, so you could plug a USB stick into your home computer, and have it mount on the Citrix server - allowing you to steal data in bulk.

One of the problems with this setup is that people have legitimate needs for USB sticks, writable CDs, etc. The simple approach is to have a process where people with a business need are added to an exception list. A more advanced approach is Data Loss Prevention (DLP), which is a very interesting technology. Discussing that more is probably best for another question.

paj28

Let us not discount the impact of threat vectors that rely on USB for introduction to a network ("Stuxnet", anyone?). That said, is it "efficient"? IMHO, yes: it requires little effort to stymie the masses who might sneaker secrets out the door. But is it effective? Only for the unsophisticated masses. Clever local admins will still walk the secrets. In-network sensitive data encryption is far more effective.

Joe
  • Actually, for the purposes of this question, we should discount it. The machines in question are specified as being able to read USB drives. – Chris H Jun 10 '16 at 20:40