Security IT

When Data Goes Missing Will You Even Know? 327

Lam1969 writes "Jack Gold says IT shops may have a huge problem on their hands, and probably don't even know about it. The problem is USB flash drives, which he predicts will probably reach 10 GB in capacity in three years, and the lack of policies to guide use of them by employees. From the article: 'With more and more employees using flash drives, smart phones with Secure Digital memory cards, portable hard drives, etc., the likelihood of companies actually knowing about all instances of data loss is declining rapidly. And as a result, the possibility of companies breaking laws, whether for data-loss disclosure or regulatory compliance, is growing dramatically.' Gold predicts 'at least one publicized major case of unencrypted data loss from a portable device' in the next year, which will result in many companies banning these kinds of devices."
  • by TheAxeMaster ( 762000 ) on Tuesday January 24, 2006 @01:43AM (#14546405)
    The company that I work for recently had a laptop stolen. It had personnel information for a large large number of employees (greater than ten thousand) and may or may not have been properly protected. I think that qualifies as pretty serious data loss, and it didn't need a flash drive to happen.

    Will it be more prevalent? Maybe. But it already happens. Now, the question is, is there a program that can encrypt/decrypt an entire (relatively) small drive with some sort of key system or something? I think that will be the most logical step to protect small drives like these.
  • by EvilMagnus ( 32878 ) on Tuesday January 24, 2006 @01:44AM (#14546409)
    It's been present ever since Windows 2000 - if a company is worried about data loss via USB drives and the like, it's possible to disable access to USB drives using regular Windows security templates.

    What the article probably meant to say is that sloppy security practices, combined with increasing personal storage, increases the risk of unknown data loss.

    You can lock down a Windows box just fine against casual and accidental leaks if you know what you're doing, and you have a corporate policy to enforce. You can even prevent deliberate attempts at data theft, if you really want to be a hardass.
  • by xiphoris ( 839465 ) on Tuesday January 24, 2006 @01:49AM (#14546425) Homepage
    "It is highly likely that within the next year, we will see at least one publicized major case of unencrypted data loss from a portable device. Afterward, a lot of companies will ban such devices"

    No need for "afterward". Most companies that are extremely interested in protecting data (such as a large .com in Seattle for which I have worked) have banned such devices for years. No media may be used to transport company data except that which is explicitly allowed. In addition, no computer wireless devices of any sort (keyboard, mouse) may be used on company machines for security reasons. I'm sure that there are a lot of other similar rules, too, and all for good reason.

    It doesn't take a smart company to figure out that you don't want Billing.mdb on a floppy. USB is really no different. :)
  • not just USBs.. (Score:4, Informative)

    by dotpavan ( 829804 ) on Tuesday January 24, 2006 @01:59AM (#14546472) Homepage
    I remember a similar article here discussing the usage of portable gadgets at workplace, like iPod, camera cell phones, etc and many stated that their workplace does not allow such gadgets in "certain" areas, and they had to actually check them out before entering the premises..
  • by mh101 ( 620659 ) on Tuesday January 24, 2006 @02:28AM (#14546585)
    From reading the comments, it's obvious that most of the posters haven't RTFAed. But what's new - this is Slashdot after all...

    So to clue you all in:

    The article is not about people stealing sensitive data from their workplace using their USB drives. The article is about people losing data, because they've lost the USB drive they had it stored on.

  • by paultwang ( 946947 ) * on Tuesday January 24, 2006 @03:38AM (#14546777)

    For the first problem (Data loss due to lost or corrupted disks), which seems to occupy the majority of the article, the solution is easy. Back up your data from your portable storage as soon as you can easily access the mainframe. How long does a differential/incremental backup take? 10 seconds? 2 minutes? A piece of data existing in the portable disk, the mainframe, and the backup tapes, is much harder to be lost.

    For the second problem (Data theft due to lost disks), encryption works well. To discourage data theft due to lost disks, a simple, easy-to-use on-the-fly encryption on the portable storage device can help tremendously. The solution has to be simple because if it is a few mouse clicks too many, employees will try to circumvent the hassle.

  • by Hunter-Killer ( 144296 ) on Tuesday January 24, 2006 @05:56AM (#14547181)
    While I can't claim to be an InfoSec expert, I do work in the military (Army). I hope you're not inferring that flash drives are taboo because they might get lost. If this is true then CDs, floppy disks, and even paper printouts should be banned as well. This is not the case.

    For MSE at least, we maintain the concept of least privilege. Simply put, everything has a classification level, from unclassified/FOUO, confidential, secret, top secret, and up. You do not mix and match equipment with varying security levels. If a laptop is rated unclassified, it will not go on the SIPRNET (secure network). In addition, a device carrying sensitive information is classified at the highest level of the information (i.e., a CD-R burnt with Secret and Unclassified documents is now rated Secret, and will be handled as such). This is how we protect data: determine the security rating, ensure that the boundary safeguards are respected, and treat all data in accordance with preexisting regulations.

    From my experience, flash drives are the most viable portable media aside from paper. When my unit deployed to Iraq in 2003, we discovered that: 1) floppy disks were rendered unreadable by heat/dust within two months, and that CDROM drives usually died after 6-9 months of exposure. The second time we deployed, key leaders (and friends of the supply sergeant :)) were issued flash drives. We had a few go bad, but the majority were damaged by abuse (donning body armor was the main culprit). Storage is cheap, and we had a secure network to transfer files (sneakernet discouraged). Our biggest problem was the people interpreting the data. :)
  • by TallMatthew ( 919136 ) on Tuesday January 24, 2006 @06:10AM (#14547218)

    rm -rf /lib/modules/2.6.n/kernel/drivers/usb/storage should do it.

    Oh, right. Windows.
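
Added example, not part of the comment above: deleting the driver directory is undone by the next kernel update, while modprobe configuration persists, so this sketch audits that configuration and lists removable block devices currently attached. The function names are hypothetical, and the default paths are assumed to be the usual Linux locations.

```shell
#!/bin/sh
# Added example: audit whether usb-storage loading is blocked by modprobe
# configuration, and list removable block devices that are present now.
# The directories are parameters so the checks can also run against a
# constructed tree; the defaults are the usual Linux locations (assumed).

# Print "install", "blacklist" or "none" for the usb-storage module.
#   install   - "install usb-storage /bin/false" (or /bin/true): loading the
#               module through modprobe is replaced by a no-op command.
#   blacklist - only alias-based autoloading is stopped; an explicit
#               "modprobe usb-storage" by root still loads the driver.
usb_storage_policy() {
    conf_dir=${1:-/etc/modprobe.d}
    policy=none
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        # modprobe treats "-" and "_" in module names as equivalent.
        if grep -Eq '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(false|true)' "$f"; then
            policy=install
            break
        fi
        if grep -Eq '^[[:space:]]*blacklist[[:space:]]+usb[-_]storage([[:space:]]|$)' "$f"; then
            policy=blacklist
        fi
    done
    echo "$policy"
}

# Print the names of block devices whose sysfs "removable" flag is 1.
# Some USB hard disks report 0, so an empty list does not prove that no
# USB disk is attached.
removable_devices() {
    sys_block=${1:-/sys/block}
    for d in "$sys_block"/*; do
        [ -f "$d/removable" ] || continue
        if [ "$(cat "$d/removable")" = "1" ]; then
            basename "$d"
        fi
    done
}

echo "usb-storage policy: $(usb_storage_policy)"
echo "removable devices: $(removable_devices | tr '\n' ' ')"
```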

  • Encryption (Score:2, Informative)

    by raptorjb007 ( 890049 ) on Tuesday January 24, 2006 @10:43AM (#14548125)
    There are always encryption programs that can be used if implemented properly. Truecrypt (http://www.truecrypt.org/), axcrypt, bitht from SourceForge. Plus I am quite sure there are a few commercial alternatives that offer support as well. Point is, it's not USB drives that are the problem, it's the lack of a proper usage policy to control how they are used. Requiring all USB drives to be fully encrypted and/or having all data they contain backed up elsewhere would be a good start. It's all about policy and educating your employees on your company's acceptable use policy for such devices.
  • Re:NSA policy (Score:3, Informative)

    by HardCase ( 14757 ) on Tuesday January 24, 2006 @12:19PM (#14548849)
    I worked on a data analysis project in the Navy. The computer system was a couple of VAX minicomputers in a cluster with terminals throughout the building. There were six Sun Sparcstations (yeah, it was a few years back) with no floppy drives. The building was divided into two sections - low security and high security. If you brought a briefcase, backpack, anything like that, it stayed in the low security area. All that you brought into the high security area was yourself. Anything else that you needed, the Navy got for you. And if it wasn't a consumable, it was tracked. The only way that anything left that secure area was in a burn bag or packaged and tracked.

    We only had a staff of about 20, so it was relatively easy to manage.

    Oh, and the building was an old torpedo training facility. Solid concrete walls, but the roof was designed so that if there was an explosion, it would all go straight up. So it wasn't exactly safe to walk on - there was always the danger of falling through. Right into the secure area. Go figure.

    -h-
