When Data Goes Missing Will You Even Know?

Lam1969 writes "Jack Gold says IT shops may have a huge problem on their hands, and probably don't know even know about it. The problem is USB flash drives, which he predicts will probably reach 10 GB in capacity in three years, and the lack of policies to guide use of them by employees. From the article: 'With more and more employees using flash drives, smart phones with Secure Digital memory cards, portable hard drives, etc., the likelihood of companies actually knowing about all instances of data loss is declining rapidly. And as a result, the possibility of companies breaking laws, whether for data-loss disclosure or regulatory compliance, is growing dramatically.' Gold predicts 'at least one publicized major case of unencrypted data loss from a portable device' in the next year, which will result in many companies banning these kinds of devices."

data has walked out the door before.

[yagu]

From the slashdot post:

The problem is USB flash drives

While there is truth to this, it is not a new truth and it is not the complete truth. It's one more mechanism for "losing" data but it's not the first and it won't be the last.

It's an effective mechanism for moving large volumes of data, but it's not the only mechanism.

Corporate espionage and theft has and will continue to exist. USB drives are just one more aspect. While there may be some "exposure" and scandal soon about some USB drive falling into the wrong hands I doubt it will surpass any of the recent scandals (lost tapes and customer data).

Unfortunately, I'm guessing the article is correct in its prediction: "It is highly likely that within the next year, we will see at least one publicized major case of unencrypted data loss from a portable device. Afterward, a lot of companies will ban such devices". That would be a knee jerk reaction and counter productive but I'm already seeing it on so many other levels, e.g.,

• restricted e-mail (filtered to death)
• blocked IM
• key logging

among many others. I still think the greatest exposures are social engineering... and the paranoia around security policies don't address that. Sigh

(And, besides, isn't the RIAA is working on a solution to apply DRM to USB drives too? ) ;-)

Wow!

[Bobdoer]

To think that malicious employees waited until flash drives to steal data! Dear god, what about paper printouts, hard drives, e-mail, and (dare I say it?) floppy disks?!?

Watch the log files!

[rcpitt]

When I see the fact that a USB storage device has been inserted into a workstation or server, I question what (and who) did what.

The log files don't lie!

Of course if you can't find them, then it doesn't matter, does it? Does WinXX create a log file of USB insertion - damned if I know!

Might not want to admit that...

[Red Flayer]

"I had to invade the owner's privacy to see what I could discover from the content of the files."

Wouldn't this be accessing files that you were not granted access to? Isn't this a crime in several US states, and is it really a good idea to admit to it in a column with your picture and name at the top?

Just curious if the 'Good Samaritan' is putting himself at risk (and if it was curiosity or a desire to return the property that was the motivation).

dumb approach.

[Vellmont]

Gold predicts 'at least one publicized major case of unencrypted data loss from a portable device' in the next year, which will result in many companies banning these kinds of devices."

Which will solve exactly nothing. What are you going to do, search everyone as they enter and leave the building? If you want to limit data theft, limit access to huge amount of data in the first place. That eliminates the risk to any new technology to get the data offsite.

Lost is the wrong word

[A nonymous Coward]

Geez. It isn't lost, it is copied. Maybe you don't want it copied, great, but it is not lost, not misplaced, not missing. Some people will quibble about it being stolen or pirated, but it is not lost.

Re:dumb approach.

[Descalzo]

So if they do end up banning these things, what will they use instead. We use them because they are so handy. What other good options do we have?

Re:We already hear about it

[networkBoy]

That is data loss (the notebook), assuming no backup. The idea of removing a _copy_ of the data is not loss, it is theft. A bit of distinction but important. I will notice data loss, not likely to notice the theft though.
-nB

What about laptops?

[Geekonomical]

Giving employees laptops is very normal now considering it helps them to work from home / while in travel.

Can't they move huge amounts of data with these things?

What else can you ban? Enforcing policy != banning stuff.

Re:It's not the theft they're worried about

[halcyon1234]

To think that malicious employees waited until flash drives to steal data! Dear god, what about paper printouts, hard drives, e-mail, and (dare I say it?) floppy disks?!?

It isn't the theft of data that TFA is really concerend about.

The real threat comes from actual LOST data. With portable storage media getting bigger and bigger, more and more data can be put on it. Including massive amounts of spread sheets and even databases. (I worked for one company that insisted on keeping a sensitive database on USB keys, to be sneaker-netted around to whoever needed it).

Top that off with more and more USB keys floating around the office. Sure, right now, not every employee has one. Or, at best, every employee has just one. But it is becoming more and more prevellant to have "unowned" keys. In other words, a company buys a crapload, and people just grab whichever key is available at the moment to use.

Soon, people will treat USB keys like they treat floppy disks; there'll be a big pile of them, and employees will just grab one as they need it.

Because of this causal attitude towards USB keys, it'll become near impossible to track all the data. Employee X copies Spread Sheet A onto a key, takes it home to work on it, brings it back, and tosses the key back in the pile. You now have an unaccounted for instance of that data. Each time an employee does that, you have more and more instances of data that are unaccounted for.

There's no guarentee that the employee will blank out the key. There's no way of tracking which data is on which key. So an employee might check out a key that has data on it that isn't theirs. There might be hundred of files on the key. Who knows. They don't. They won't care, either. They'll just copy thier files over, work on them, copy them back.

So, each key has tons of data on it. If someone were to ask the CFO "Show me all copies of Sensitive Spread Sheet 5", they couldn't.

Now, one employee checks out a key. They treat it just as casually as they would a floppy disk. They lose it somewhere. (Falls out of their pocket, gets left on the bus, etc). Now, a floppy disk might have just a tiny amount of information on it. A few documents. A couple spreadsheets. A USB key could have an entire database! Someone picks it up, and suddenly has the bank information for all the company's employees...

That's the big issue there. Not that employees will sneak data away on USB keys (though that is a concern, too), but that employees will be too casual with large amounts of data and quite literally LOSE it.

Re:A little epoxy will fix that right up.

[networkBoy]

Funny,
As a dev (and with tons of confidential and privlidged info on my computer) I am specifically instructed to take my notebook home every night. It is considered part of our business continuity plan. Not only that but this is a large multinational corp, not a mom and pop shop. That said, the drive is encrypted, and security policies are in place for communication back to the office when I'm away (2048 bit RSA VPN).

What it boils down to is this:
My employer knows that if I want to steal data I can do it. Even if it comes down to hand transcription of one memorized line of code per day. So they trust me and provide me a hardened notebook to do my work on. Even if it is lost the data will not be compromized till it's likely to be useless anyway.
-nB

Re:A little epoxy will fix that right up.

[mh101]

It's been a while since I've peeked into a PC's BIOS... Can't you disable USB in the BIOS setup? Or is that dependant on the particular BIOS? Then you can just set a password to prevent access to the BIOS setup menus.

Re:A little epoxy will fix that right up.

[spooky_nerd]

Better hope your computer isn't "legacy free" or a Mac. You won't have any place left to plug in your keyboard and mouse. Also, don't forget to plug up the parrallel port. I still have a ZIP drive!

Security through Stupidity

[Detritus]

Let's ban the automobile, 9 out of 10 bank robbers use them to escape from the scene of the crime.

Re:We already hear about it

[anagama]

I see it not so much as "loss" or "theft". Both terms imply that the data no longer exists where it is supposed to be. Loss means it's gone completely, theft that it has been taken in a "move" like scenario rather than merely copied. It seems a more appropriate term for this type of situation would imply the existence of the data in it's original location, and an unauthorized copy in an unknown location. This is much harder to detect because obviously, the original is still in tact -- absence of the data is a big clue something is amiss. Maybe the best term is simply "unathorized copy". In any case, the title mislead me -- I was thinking about HD corruption of small areas leaving me unaware that some of my data may go missing.

Devices

[gmuslera]

Ok, could be banned to bring an (very hard to see) USB drive... what about cell phones? banned too? PDAs? MP3/CD players? 10 years is a lot of time and even whatever will be used to carry what could be your "personal id" could potentially used to copy sensitive data i bet.

Also, the network is everything, there are not so much totally isolated computers with critical data, and most networks have some or several points of touch with internet, encripted traffic and then hard to trace what is happening with the information.

Re:The real issue leading to confused reporters

[gorim]

[Is the issue called trust. Specifically, towards people on the [inside of your organization.
[
[It all boils down to "Do you trust your employees"?
[
[There are businesses that do, and there are those that don't.

And then there are the smarter ones that recognize reality - that regardless of how much trust one gives, statistically speaking, someone will abuse that trust and walk off with data. The smarter businesses put appropriate mechanisms in place that both recognize and attempt appropriately minimize the occurance and resulting damage of these eventualities.

I think its called "trust without being stupid about it."

Re:data has walked out the door before.

[Forbman]

...and your computer doesn't have a CDRW/DVDRW on it of some form or another? You haven't secretly set up an ssh tunnel to an outside computer?

You religiously put all your sensitive docs into the to-be-shredded container instead of the usual recycle bin (but people will still inadvertently put critical info in the regular recycle bins from time to time)?

Too late!

[burne]

The Dutch 'Secret' Service (AIVD) recenlty lost a memorystick containing 'secret' documents:

in Dutch: http://www.webwereld.nl/articles/39418 [webwereld.nl]
from an Italian newspaper: ( http://www.intesatrade.it/IntesaTrade/News/Dettagl ioNotizieOggi/1,3243,2@1332658,00.html [intesatrade.it] )

The report comes a day after the Defense Ministry said it had lost a computer memory stick containing confidential Military Intelligence Agency data. In December, a Dutch district court sentenced a former AIVD translator to four and a half years imprisonment for passing on state secrets to alleged terrorists. Last year, a secret service employee left several CD-ROMs of confidential intelligence in the trunk of a rental car.

Company Data: theft , copy or backup?

[VincenzoRomano]

Nowadays it is almost impossible to avoid people from copying company data, also because it is becoming a spread practice to bring some work at home.
Not to mention the vast usage of laptops, especially among ICT workers.
Removable media with high capacity is only the "latest" technology to do this.
In the past we have used printers, floppy disks, email and web disks in order to bring data and documents home (or wherever else).
You can lock floppy drives, USB ports, bluetooth features and so on. You can filter web accesses and other publishing media and protocols.
But what about email and printers?
Are you really planning to make work harder and slower?
And I'm pretty sure that in some cases, especially in small companies, the private copy saved the day in more than one case!

Columnists Rehashing Old Scaremongering

[billstewart]

Ok, Jack Gold's put a slightly more useful spin on it by talking about accidentally lost data as opposed to deliberately stolen data, but it's still the same old hash with scaremongering about USBs.

• Briefcases get lost all the time, and briefcases have been large enough to contain sensitive information for decades now. Keychains also get lost on occasion, and especially for small businesses that's often enough to get in the building at night or steal a company truck.
• Yellow Sticky Notes with your IP address and VPN password fit in your pocket just fine, and DSL means that people can suck up your data even faster than when we used to use Yellow Sticky Notes to carry modem phone numbers and dialup passwords.
• Documents that are actually important are usually 1-100 pages long. You can store them on mashed-up dead trees if you avoid spilling coffee on them. Them newfangled USB thingies hold a lot of data, but back when we carried 3.5" floppy disks 20 miles through the snow uphill both ways , Microsoft Office wasn't as bloated, so a zipfile of The Secret Plans still usually fit in your pocket. That's not the same as carrying out the whole blueprints for your next chip in your pocket, but mini-CDs do pretty well - they're certainly enough to carry the HR personnel database home.
• DVDs and CDROMs fit pretty neatly into briefcases, and most newer PCs have at least a CD burner, so you can still carry the chip blueprints home.
• Laptops are easy to carry, and go missing all the time. The San Francisco Police aren't very good at recovering them even when they've got them in their evidence room and the thief in custody; your mileage may vary :-) And unlike keyrings and regular briefcases, laptops have obvious resale value so they're more attractive to thieves.
  
• RM-05 removable disk packs are a bit big to fit in your briefcase, but magtapes fit just fine, and before magtapes we had ASR-33 paper-tape, which works just fine for carrying the Numerical Control tape that tells the milling machine how to cut your submarine-propeller plans.
• Mainframes with Greenscreen 3270s are much less portable, but back when I worked for The Big Phone Company they were worried about people carrying computer printouts home, and they checked our briefcases on the way out the door of buildings that handled sensitive information.

But yes, within the next couple of years, somebody's going to have a USB keyring/wristwatch/Walkperson/iPod/Pseudopod/somet hing get lost or stolen with sensitive information on it, and the press probably will fly off the handle telling us they told us so, and that we need to take precautions we've never taken before with laptops or CDROMs or whatever, and that's probably going to include silly bureaucrat tricks instead of getting major operating systems to have convenient encrypted file system support (and remember, "major operating systems" includes the OS's for portable music players and not just the computers they plug into.

Re:Watch the log files!

[Jussi K. Kojootti]

"tamper proof SIM card

That'll work. Just like all the other consumer devices that were marketed as secure -- and were cracked in two days after release. If the key is in the device, it will be known.

Re:It's not the theft they're worried about

[killjoe]

"That's the big issue there. Not that employees will sneak data away on USB keys (though that is a concern, too), but that employees will be too casual with large amounts of data and quite literally LOSE it."

I don't see what the big deal is. Huge companies have had really really really important data stolen with no real effect or punishment. I mean things like social security numbers, credit cards, personal information, credit records etc. Do people even remember what happened with choicepoint? Does anybody even know who choicepoint is or what they do?

This is just bullshit. Nobody really cares all that much. There are no consequences to the corporation at all for losing data. Worst comes to worst somebody gets fired. Big whoop.

Re:The 3-second 5-cent - PERFECT!

[ScrewTivo]

Trying to "outlaw" and "enforce" usb devices is an option only for the dim whitted. I will probably use your suggestion.

I have heard all this before and business keeps on ticking....
1980's style - no floppy drives in computers
1970's - photo copiers lead to loss of sensitive data
1960's - Beware of employees with Kodak cameras
1950's - Don't through carbon paper into trash cans
That's as far back as I go...:)

A little epoxy will fix that right up forever

[digitaldc]

Wouldn't it just be easier to disable the USB via the BIOS or open up the case and disable or remove the USB?
Seems like physically ruining a device with Epoxy is a lazy way to disable something.

He's mixing two different things

[Ernesto Alvarez]

There are two different things mentioned in the article that I think make the article less than what it should have been.

The first one is data being compromised. There's a clear example when the author found a USB drive in an airport. (He could read it without problems). The second one is data loss, also mentioned. The author mixes both concepts when he compares the loss of a USB drive (assuming it's not backed up) with the loss of records by a big company (that would probably be compromise).

Even though they look like the same problem (if I put all my important data in a standard USB drive, if I lose it the data gets lost and compromised at the same time), they're not. These risks are mitigated with different methods. When you start taking steps against either data loss or compromise, it is shown that the author's definition of "data loss" is not that clear.

Imagine I had all my important data on a USB drive, encrypted (but without backups). If I lost said drive, I would be left without some important data, but it would have not been compromised.

The opposite would have happened if I had backups, but no encryption.

If both encryption and backups were available, if would be (under most circumstances) a non-issue (except for the loss of a USD 20 drive).

All of that assuming the drive owner is honest, and not using it to smuggle data out of a secured area.

The author seems to treat data as a physical object, which is not.

Thin Clients

[HighOrbit]

If a business division is working with especially sensitive data, perhaps they should not be working on PC's at all. That might be a job for a thin-client/dumb terminal with no drives or ports (other than ethernet, video, and ps-2 keyboard/mouse).

Sun has been pushing thin clients for years and some of their major selling points have been security both from the data sensitive aspect and security from the user-can't-break-it aspect.

Re:So, disable the USB port

[adolf]

Er. Uh.

How are you to use your USB printer?

Or:

Your USB keyboard and mouse?

PS/2 and parallel ports seem to be disappearing in a hurry. Your supposed fix for the USB key problem is, well, somewhat flawed if it makes the whole rest of the workstation unusable at the same time...