
When Data Goes Missing Will You Even Know?

Lam1969 writes "Jack Gold says IT shops may have a huge problem on their hands, and probably don't even know about it. The problem is USB flash drives, which he predicts will probably reach 10 GB in capacity in three years, and the lack of policies to guide use of them by employees. From the article: 'With more and more employees using flash drives, smart phones with Secure Digital memory cards, portable hard drives, etc., the likelihood of companies actually knowing about all instances of data loss is declining rapidly. And as a result, the possibility of companies breaking laws, whether for data-loss disclosure or regulatory compliance, is growing dramatically.' Gold predicts 'at least one publicized major case of unencrypted data loss from a portable device' in the next year, which will result in many companies banning these kinds of devices."
  • by Anonymous Coward on Tuesday January 24, 2006 @01:41AM (#14546391)
    My company already has a policy banning them. Using a USB drive at work w/o permission will get your ass fired.
  • by LurkerXXX ( 667952 ) on Tuesday January 24, 2006 @01:42AM (#14546395)
    I know of several companies which have filled in all the USB/firewire ports on most of the computers with epoxy. Only people who actually have a real need for devices using those ports have working USB/firewire (there are no floppies or CD/DVD burners in 'regular' staff machines either)
  • Encryption (Score:3, Interesting)

    by nolife ( 233813 ) on Tuesday January 24, 2006 @01:55AM (#14546458) Homepage Journal
    Of course getting the users to actually use encryption is another story...

    TrueCrypt [truecrypt.org] works pretty good for these situations and it comes with an open source license [truecrypt.org]. The forums contain a lot of tips and tricks for using the application in oddball situations.

    Not affiliated at all, just a satisfied user.
  • by 1u3hr ( 530656 ) on Tuesday January 24, 2006 @02:01AM (#14546478)
    The first few posts on Slashdot are so mind numbing.

    Well, the whole topic is. "People can steal data with USB drives!" News? Ten years ago I was stealing data with floppies. Copied a whole mailing list. (Didn't use the parts I wasn't supposed to, it just simplified things to have the whole thing.) Most "secret" data is basically text, you can fit hundreds of pages onto a floppy.

    Anyway, it's impossible to prevent people bringing in floppies, let alone USB dongles. If it bothers you, just open the cases and disconnect any USB sockets. (Use AT keyboards and mice, still easy to get.)

  • auditing (Score:5, Interesting)

    by BrynM ( 217883 ) * on Tuesday January 24, 2006 @02:08AM (#14546511) Homepage Journal
    Auditing of a filesystem is the best way to go here, IMHO. Drives are getting bigger, so capacity for log storage grows too. Currently you can set most filesystems that have granular security to audit file access, writing, creation and deletion. Perhaps there is some way to audit target actions ("copied to removable drive X", "opened by Microsoft Word") that will be developed eventually. Personally, I log access to important files as a matter of habit (mostly with NTFS). I've also found that the bigwig execs love it when you tell them you can see who tried to look in their directory.
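
The "copied to removable drive X" signal mentioned in the comment above can be approximated by correlating ordinary file-audit records. This is an added example, not part of the original comment: the log format, the `D:\Finance` protected root, the `E:` removable-drive mapping and the five-minute window are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed audit records (hypothetical export format, not a real Windows log):
# time, user, process, operation, path
SAMPLE_LOG = """\
2006-01-24T09:00:05,alice,winword.exe,READ,D:\\Finance\\payroll.xls
2006-01-24T09:00:40,alice,explorer.exe,CREATE,E:\\payroll.xls
2006-01-24T09:05:00,bob,explorer.exe,READ,D:\\Finance\\budget.doc
2006-01-24T09:30:00,bob,explorer.exe,CREATE,E:\\budget.doc
2006-01-24T10:00:00,carol,explorer.exe,READ,C:\\Public\\menu.txt
2006-01-24T10:00:10,carol,explorer.exe,CREATE,E:\\menu.txt
"""

SENSITIVE_ROOTS = [PureWindowsPath("D:\\Finance")]  # assumed protected directories
REMOVABLE_DRIVES = {"E:"}                            # assumed from a device inventory
WINDOW = timedelta(minutes=5)                        # max gap between read and copy


def is_sensitive(path):
    """True if the path is a protected root or lies anywhere beneath one."""
    return any(root == path or root in path.parents for root in SENSITIVE_ROOTS)


def find_removable_copies(log_text):
    """Return (user, source, destination) for each sensitive file that the same
    user read and then created on a removable drive within WINDOW."""
    recent_reads = {}  # (user, lowercase file name) -> (time, source path)
    findings = []
    for ts, user, _proc, op, raw in csv.reader(io.StringIO(log_text)):
        when, path = datetime.fromisoformat(ts), PureWindowsPath(raw)
        key = (user, path.name.lower())
        if op == "READ" and is_sensitive(path):
            recent_reads[key] = (when, path)
        elif op in ("CREATE", "WRITE") and path.drive.upper() in REMOVABLE_DRIVES:
            seen = recent_reads.get(key)
            if seen and when - seen[0] <= WINDOW:
                findings.append((user, str(seen[1]), str(path)))
    return findings


if __name__ == "__main__":
    for user, src, dst in find_removable_copies(SAMPLE_LOG):
        print(f"ALERT {user}: {src} -> {dst}")
```

Matching on file name within a time window misses renamed or archived copies, so a rule like this is a triage signal to review alongside the raw audit trail rather than proof of a copy.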
  • by MikShapi ( 681808 ) on Tuesday January 24, 2006 @02:30AM (#14546594) Journal
    Is the issue called trust. Specifically, towards people on the inside of your organization.

    It all boils down to "Do you trust your employees"?

    There are businesses that do, and there are those that don't.

    Those that do work on the assumption an employee will not do anything to harm the business intentionally - take a file he is exposed to during work and transfer it somewhere outside the organization.

    Hence, it will not take all measures required to prevent him from doing so.

    A business that does worry about such things will - What you carry will be checked at the door. Your PC will be locked (the case, physically locked). No Floppy, CD-R, USB, no means to connect media you bring from home. Internet access will be so restricted you wouldn't even be able to encapsulate an SSH tunnel over DNS packets you kindly ask your DNS server/proxy to send for you. And so forth.

    Pointing at a business where everyone has web access and a dell sitting on his desk with 2 USB ports looking at him and saying "Hey, this guy can copy a confidential word document on the USB key" is hardly news, doesn't bother anyone in the first type of organization, and usually a non-issue in the second (which would have taken excessive measures to prevent exactly this kind of thing).

    Nothing to see here, move along.
  • by hazem ( 472289 ) on Tuesday January 24, 2006 @03:45AM (#14546808) Journal
    Of course, many motherboards have a USB connection where you can plug a slot-based set of USB outlets. If you're already opening the case, that's all you need.

    And USB, I think, is only 4 wires... if the plug is epoxied, just open the case and hotwire your own outlet.

    Someone else already mentioned installing a 2nd hard drive to copy data. And one could also install a $20 USB/Firewire card in one of the PCI slots.

    That leaves filling the whole computer with epoxy. Great, you've turned your PC into a commodore 64. I hope you don't have to fix it!

    People just have to accept that if a person has physical access to the machine, they can compromise it.
  • by Whiteox ( 919863 ) on Tuesday January 24, 2006 @06:39AM (#14547279) Journal
    There will always be that kind of insecurity with any kind of device, whether it's a disk or a USB drive etc etc.
    But why not DRM all data?
    If you think clearly about it, DRMing all data will prevent (as much as possible) the use of the data, but not the theft or loss of it.

    Simple really.............. :)
  • by Alex Belits ( 437 ) * on Tuesday January 24, 2006 @06:39AM (#14547281) Homepage
    For a company to function, many employees of the company have to have access to the company's data. All of them, if they are inclined to do so, can copy it. Heck, many of them can sabotage it, and destroy the company.

    Guess what the company can do about it? It can stop treating the employees as shit. Especially stop pretending that the company is some amorphous entity that makes its owners/shareholders entitled to profit, and can impose idiotic demands and shitty conditions and pitiful pay on everyone else in it. Employees do their work, this is why they have access to company's things. Nothing, ever, happened in a company without some employees making it happen, so if any of you wonder, why people can destroy your precious company, keep it in mind -- THIS IS BECAUSE THOSE PEOPLE ARE THE COMPANY.

    There is nothing wrong with avoiding overbroad access where it isn't necessary for things to work, however there is no way to make any company "secure" from the very people whose only responsibility is to keep things running. Don't piss them off, and remember that you didn't become Presidents, CEOs and VPs by understanding how to operate anything that makes your company what it is. Every time you eat your lunch, think how many people you have abused today, and what will happen if any of them will press a few buttons.
  • by jimicus ( 737525 ) on Tuesday January 24, 2006 @10:15AM (#14547922)
    Not that we had anything that critical or sensitive where I worked, but I always found it silly to bar someone from bringing in their laptop.

    There is logic in it, if you think about it from a "corporate IT putting out a blanket rule" perspective.

    That rule that applies to you also applies to Sharon, a blonde hairdresser by trade who's just taken a second job in the bank to supplement her income.

    Sharon has a laptop of her own, and wants to bring it on so she can get on the Internet in her lunch hour - after all, she's not allowed to use company computers for personal web surfing.

    Unlike yourself, Sharon's never heard of virus scanning (well, she has, but she was checked by her doctor when she started seeing her new boyfriend, so that's all right). She thinks spyware is the name of the next James Bond film.

    Now the bank has a number of business critical systems running Windows. Perhaps unsurprisingly, Auto Update is disabled. This is because, despite Microsoft's best efforts, such updates occasionally break things. Instead, updates are trialled on a test network and then, following a change control procedure, are applied. This procedure takes a while, so at any one time most of the critical Windows systems can be a good few weeks behind on patches. This rises when testing reveals problems, and it rises even further when the system in question was built and maintained by an outside company - their update, assuming they provide one in a reasonable timescale, is subject to the same test requirements and change control as a Microsoft update.

    Meanwhile, Sharon's PC, which is swimming in spyware, trojans and viruses, is merrily scanning the network for vulnerabilities.

    I don't think I need to spell out the rest...
  • by Zerbey ( 15536 ) * on Tuesday January 24, 2006 @10:41AM (#14548103) Homepage Journal
    We had a client at one of my previous jobs who explicitly banned USB jump drives from the workstations they would be using. So, after a few seconds of head scratching on how to do this I:

    * Disconnected the USB ports and,
    * Disabled them in the OS and,
    * Removed the USB flash device .inf file that Windows provides and,
    * Padlocked the case shut.

    It takes a few moments per machine and should be part of the standard build for any business that cares about their data.
