USB: "Ultimate Security Breakdown"

By Dennis Szerszen


To the average corporate or home PC user, a universal serial bus (USB) port is simply a means to connect handheld devices such as iPods, Blackberrys, digital cameras, cell phones and memory sticks directly to a desktop or laptop. Through this connection, users can transfer or copy information to and from their computers with little trouble.

To security administrators and corporate executives, the acronym USB is taking on an entirely new meaning: "Ultimate Security Breakdown."

This is because many organizations don't realize that USB and FireWire ports offer an unbelievably easy and accessible way to take sensitive information outside of the enterprise: a naivete that could cost them dearly.

If you look at the latest corporate desktop releases from top makers Dell, HP, and Gateway, a single system can easily have up to eight USB ports, each of them an entry point into an enterprise IT network. Even more troubling are the default plug-and-play configurations of operating systems like Microsoft Windows XP, which install and enable a newly attached device without asking anyone.

Current operating systems provide seamless support for USB devices, and for good reason: users want to be able to load photos, sync their personal digital assistants (PDAs) or transfer music to and from their MP3 players with no hassle. However, the resulting security problems are significant.

In industries such as financial services, government and healthcare, where sensitive information not only exists but is heavily regulated by privacy laws, there is monumental risk.

Finance and legal departments within every publicly-traded company face serious penalties and fines as a result of violations of material event disclosure laws, not to mention public and investor-relations disasters.

So, while organizations scramble to turn off the data spigot, with no guarantee that software or PC manufacturers will do anything to stop default USB access, things are only going to get worse.

Several trends will feed this security dilemma over the coming months, including:

Pop culture: Apple iPods, digital cameras, PDAs and other gadgets will continue to see rapid adoption among consumers and business users.

With no configuration at all, an employee can plug a USB keychain with a gigabyte of storage into the back of a corporate PC. Employees already bring digital cameras to work to download photos as desktop wallpaper or screensavers.

These devices are normally plugged into home computers with a fraction of the security of today's enterprises, making it incredibly easy for someone, even unintentionally, to carry a nasty virus or destructive code into the office.

Malicious code meets device: Wireless LANs and laptop computers are the current hot vectors for malicious code infections, but the recent appearance of malicious code in portable and personal devices does not bode well for security administrators.

Infected PDAs syncing to a corporate computer could conceivably offer a scenario where malcode is passed from device to machine to corporate network. It is also conceivable that future malware will seek out portable media solely for the purpose of proliferation.

Storage device meets mouse: The convergence of different computer components and technology could present the ultimate dilemma for security personnel.

Mice, keyboards and other components that are intrinsic to everyday computing -- combined with storage capabilities -- are the potential Swiss army knife for data thieves and insiders, or yet another threat vector for malicious code exploits: a peripheral that looks like an input device is rarely questioned, yet it can carry gigabytes in and out of the building.

Unfortunately, most security organizations are still drowning in their battle against malicious code and vulnerability patching, keeping the focus on perimeter security technologies such as corporate firewalls, server anti-virus and content filtering at the gateway.

While these measures are important and administrators must continue to lock things down at the network hub, the number of spokes is growing exponentially.

Many organizations have hundreds or thousands of machines hooked up to the network at any given time. When you factor in the possibility that very soon there could be multiple devices per PC, each with unrestricted read and write access to the machine's data, it presents a very sobering reality for security personnel.

There are immediate steps that companies can take that will go a long way in solving this problem, including a "default/deny" approach to block unsanctioned devices, applications and executable files from all corporate machines.

A default/deny solution will not allow any device or application to work on any machine within the particular computing environment unless it has been explicitly approved. IT administrators then work backwards from an inventory of what the business actually needs to create a list of those devices and applications that are allowed on company machines, and everything else is denied by default. Because the decision is made on the device's identity rather than on what the user intends to do with it, an unsanctioned keychain drive fails to install at all, whether it was plugged in by an insider or by a well-meaning employee with a camera full of photos.
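As an added, concrete illustration of the default/deny approach described above (this is not code from the article or from the author's company; the article names no particular product), the script below writes the policy registry values that Windows Vista and later read for their "Device Installation Restrictions" Group Policy settings. It denies installation of any device not described by policy and then allowlists a handful of hardware IDs. The hardware IDs are constructed placeholders, the `Set-DefaultDenyDevicePolicy` function name is this example's own, and it assumes it is run from an elevated PowerShell session on a machine you are entitled to administer.

```powershell
# Added example: default/deny USB device control via the Windows
# Device Installation Restrictions policy keys. Not from the original article.
# Assumptions: elevated session; Windows Vista or later; the hardware IDs
# below are constructed placeholders to be replaced with a real inventory.

$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$allowKey     = Join-Path $restrictions 'AllowDeviceIDs'

# Hardware IDs of devices the organisation has decided to sanction (constructed).
# Windows matches these against a device's hardware and compatible IDs, so
# "USB\VID_xxxx&PID_yyyy" approves one vendor/model, not one physical unit.
$allowedHardwareIds = @(
    'USB\VID_046D&PID_C31C',   # hypothetical approved keyboard model
    'USB\VID_046D&PID_C077',   # hypothetical approved mouse model
    'USB\VID_0781&PID_5583'    # hypothetical approved encrypted flash drive model
)

function Set-DefaultDenyDevicePolicy {
    param(
        [Parameter(Mandatory)] [string[]] $HardwareIds,
        # When $false, local administrators are also bound by the policy.
        [bool] $AllowAdminOverride = $false
    )

    New-Item -Path $restrictions -Force | Out-Null
    New-Item -Path $allowKey     -Force | Out-Null

    # Start from a clean allowlist so entries removed from the inventory do not
    # survive a re-run of this script.
    $existing = (Get-Item $allowKey).Property
    foreach ($name in $existing) {
        Remove-ItemProperty -Path $allowKey -Name $name
    }

    # Allowlist entries are REG_SZ values named 1, 2, 3, ... whose data is the ID.
    $index = 1
    foreach ($id in $HardwareIds) {
        New-ItemProperty -Path $allowKey -Name $index -Value $id `
            -PropertyType String -Force | Out-Null
        $index++
    }

    # "Prevent installation of devices not described by other policy settings"
    New-ItemProperty -Path $restrictions -Name 'DenyUnspecified' -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # "Allow administrators to override Device Installation Restriction policies"
    New-ItemProperty -Path $restrictions -Name 'AllowAdminInstall' `
        -Value ([int]$AllowAdminOverride) -PropertyType DWord -Force | Out-Null
}

function Get-DefaultDenyDevicePolicy {
    # Read back what is actually in effect, for change control and auditing.
    $props = Get-ItemProperty -Path $restrictions
    [pscustomobject]@{
        DenyUnspecified   = $props.DenyUnspecified
        AllowAdminInstall = $props.AllowAdminInstall
        AllowedIds        = (Get-Item $allowKey).Property |
            Sort-Object { [int]$_ } |
            ForEach-Object { (Get-ItemProperty -Path $allowKey -Name $_).$_ }
    }
}

Set-DefaultDenyDevicePolicy -HardwareIds $allowedHardwareIds
Get-DefaultDenyDevicePolicy
```

Two caveats a practitioner should keep in mind. First, this policy governs driver installation, so a device that was already installed before the policy was applied keeps working until it is uninstalled; building the allowlist from a known-good machine (`Get-PnpDevice -Class USB` lists instance IDs, and `Get-PnpDeviceProperty -KeyName DEVPKEY_Device_HardwareIds` returns the hardware IDs to copy into the list) and then removing everything else is the "work backwards" step the article describes. Second, a vendor/model allowlist still admits every unit of that model; pairing it with a policy that only permits removable storage that is encrypted, or with a product that tracks individual device serial numbers, is what turns the allowlist into a genuine control rather than a speed bump.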

Until these types of measures are implemented, USB devices will continue to be a major weakness in perimeter security's Maginot Line, allowing a relatively easy and tempting way for insiders and malicious code writers to access and exploit enterprise networks.

By coupling a proper corporate policy with a sound solution, an enterprise's "Ultimate Security Breakdown" could become its "Unbreakable Security Barrier."

Dennis Szerszen, a former industry analyst, is currently vice president of business development for SecureWave, a maker of endpoint security software. E-mail Dennis at denniss@securewave.com.