Software Secures Against USB Slurpers

IT managers are waking up to a fresh threat to the safety of stored data -- portable storage.

With the growing popularity of USB memory sticks, iPods, MP3 players, and other portable storage devices, IT pros face the awful potential that mobile workers could steal or contaminate unguarded enterprise data stores.

A recent example: A U.K. news broadcast's investigation of data theft at call centers in India aired on Britain's Channel 4 last night. Apparently, criminals have set up a black market for personal financial data about mobile phone customers that's pilfered by Asian call center employees.

The report, which aired on a program called "Dispatches," deployed undercover reporters for nearly a year. The reporters filmed transactions in which bank account data on U.K. customers was sold for up to $55 per record.

"The program confirmed what we have been saying for a number of months, that data theft is rife within call centers across the U.K. and India, and that small USB sticks are one of the primary ways to get data out of the organization," said Matt Fisher, VP at Centennial Software, in a news release today.

Fisher's axe to grind is DeviceWall, released in 2005, a software package that offers centralized identification and policy-based control over USB-port devices.

And he's not alone. A growing roster of companies, including ControlGuard, GFI, GuardianEdge Technologies, Msystems, RedCannon Security, SecureWave, and Senforce, to name just a few, have picked the portable storage threat as their mission. Their wares secure data not only against theft via USB device, but also against the innocent end user who could serve as corporate entry-point for viruses, Trojans, podslurps, and other malware specifically designed to work with USB-connected gear.

While this kind of control could be implemented internally, the products bring protection to the next level. "We used use Active Directory and group policies, but those let you really just lock down ports," says John Sroka, CIO at Duane Morris LLP, a 600-lawyer firm with offices across the U.S. Sroka bought ControlGuard's Endpoint Access Manager to protect against information "leakage" via iPods, CDs, thumb drives, and the like. "This not only locks down ports, it gives us reports and the ability to watch for abnormal activity."

Most products on the market are software that load agents onto remote PCs, and then use Active Directory or other methods to enable or disable those PCs' use of USB-based devices. Most also issue a range of reports on usage trends and events, and some block viruses and malware. Some products also integrate with systems management software. ControlGuard's Endpoint Access Manager, for instance, can work with CA's Unicenter.

The market is still fairly small. Sroka says he didn't look very far to find ControlGuard. "We really didn't do much of a product comparison." And while not specifying how much he spent, he notes that it cost next to nothing to get the package up and running. Most of the policy-setup work was done in house.

Still, an investment in this kind of software isn't cheap. ControlGuard charges $10 to $25 per PC for its endpoint control software. Senforce charges about $70 per machine for its Endpoint Security Suite Theft Protection, though options are available that could bring costs down, such as a "quick start" package that enables buyers to protect up to 1,000 of the most strategic PCs within three to five days.

The number of suppliers of endpoint security for USB drives is apt to expand as the popularity of portable storage takes off. But there are some who think nothing will totally protect against threats from the USB port. Referring to the India call center scandal, Paul Howard, a cofounder of U.K.-based DisUK, which makes storage encryption appliances, asserts that not allowing any USB access is the only guarantee against exposure. "Don't put your neck on the block," he says. "There is no reason for operatives to have I/O access."

— Mary Jander, Site Editor, Byte and Switch