
Desktop Ports: Leakage or Lockdown

Enterprises struggle to enforce security policies on thumb drives and other portable storage media

Do you know what devices your users are plugging into their laptops and desktops right now? And if those activities aren't authorized, do you have a way to stop them?

If your answer is "no" to both questions, you're not alone. All over the Web, IT and security managers are struggling to keep USB drives, Firewire devices, and other portable storage from carrying sensitive data outside their secure perimeter and from bringing in viruses, Trojans, or other malware.

"Our policy is that sensitive data shouldn't go out of the building, and unauthorized media shouldn't come in. But that's policy, not technology," says Phil Kirsch, systems administrator for the Statistical Center for HIV/AIDS Research in Seattle. "There are no audits or other enforcement activities. I don't know that there is any practical way to enforce it. There are just too many forms of media someone could put data on."

"Every [user] has access to [removable storage devices] right now, and they can put anything they can get access to on them," agrees Sean Grady, IT security administrator for the Eastern Band Cherokee Nation. "We are very vulnerable to internal manual attacks. I have a policy, but I cannot enforce it."

Complaints such as these aren't isolated. Last week, Dark Reading columnist Steve Stasiukonis, vice president and founder of penetration testing firm Secure Network Technologies, described a test in which 20 USB thumb drives infected with a benign Trojan were dropped around the headquarters of a credit union. Fifteen of the drives found their way onto the company's desktops and into its corporate network. (See Social Engineering, the USB Way.)

Dozens of IT and security administrators wrote to Dark Reading and Stasiukonis to say that they are struggling to plug similar vulnerabilities in their enterprises.

The problem, in a nutshell, is that most IT organizations have no way to detect what physical media are plugged into their client machines, or what data might be imported or exported from those media. At the same time, the latest portable storage devices can hold gigabytes of data in a pocket-sized form factor at consumer-level prices, which means that huge amounts of data can be transported in or out before IT can do anything about it.

In response to this confluence of events, many enterprise IT organizations have adopted one of two diametrically opposed policies: Either they disallow all portable storage devices, to the point of physically disabling USB ports, or they allow everything, on the reasoning that an unenforceable policy is worse than none at all.

"If you really want to prevent this sort of thing from happening, your best bet is to just disable it across the board," says Stasiukonis.

"We have no policy," says an IT administrator at a large university. "We have to allow everything."

Isn't there some middle ground here?

An emerging class of security vendors says there is. These companies -- mostly small startups with names like ControlGuard, PointSec, Reflex Magnetics, Safend, and Securewave -- have developed tools that collect information from PC ports, telling IT which devices are being plugged in, locking out unauthorized media and, in some cases, enforcing encryption on all data that passes through those ports.

There are significant differences among these new "port control" or "endpoint security" products, but as a rule, they operate in a common model. The IT department equips each PC with a driver or agent application, costing anywhere from $10 to $50 per client, that's capable of monitoring the use of external interfaces, including USB, PCMCIA, CD/DVD burners, and other devices. Most of the vendors maintain an equipment library that can tell IT not only the type of device that's plugged into each port, but the make and model as well.

"We have a lot of customers who just use our product for that 'audit' function. They just want to know who's plugging something in, and what they're using," says David Raanan, general manager and chief marketing officer at ControlGuard. "Most of our customers find a lot of things they didn't know were being connected to their networks: thumb drives, iPods, even PlayStations."

Once they know what storage media users want to plug into their machines and why, IT administrators can use these emerging tools to create policies that can be enforced by the agent on the PC. For example, IT can disallow USB access for some groups of users while permitting it for others. Or it can allow access for all groups, but limit that access to business hours.

Virtually all of these products also offer a central console that enables administrators to manipulate permissions or monitor user activity in real time throughout the day. If a user plugs an unauthorized device into a PC port, the agent will disallow the device and send a message to the console to let IT know which user and which devices are involved.
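The three preceding paragraphs describe a common mechanism: a per-PC agent reports each device attachment (bus, device class, make and model), a policy decides whether the device is allowed for that user and that time of day, and a denial is reported to a central console. The following is an added example that models that mechanism in Python; it is not code from the article or from any vendor named in it. Group names, vendor and product identifiers, the business-hours window and the rules are all constructed for illustration, and the agent events are hand-built rather than read from a real operating system.

```python
"""Added example, not from the article or any vendor it names: a toy model of
the agent-plus-console policy engine described for port control products.
An agent on each PC reports a device-attach event; the policy decides allow
or deny, and every decision becomes an audit record for the central console.
All group names, vendor/product IDs and rules below are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, FrozenSet, Tuple, List


@dataclass(frozen=True)
class DeviceEvent:
    host: str
    user: str
    groups: FrozenSet[str]      # directory group membership of the user
    bus: str                    # "usb", "firewire", "pcmcia", "optical"
    device_class: str           # "storage", "hid", "audio", ...
    vendor_id: str              # hypothetical vendor / product identifiers
    product_id: str
    encrypted: bool             # device reports hardware encryption
    when: datetime


@dataclass(frozen=True)
class Rule:
    """A rule applies only if every condition it configures matches."""
    name: str
    action: str                                   # "allow" or "deny"
    groups: Optional[FrozenSet[str]] = None       # None = any user
    buses: Optional[FrozenSet[str]] = None
    device_classes: Optional[FrozenSet[str]] = None
    hours: Optional[Tuple[time, time]] = None     # local time window
    require_encryption: bool = False
    allowed_models: Optional[FrozenSet[Tuple[str, str]]] = None

    def matches(self, ev: DeviceEvent) -> bool:
        if self.groups is not None and not (ev.groups & self.groups):
            return False
        if self.buses is not None and ev.bus not in self.buses:
            return False
        if self.device_classes is not None and ev.device_class not in self.device_classes:
            return False
        if self.hours is not None:
            start, end = self.hours
            if not (start <= ev.when.time() < end):
                return False
        if self.require_encryption and not ev.encrypted:
            return False
        if self.allowed_models is not None and (ev.vendor_id, ev.product_id) not in self.allowed_models:
            return False
        return True


@dataclass(frozen=True)
class AuditRecord:
    decision: str    # "allow" or "deny"
    rule: str        # rule that decided, or "default-deny"
    host: str
    user: str
    device: str      # "bus/class vendor:product", what the console shows IT
    alert: bool      # True when the console should notify IT


def evaluate(ev: DeviceEvent, rules: List[Rule]) -> AuditRecord:
    """First matching rule wins; an event no rule covers is denied and alerted."""
    device = f"{ev.bus}/{ev.device_class} {ev.vendor_id}:{ev.product_id}"
    for rule in rules:
        if rule.matches(ev):
            return AuditRecord(rule.action, rule.name, ev.host, ev.user, device,
                               alert=(rule.action == "deny"))
    return AuditRecord("deny", "default-deny", ev.host, ev.user, device, alert=True)


def console_message(rec: AuditRecord) -> str:
    """Line a central console would display for one agent decision."""
    tag = "ALERT" if rec.alert else "audit"
    return f"{tag}: {rec.user}@{rec.host} {rec.decision} {rec.device} (rule: {rec.rule})"


# Constructed policy in the spirit of the article's examples: keyboards and
# mice are fine for everyone; USB storage is allowed for finance staff only
# during business hours and only on an approved encrypting model; IT admins
# may attach any storage device at any time.  Everything else is denied.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
APPROVED_MODELS = frozenset({("0xAAAA", "0x0001")})   # constructed IDs
POLICY = [
    Rule("input-devices", "allow", device_classes=frozenset({"hid"})),
    Rule("finance-usb-storage", "allow", groups=frozenset({"finance"}),
         buses=frozenset({"usb"}), device_classes=frozenset({"storage"}),
         hours=BUSINESS_HOURS, require_encryption=True,
         allowed_models=APPROVED_MODELS),
    Rule("it-admin-storage", "allow", groups=frozenset({"it-admins"}),
         device_classes=frozenset({"storage"})),
]


def sample_events() -> List[DeviceEvent]:
    """Constructed agent reports used to exercise the policy."""
    enc_drive = dict(bus="usb", device_class="storage", vendor_id="0xAAAA",
                     product_id="0x0001", encrypted=True)
    plain_drive = dict(bus="usb", device_class="storage", vendor_id="0xBBBB",
                       product_id="0x0099", encrypted=False)
    return [
        DeviceEvent("pc-01", "alice", frozenset({"finance"}), "usb", "hid",
                    "0xCCCC", "0x0010", False, datetime(2006, 6, 12, 10, 0)),
        DeviceEvent("pc-01", "alice", frozenset({"finance"}),
                    when=datetime(2006, 6, 12, 10, 0), **enc_drive),
        DeviceEvent("pc-01", "alice", frozenset({"finance"}),
                    when=datetime(2006, 6, 12, 22, 30), **enc_drive),
        DeviceEvent("pc-07", "bob", frozenset({"sales"}),
                    when=datetime(2006, 6, 12, 11, 0), **plain_drive),
        DeviceEvent("pc-09", "carol", frozenset({"it-admins"}),
                    when=datetime(2006, 6, 12, 23, 0), **plain_drive),
    ]


def run_policy(events: Optional[List[DeviceEvent]] = None,
               rules: List[Rule] = POLICY) -> List[AuditRecord]:
    """Evaluate every event and return the audit trail for the console."""
    return [evaluate(ev, rules) for ev in (events if events is not None else sample_events())]


if __name__ == "__main__":
    for rec in run_policy():
        print(console_message(rec))
```

The design point worth noticing is the default: an event that no rule covers is denied and raised as an alert, so a new device type or an unknown make and model is surfaced to IT rather than silently permitted. Running the sample produces two alerts: the finance user's approved drive attached at 22:30 (outside the window) and the sales user's unapproved, unencrypted drive.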

Early users give positive reviews to the products. "We tried the policy of denying access to all [removable storage devices], but it just doesn't work," says Chris Duffy, CIO at Peirce College, which uses the ControlGuard product. "Now that we have a way to control removable storage and enforce the policy, we're actually doing the reverse: Encouraging students to carry removable devices from the lab back to their rooms, so they aren't limited by the availability of the lab machines."

Martin, Fletcher, a healthcare staffing firm and a user of Securewave's Sanctuary Device Control, likes the flexibility of USB port management. (See Healthcare Firm Secures USB.) "It allows me to give access to an executive or [other users] who legitimately need access for a certain period of time," says Fabi Gower, vice president of IS at the company. "I don’t have to tell a vice president of a department, 'Sorry, that’s just not allowed.'"

Several of the port control and endpoint security product makers have already established relationships with storage providers that embed their agents into the device drivers of the storage device itself. In this way, enterprises can mandate and enforce the use of only those portable devices that provide specified access control and/or encryption capabilities. Securewave announced its vendor certification program just yesterday.

Experts and analysts had generally positive views of the emerging category of port control products, but they warned that the need for the technology is so fundamental that it will surely catch the eye of big players such as Microsoft, Symantec, and McAfee, which already offer endpoint security suites that don't include the port control function.

"In a market like this, some consolidation is inevitable," says Dennis Szerszen, vice president of marketing and corporate strategy at Securewave. "As with any niche product, you either spread out and offer more functionality, or you get absorbed."

— Tim Wilson, Site Editor, Dark Reading

Organizations mentioned in this story

  • ControlGuard Ltd.
  • McAfee Inc. (NYSE: MFE)
  • Microsoft Corp. (Nasdaq: MSFT)
  • Pointsec Mobile Technologies
  • Reflex Magnetics
  • Safend Inc.
  • SecureWave S.A.
  • Symantec Corp. (Nasdaq: SYMC)

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
