
Desktop Ports: Leakage or Lockdown

Enterprises struggle to enforce security policies on thumb drives and other portable storage media

Do you know what devices your users are plugging into their laptops and desktops right now? And if those activities aren't authorized, do you have a way to stop them?

If your answer is "no" to both questions, you're not alone. All over the Web, IT and security managers are struggling to keep USB drives, Firewire devices, and other portable storage from carrying sensitive data outside their secure perimeter and from bringing in viruses, Trojans, or other malware.

"Our policy is that sensitive data shouldn't go out of the building, and unauthorized media shouldn't come in. But that's policy, not technology," says Phil Kirsch, systems administrator for the Statistical Center for HIV/AIDS Research in Seattle. "There are no audits or other enforcement activities. I don't know that there is any practical way to enforce it. There are just too many forms of media someone could put data on."

"Every [user] has access to [removable storage devices] right now, and they can put anything they can get access to on them," agrees Sean Grady, IT security administrator for the Eastern Band Cherokee Nation. "We are very vulnerable to internal manual attacks. I have a policy, but I cannot enforce it."

Complaints such as these aren't isolated. Last week, Dark Reading columnist Steve Stasiukonis, vice president and founder of penetration testing firm Secure Network Technologies, described a test in which 20 USB thumb drives infected with a benign Trojan were dropped around the headquarters of a credit union. Fifteen of the drives found their way onto the company's desktops and into its corporate network. (See Social Engineering, the USB Way.)

Dozens of IT and security administrators wrote to Dark Reading and Stasiukonis to say that they are struggling to plug similar vulnerabilities in their enterprises.

The problem, in a nutshell, is that most IT organizations have no way to detect what physical media are plugged into their client machines, or what data might be imported or exported from those media. At the same time, the latest portable storage devices can hold gigabytes of data in a pocket-sized form factor at consumer-level prices, which means that huge amounts of data can be transported in or out before IT can do anything about it.

In response to this confluence of events, many enterprise IT organizations have adopted one of two diametrically opposed policies: Either they disallow all portable storage devices, to the point of physically disabling USB ports, or they allow everything, because an unenforceable policy is worse than none at all.

"If you really want to prevent this sort of thing from happening, your best bet is to just disable it across the board," says Stasiukonis.

"We have no policy," says an IT administrator at a large university. "We have to allow everything."

Isn't there some middle ground here?

An emerging class of security vendors says there is. These companies -- mostly small startups with names like ControlGuard, PointSec, Reflex Magnetics, Safend, and Securewave -- have developed tools that can collect information from PC ports, informing IT about the devices they are receiving, locking out unauthorized media and, in some cases, enforcing encryption on all data that passes through those ports.

There are significant differences among these new "port control" or "endpoint security" products, but as a rule, they operate in a common model. The IT department equips each PC with a driver or agent application, costing anywhere from $10 to $50 per client, that's capable of monitoring the use of external interfaces, including USB, PCMCIA, CD/DVD burners, and other devices. Most of the vendors maintain an equipment library that can tell IT not only the type of device that's plugged into each port, but the make and model as well.

"We have a lot of customers who just use our product for that 'audit' function. They just want to know who's plugging something in, and what they're using," says David Raanan, general manager and chief marketing officer at ControlGuard. "Most of our customers find a lot of things they didn't know were being connected to their networks: thumb drives, iPods, even PlayStations."

Once they know what storage media users want to plug into their machines and why, IT administrators can use these emerging tools to create policies that can be enforced by the agent on the PC. For example, IT can disallow USB access for some groups of users while permitting it for others. Or it can allow access for all groups, but limit that access to business hours.

Virtually all of these products also offer a central console that enables administrators to manipulate permissions or monitor user activity in real time throughout the day. If a user plugs an unauthorized device into a PC port, the agent will disallow the device and send a message to the console to let IT know which user and which devices are involved.
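The agent-side decision described above (per-group rules, a business-hours window, and a console alert for each blocked device) can be sketched as follows. This is an added example, not code from any of the products named in the article; the rule format, group names, device classes, and events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Rule:
    group: str                    # user group, or "*" for any group
    device_class: str             # device class, or "*" for any class
    allow: bool
    start: time = time(0, 0)      # rule only applies inside this window
    end: time = time(23, 59, 59)

@dataclass(frozen=True)
class Event:
    user: str
    group: str
    device_class: str
    model: str
    when: datetime

def decide(rules, ev):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if (r.group in ("*", ev.group)
                and r.device_class in ("*", ev.device_class)
                and r.start <= ev.when.time() <= r.end):
            return r.allow
    return False

def enforce(rules, events):
    """Return one console alert per blocked device."""
    return [
        f"{ev.when.isoformat()} BLOCKED user={ev.user} group={ev.group} "
        f"class={ev.device_class} model={ev.model}"
        for ev in events if not decide(rules, ev)
    ]

# Hypothetical policy: one group barred from USB storage, everyone else
# allowed during business hours only.
POLICY = [
    Rule("contractors", "usb-storage", allow=False),
    Rule("*", "usb-storage", allow=True, start=time(8, 0), end=time(18, 0)),
]

# Constructed plug-in events, as an agent might report them.
EVENTS = [
    Event("alice", "staff", "usb-storage", "thumb drive", datetime(2006, 6, 14, 10, 15)),
    Event("bob", "contractors", "usb-storage", "thumb drive", datetime(2006, 6, 14, 10, 20)),
    Event("alice", "staff", "usb-storage", "thumb drive", datetime(2006, 6, 14, 22, 40)),
    Event("carol", "staff", "media-player", "iPod", datetime(2006, 6, 14, 11, 0)),
]

if __name__ == "__main__":
    print("\n".join(enforce(POLICY, EVENTS)))
```

Rule order matters: the group-specific deny sits ahead of the general business-hours allow, and a device class with no rule at all falls through to the default deny.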

Early users give positive reviews to the products. "We tried the policy of denying access to all [removable storage devices], but it just doesn't work," says Chris Duffy, CIO at Peirce College, which uses the ControlGuard product. "Now that we have a way to control removable storage and enforce the policy, we're actually doing the reverse: Encouraging students to carry removable devices from the lab back to their rooms, so they aren't limited by the availability of the lab machines."

Martin, Fletcher, a healthcare staffing firm and a user of Securewave's Sanctuary Device Control, likes the flexibility of USB port management. (See Healthcare Firm Secures USB.) "It allows me to give access to an executive or [other users] who legitimately need access for a certain period of time," says Fabi Gower, vice president of IS at the company. "I don’t have to tell a vice president of a department, 'Sorry, that’s just not allowed.'"

Several of the port control and endpoint security product makers have already established relationships with storage providers that embed their agents into the device drivers of the storage device itself. In this way, enterprises can mandate and enforce the use of certain portable devices that contain only specified access control and/or encryption capabilities. Securewave announced its vendor certification program just yesterday.

Experts and analysts had generally positive views of the emerging category of port control products, but they warned that the need for the technology is so fundamental that it will surely catch the eye of big players such as Microsoft, Symantec, and McAfee, which already offer endpoint security suites that don't include the port control function.

"In a market like this, some consolidation is inevitable," says Dennis Szerszen, vice president of marketing and corporate strategy at Securewave. "As with any niche product, you either spread out and offer more functionality, or you get absorbed."

— Tim Wilson, Site Editor, Dark Reading

Organizations mentioned in this story

  • ControlGuard Ltd.
  • McAfee Inc. (NYSE: MFE)
  • Microsoft Corp. (Nasdaq: MSFT)
  • Pointsec Mobile Technologies
  • Reflex Magnetics
  • Safend Inc.
  • SecureWave S.A.
  • Symantec Corp. (Nasdaq: SYMC)

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
