USB Flash Disks: A modern day business curse?

gallery

What’s more, the scale of the vulnerability is quite staggering. According to research recently released by SanDisk, 77 per cent of IT executives and corporate end-users surveyed admitted to using a personal drive for work reasons. Worryingly, one in four said that the data they held on such flash drives would include customer records, and 15 per cent even held business plans on a USB disk. That’s the kind of reading that can easily send chills down the spine.

Action
So how are companies reacting to it? Simply by, in many cases, disabling USB ports on computers. It may sound draconian, but the USB port is a gateway for the user to bring external storage devices into a controlled network environment. Even though the odds of damage being done tend to be slim, it’s still a problem, and a very real vulnerability.

In some ways, it harks back to the days when network administrators banned floppy disks from being used on their systems, even to the point of removing the drives in the first place. Floppy disks were an unpredictable threat, and one that was often dealt with in a zero tolerance manner precisely for that reason, to the choruses of grumbles from employees who went home at 5pm on a Friday night, not to be seen again until 9am the following Monday.

Paranoid? Perhaps, but not without good reason. Because after all, so far we’ve simply discussed accidental damage, data loss or security compromises. What if a disgruntled employee was actively looking to use a USB drive to either cause deliberate damage, or to walk away with valuable data? If it’s the latter, imagine how much they could get away with were it a 30GB MP3 player that was hooked up, rather than 1GB flash drive. How many customer records would that cover?

Perhaps, with that in mind, zero tolerance is the only approach. It’s unsurprising that this strategy is being directed towards USB ports, given that even the most conscientious of employees seems to want to use them for everything from data transfer and plugging in their MP3 player, through to charging their mobile phone.

Ignorance is bliss
Perhaps the biggest problem of all, though, is that many network managers are ignoring it, or aren’t even aware of the risk.

This is playing a dangerous game. When you read stories such as that of the LiarVB-A worm, a piece of malware that actively hunts down removable drives and writes itself to them, then it has to set alarm bells blaring. The payload of LiarVB-A was harmless, as it was intended to spread information about HIV and AIDS, but the next worm that comes round could be the one to cause widespread network destruction.

Of course, all this aside, there is an upside to the flash disk, and used in the right way, with the right protection, it’s arguably the most convenient form of physically porting data around that’s ever existed.

But it’s also, equally arguably, the most uncontrolled way of shifting data around that’s currently available, and the sheer convenience of having so much storage on such a small device is blinding many to the inherent threats. For many, they simply leave too many doors open to even consider taking the risk of allowing them near a corporate PC.

Not for nothing are some organisations referring to the drives as ‘the enemy within’. And not for nothing are those who are ignoring the threat advised to address it sooner rather than later.

Email to a friend

Print this page