USB Thumb Drives Are A Convenience, But Also A Major Threat

If you're like me, then you have a drawer full of USB thumb drives that you've collected from vendors over the years. Whenever I'm in a rush, I pop one out, copy some data to it, and transport it to its destination. Then what do I do? I usually leave it around like I do pens, sticky notes, and CD-ROM's. And while I encourage you to steal my sticky notes, I care a lot about protecting my thumb drives from theft. If you're not taking seriously the threat that removable devices pose to your network, now's the time to pay attention. Vendors and enterprise IT shops have certainly taken notice of the security risk that USB thumb drives pose. A ton of software and encryption solutions have been developed to address the problem. Further driving the need for solutions in this space are new regulatory standards for the exchange and protection of sensitive electronic information.

It's a well-known trick in the security auditing trade that dropping USB thumb drives in the parking lot of a company you want to crack is an easy way to infiltrate a network. Nine times out of 10, the unsuspecting employee will be curious about the contents of the thumb drive. Once plugged in, any viruses, malware, or scripts injected onto the drive are free to spread and compromise network security.

While viruses are right at the top of the list of reasons to disallow the use of USB thumb drives in the enterprise, data leakage is the top cause for concern for most. Fortunately, there are plenty of solutions to the problem out there, both cheap and expensive. If you're running XP, you can apply a registry hack to disable USB plug-and-play devices by brute force. That's certainly not a friendly solution, but it is a solution. Vista gives you a few more options in the way of USB device enforcement, but none rely on user credentials, which is where the more expensive enterprise offerings pickup.

ControlGuard, GuardianEdge, and Sanctuary Device Control from Lumension Security are three examples of enterprise solutions that provide protection from data leakage and malware from removable devices. More important for the security administrator, detailed logging, auditing, and regulatory compliance features are built into many of these offerings. End to end features that protect and report are enough to help CIO's sleep a little more soundly at night. And while these enterprise offerings aren'ot cheap, what's the cost of not having them?

Know of any highly effective, low-cost solutions in this space? Post a comment here and let me know about them.