Memory keys a clear and present danger
USB devices, Financial Times, 01/06/2005
They're small, they're dangerous, they're undetectable - and they're being given out free at conferences. Welcome to the terrifying world of the USB memory drive.
The Universal Serial Bus or USB interface is now very close to universal. Virtually every PC has at least one of these little rectangular ports and millions of devices can connect to them without needing any authorisation or new software.
Removable USB memory devices, smaller than a cigarette lighter but with hundreds of megabytes of storage space, can be bought for as little as £10 ($18).
They're extremely handy, but unfortunately they make it easier to do mischief as well as good. Unscrupulous employees can use them to steal sensitive company data wholesale with little fear of being detected.
Memory drives are just one part of the problem. An iPod with a 60 gigabyte hard drive, for example, could store the entire customer database of a small organisation several times over.
Research company In-Stat estimates that a total of 706m USB devices were shipped in 2004, a number set to rise to 2.1bn by 2009.
Many companies feel they can ignore the problem, because they often have no idea what is being downloaded on to USB devices.
"Administrators have no visibility of what is happening on their networks," says Dor Skuler, vice-president at USB security company Safend. "But when they run our auditing tools, companies typically find an average of four different devices connected to each PC."
An increasing number of companies, however, are becoming aware of this threat, and are looking to do something about it.
There are several possible answers. The US military is said to have solved the problem by filling USB ports with epoxy glue. Another approach is to ban USB memory devices from the office, but that is a tough policy to enforce.
USB ports can also be blocked in various other ways, either by disabling them in the computer's most basic software system, the BIOS, or by disabling the Universal Plug and Play functionality within Windows which allows them to operate.
However, these are blunt tools, the digital equivalent of epoxy glue, which would disable many other useful features at the same time.
In a sign that it has woken up to this threat, Microsoft introduced a feature into the latest version of its Windows XP operating system, known as Service Pack 2. This allows a system administrator to set all removable memory devices to read-only mode.
For Fabi Gower, vice-president at Texas-based medical staffing firm Martin, Fletcher, even this level of control wasn't nearly sufficient. "The USB ports are very difficult to disable," she says. "It is the easiest way to steal company data. It wasn't a problem, but I wanted to lock that door before somebody got through it."
About a year ago, her company adopted Sanctuary Device Control, from SecureWave, one of a number of software products which allow IT managers much more control over USB devices.
"I can now control which workstation and which user I want to give access to," she says. "I can even give an employee access for 10 minutes at 2pm on a particular day."
Several companies offer this kind of software - including Safend, SmartLine and Verdasys. Some of them can enforce the use of encryption on removable media, so data on lost or stolen devices can't be read by whoever finds it. Some also provide an audit trail so organisations can trace what was downloaded, when, and by whom.
The industries which are traditionally most concerned about security, such as banking and healthcare, have been eager early adopters, and many of these vendors boast large financial institutions on their reference lists.
While they may have met Martin, Fletcher's needs, Jay Heiser, vice-president at research group Gartner, is not yet sure they are the answer.
"This is a very immature market. It's too early to tell whether the benefits these software products bring will be great enough to justify the effort and expense of implementing and managing them," he says.
Also, the invisible nature of the USB threat means that for many companies, other issues such as viruses and hackers have higher priority.