Control of USB Storage Devices

USB storage devices are a convenient mechanism for users to store data locally or transport data from one system to another.  USB storage devices may include memory sticks, portable hard disks, smartphones, cameras, media players, and even auxiliary displays.

Historically, some USB storage devices have shipped with malicious executables that launch through autorun.  If an employee can be enticed to insert such a device, the system may be compromised unless other controls are in place.  Even when autorun has been disabled, employees may still be enticed to run malicious code stored on a USB storage device.

Removable storage media, including USB storage, also create a channel through which data can be exfiltrated from a company.

SystemExperts recommends implementing controls to limit the use of USB storage devices.  Windows 7 users should be prevented from running executables from USB storage devices unless there is a specific business justification for an individual to run such executables.

SystemExperts recommends that all employees be prevented from writing to USB storage devices unless there is a specific business requirement for an employee to have this ability.  This control is one means of limiting the leakage, or loss of control, of data.  Some companies may choose to impose this control only on employees working in specific geographic regions.

Many corporate policies make it clear that employees are responsible for protecting corporate and customer data from unauthorized access, disclosure, generation, destruction, modification or transmission.  USB storage devices undermine that responsibility: once data is written to such a device, a company can rarely control its subsequent access, transport, or transmission to other parties, whether accidental or otherwise.  Unfortunately, many companies provide no technological controls to limit access to USB storage devices.

Few companies want to block all use of USB ports, since many employees rely on them for keyboards, mice, and other human interface devices (HID).  Controls should therefore target storage devices specifically rather than the USB bus as a whole.

Many third-party tools exist on Windows to control the use of USB ports for storage.  Some control who may use USB storage, and some enforce encryption of data written to USB devices; in some cases that encryption gives the company continued control over subsequent access to the data.  Such tools include products from Code Green, McAfee, TrueCrypt, and Lumension.

Microsoft also provides various options.  These include encryption using “BitLocker to Go,” the Active Directory GPO or registry settings under Removable Storage Access that deny read, write, or execute access to removable disks, and Device Installation Restrictions that prevent the installation of some device drivers.
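As an added example, not part of the original article and not code from Microsoft or any of the vendors named above, the following PowerShell script applies the Removable Storage Access denies described above by writing the same machine-policy registry values that Group Policy writes, blocks installation of new USB disk drivers through Device Installation Restrictions, and reads the settings back for auditing.  The function names are ours; the registry paths, class GUID, and value names are the standard policy locations, but the script assumes it is run as Administrator on a test machine before any wider deployment.

```powershell
# Added example: enforce and audit USB storage restrictions on Windows.
# Run as Administrator. Assumption: these are the machine-policy registry
# locations that the Removable Storage Access and Device Installation
# Restrictions GPOs write; a reboot or "gpupdate /force" may be needed
# before the settings take effect.

# Class GUID Windows uses for "Removable Disks" under Removable Storage Access
$RemovableDisksClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$RemovableStorageKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
$DeviceInstallKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Set-RemovableDiskPolicy {
    # Maps to the GPO settings "Removable Disks: Deny write access",
    # "Removable Disks: Deny execute access" and "Removable Disks: Deny read access".
    param(
        [bool]$DenyWrite   = $true,
        [bool]$DenyExecute = $true,
        [bool]$DenyRead    = $false
    )
    if (-not (Test-Path $RemovableStorageKey)) {
        New-Item -Path $RemovableStorageKey -Force | Out-Null
    }
    Set-ItemProperty -Path $RemovableStorageKey -Name 'Deny_Write'   -Value ([int]$DenyWrite)   -Type DWord
    Set-ItemProperty -Path $RemovableStorageKey -Name 'Deny_Execute' -Value ([int]$DenyExecute) -Type DWord
    Set-ItemProperty -Path $RemovableStorageKey -Name 'Deny_Read'    -Value ([int]$DenyRead)    -Type DWord
}

function Block-UsbDiskDriverInstall {
    # Device Installation Restrictions: "Prevent installation of devices that
    # match any of these device IDs". USBSTOR\GenDisk is the compatible ID
    # reported by generic USB mass-storage disks, so matching it blocks new
    # USB disks without touching keyboards, mice, or other HID devices.
    $idsKey = Join-Path $DeviceInstallKey 'DenyDeviceIDs'
    if (-not (Test-Path $idsKey)) {
        New-Item -Path $idsKey -Force | Out-Null
    }
    Set-ItemProperty -Path $DeviceInstallKey -Name 'DenyDeviceIDs' -Value 1 -Type DWord
    # Apply the restriction to matching devices that are already installed as well
    Set-ItemProperty -Path $DeviceInstallKey -Name 'DenyDeviceIDsRetroactive' -Value 1 -Type DWord
    Set-ItemProperty -Path $idsKey -Name '1' -Value 'USBSTOR\GenDisk' -Type String
}

function Get-RemovableDiskPolicy {
    # Audit: report each Removable Disks setting as Denied, Allowed, or
    # NotConfigured (value absent), which is what a compliance check needs.
    $props = @{}
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        $value = $null
        if (Test-Path $RemovableStorageKey) {
            $value = (Get-ItemProperty -Path $RemovableStorageKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        if ($null -eq $value)  { $props[$name] = 'NotConfigured' }
        elseif ($value -eq 1)  { $props[$name] = 'Denied' }
        else                   { $props[$name] = 'Allowed' }
    }
    return New-Object PSObject -Property $props
}

# Usage: allow reading from USB disks but deny writing and executing, which
# matches the recommendations above, then block new USB disk installs and audit.
Set-RemovableDiskPolicy -DenyWrite $true -DenyExecute $true -DenyRead $false
Block-UsbDiskDriverInstall
Get-RemovableDiskPolicy | Format-List
```

Two caveats a practitioner would want.  On a domain-joined machine, Group Policy will overwrite local edits to these keys at the next refresh, so the settings should be deployed through a GPO rather than by running this script directly; the script is useful for testing the effect and for auditing.  Device Installation Restrictions only stop drivers for newly attached devices, so disks whose driver is already installed are governed by the Removable Storage Access denies, which is why both controls are applied together.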