Security Basics mailing list archives

RE: USB and smart drives


From: "ken kousky" <kkousky () ip3inc com>
Date: Tue, 9 Mar 2004 09:05:40 -0500

Part of the issue is policy but the other half is having the technology to
audit and enforce. The policy is useless without the infrastructure so you
must have both.

KWK


-----Original Message-----
From: steve [mailto:securityfocus () delahunty com] 
Sent: Monday, March 08, 2004 2:18 PM
To: Mike; Benny Late; security-basics () lists securityfocus com
Subject: Re: USB and smart drives

How would this be different than any policy, or lack thereof, that covers
the use of floppy disk drives?  There are many similarities.  The difference
lies in the fact that these USB devices can copy larger quantities of data,
but some of the same issues apply as with floppy disks.  Due to the USB drive sizes
I think the root policy is the protection of corporate data, intellectual
property.  Should have a policy against copying data to USB drives if you
can get approval of that.


----- Original Message ----- 
From: "Mike" <mike () superiorholidayadventures ca>
To: "Benny Late" <lvmygop () hotmail com>;
<security-basics () lists securityfocus com>
Sent: Friday, March 05, 2004 8:26 AM
Subject: RE: USB and smart drives


Has anyone implemented a policy or process to protect networks from
viruses brought in by users with USB drives, that are not company issued
so no passwords etc.

I'm thinking that AV with on access and write to disc scans should help,
but I'd like to see some of the policies others have implemented.

Policy?  "Don't bring them in.  If you do, and the network becomes
infected you lose all computer privileges."

But that shouldn't happen (network becomes infected) if:

Process?  Have some form of anti-virus installed on all client computers
and server.  Schedule regular daily virus updates.  Schedule weekly
virus sweeps.

If your anti-virus is good, and your definitions are current, you should
be able to stop virus outbreaks.  If not, then good luck to you! :)

Mike Fetherston

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

