Security Basics mailing list archives

RE: Flash Drive Policy


From: "Hill, Pete" <Pete.Hill () sit-up tv>
Date: Tue, 14 Oct 2008 17:19:01 +0100

Jon,

We use a program called Devicelock to lock down our users' ability to
attach USB devices.

Even as local admins, it is not possible to disable the software (it runs
as a service), and no USB device can be used unless expressly set up in
the software.

http://www.devicelock.com/

Whilst I agree with you in principle that there is no place for USB
drives in the workplace, the nature of a business (as well as the
technology in a business) will determine whether they are a "must" or
"must not" have item. For example, all of the PCs here use USB
keyboards and mice.

Pete

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jon Kibler
Sent: 12 October 2008 14:39
To: Steve Armstrong
Cc: Steven Bonici; security-basics () securityfocus com
Subject: Re: Flash Drive Policy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Armstrong wrote:
I must take issue with your 2nd point, as I believe the 'head in the
sand' approach to USB devices is so 1990s. USB is used in most
businesses and it will continue to increase with the demise of open
network shares on corp LANs (aka the swap share) and the introduction
of desktops to the corp environment without PS/2 interfaces.

I agree that policy and appropriate software can reduce the risk from
USB devices, but that is not our call (security advisors); it's the risk
owners' - who in my experience are some of those asking for them in
the first place.


Steve,

The problem I have is that most risk owners do not understand security
and the regulatory and business policies that drive them. That is why
security develops and deploys security policy. So, I would argue that it
IS the place of security to set policy for USB devices.

Regarding network shares, a lot of organizations are moving to all
network-based storage, and either thin clients or no data stored on
local desktops. In such an environment, sharing data simply becomes a
matter of setting the correct access permissions. Collaboration software
suites (SharePoint, Zimbra, etc.) are also being used to accomplish such
sharing.

Then, at least here in the states, we have regulatory issues that come
into play when you look at removable media issues. When you have to have
full audits of "who did what to this data, how, when, and from where",
the use of USB or other removable media simply makes these types of
audit trails impossible. So, I stick with my original statement that
there is no place for USB or other removable media in the workplace.

Finally, you indicated that there is 'appropriate software' that can
reduce the risks associated with USB drives. Please give some examples!
I have not seen any type of USB management software that cannot be
easily defeated by the typical desktop user -- especially if they have
local admin rights (which I find over 95% of all corporate desktop users
have!). I have yet to find a USB management package that would prevent
an attack as simple as plugging in a USB hub and using it to share your
rodent and a USB drive.

So, bottom line... I have to disagree. I stick by my argument that you
should not allow any USB or other removable media in the workplace.

Jon
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjx/dkACgkQUVxQRc85QlMSWgCdH+a9Gl99xERqdoE4OvqTIYnS
V/oAoIrLRW0Mo7wT35t14gT8Sg41xzOr
=c8TG
-----END PGP SIGNATURE-----
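Pete's description (a service that refuses every device not expressly set up) and Jon's hub objection turn on one design question: whether the control keys on the port or on the device's own descriptors. The following is an added example, not code from Devicelock, from anyone on this list, or from any product; it evaluates a USB topology against a class allowlist plus an explicit VID:PID allowlist, which is the model USBGuard applies on Linux through the kernel's per-device `authorized` flag. The device names and VID/PID values are constructed placeholders, not real vendor identifiers.

```python
"""Class-based USB allowlisting, evaluated per interface rather than per port.

Added illustration, not code from Devicelock or from anyone on this thread.
The devices below are constructed sample data; VID/PID values are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Base class codes from the USB-IF class code table (bInterfaceClass).
USB_CLASS_HID = 0x03            # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08   # flash drives, card readers
USB_CLASS_HUB = 0x09


@dataclass
class UsbDevice:
    """A device as its descriptors present it, plus the hub it hangs off."""
    name: str
    vid: int
    pid: int
    interface_classes: Tuple[int, ...]      # one entry per interface
    parent: Optional["UsbDevice"] = None    # None for a root port


@dataclass
class Policy:
    allowed_classes: FrozenSet[int]              # classes any device may expose
    allowed_ids: FrozenSet[Tuple[int, int]]      # (vid, pid) pairs expressly set up


def evaluate(dev: UsbDevice, policy: Policy) -> Tuple[bool, str]:
    """Decide one device. Every interface must pass, so a composite
    'keyboard with built-in storage' is refused as a whole."""
    if (dev.vid, dev.pid) in policy.allowed_ids:
        return True, "expressly allowed by VID:PID"
    bad = [hex(c) for c in dev.interface_classes
           if c not in policy.allowed_classes]
    if bad:
        return False, f"interface class {bad} not in allowlist"
    return True, "all interfaces in class allowlist"


def evaluate_tree(devices: List[UsbDevice],
                  policy: Policy) -> Dict[str, Tuple[bool, str]]:
    """Decide a whole topology. Each device is judged on its own descriptors:
    an allowed hub confers nothing on what is plugged into it, and a blocked
    hub takes its children with it (they never enumerate).
    Devices must be listed parents-first."""
    results: Dict[str, Tuple[bool, str]] = {}
    for dev in devices:
        if dev.parent is not None and not results[dev.parent.name][0]:
            results[dev.name] = (False, f"upstream hub '{dev.parent.name}' is blocked")
            continue
        results[dev.name] = evaluate(dev, policy)
    return results


def hub_scenario() -> Dict[str, bool]:
    """The 'hub sharing a mouse and a flash drive' case from the thread,
    with a composite device and one expressly approved drive added."""
    policy = Policy(
        allowed_classes=frozenset({USB_CLASS_HID, USB_CLASS_HUB}),
        allowed_ids=frozenset({(0x1234, 0x0005)}),   # placeholder ID, approved drive
    )
    hub = UsbDevice("hub", 0x1234, 0x0001, (USB_CLASS_HUB,))
    mouse = UsbDevice("mouse", 0x1234, 0x0002, (USB_CLASS_HID,), parent=hub)
    flash = UsbDevice("flash drive", 0x1234, 0x0003,
                      (USB_CLASS_MASS_STORAGE,), parent=hub)
    combo = UsbDevice("keyboard with storage", 0x1234, 0x0004,
                      (USB_CLASS_HID, USB_CLASS_MASS_STORAGE))
    approved = UsbDevice("approved drive", 0x1234, 0x0005, (USB_CLASS_MASS_STORAGE,))
    results = evaluate_tree([hub, mouse, flash, combo, approved], policy)
    return {name: allowed for name, (allowed, _) in results.items()}


if __name__ == "__main__":
    for name, verdict in hub_scenario().items():
        print(f"{name:24s} {'ALLOW' if verdict else 'DENY'}")
```

Because the decision is made per interface class and not per port, the hub is allowed, the mouse behind it is allowed, and the flash drive behind the same hub is still refused; a combined keyboard-plus-storage device is refused as a whole. Two caveats a practitioner should keep in mind: the check trusts the descriptors, so a device that presents itself as a keyboard while injecting keystrokes passes a class filter (this controls storage, not malicious HID), and any host-resident enforcement can only hold against a local administrator to the extent the operating system lets the service protect its own configuration and driver, which is Jon's point about admin rights.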



