
How do you prevent USB memory stick data thefts?

by
18th Aug 2006

One of the hallmark crimes of the digital age involves the theft of billions of pounds' worth of intellectual property, but is hardly ever reported or prosecuted. It's what happens when data gets sucked on to a USB memory stick or another storage device and goes out the door.

The advent of Apple's iPod and other MP3 devices that can be configured to store other kinds of data has added to the nightmare, with people using the innocuous-looking devices to "pod slurp" valuable corporate data.

It's an increasingly common occurrence, but what can you do about it? Having reason to suspect that a former employee may have copied details from a client database, financial services company financial controller Rob Derry came to the Any Answers page a few weeks ago to ask, "Does anyone know how to stop a PC from using a USB stick?"

USB sticks pose a serious danger, he commented, "And I want to be able to stop people just plugging them in and potentially copying large chunks of commercially sensitive information."

PricewaterhouseCoopers agrees. The firm's research for the DTI's 2006 Information Security Breaches survey found that 43% of UK businesses had nothing more than authorised-use policies in place to prevent staff copying data on to personal USB memory sticks. A similar number (41%) had no policy at all, and only 14% had controls in place to prevent such devices being attached to the company network.

In addition to his finance role, Derry is responsible for IT matters within his company and posted his query to research how he could minimise the risk of data thefts. Some lively contributions from AccountingWEB members established that technical solutions to this problem do exist - but they can be circumvented.

Richard Carey was first to respond with a recommendation to have a look at Reflex Disknet Pro. This system includes a removable media manager that allows the network administrator to control access to identified devices, to set them to read-only access, or only allow named devices to download encrypted data.

DeviceWall offers a similar service, but in a background briefing on USB lockdowns, it warned that a complete blockade can affect productivity.

Microsoft is conscious of the issue, and is including a feature it calls BitLocker in Windows Vista that will allow companies to encrypt all of the data on their hard drives. For Windows XP users, Gavin Kelly posted links to a couple of Microsoft support guides covering How to disable the use of USB storage devices and Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers.

The first article is based around altering the registry keys for storage devices, which can set them to "write protect". But it's important not to get too obsessed about the USB threat: data can also leave the building via email, CD-Rs or floppy disks, or via the PC's various data ports: serial, parallel, Wi-Fi, Bluetooth or infrared.
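The two registry settings the linked Microsoft guides rely on can be audited and applied from an administrative PowerShell prompt. The script below is an added example for this article, not code from AccountingWEB, from Microsoft's support guides or from any of the products mentioned; the `-Mode` parameter and the function names are this example's own choices, while the registry paths and values (USBSTOR `Start` = 4 to stop the USB storage driver loading, `StorageDevicePolicies\WriteProtect` = 1 to make removable storage read-only on Windows XP SP2 and later) are the ones Microsoft documents.

```powershell
# Added example (not from the article or the Microsoft guides it links).
# Audits, and optionally applies, the two registry settings behind a
# registry-based USB storage lockdown. Run from an elevated prompt.
#
#   HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start
#       3 = driver loads on demand (USB storage works), 4 = driver disabled
#   HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
#       1 = removable storage is read-only (reading from a stick still works)
#
# -Mode is this example's own parameter: Audit (default), ReadOnly or Block.
param(
    [ValidateSet('Audit', 'ReadOnly', 'Block')]
    [string]$Mode = 'Audit'
)

$usbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

# Report the current state of both settings without changing anything.
function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $usbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $writeProtect = $null
    if (Test-Path $policyKey) {
        $writeProtect = (Get-ItemProperty -Path $policyKey -Name WriteProtect `
            -ErrorAction SilentlyContinue).WriteProtect
    }
    [pscustomobject]@{
        UsbStorStart   = $start
        DriverDisabled = ($start -eq 4)
        WriteProtect   = $writeProtect
        ReadOnly       = ($writeProtect -eq 1)
    }
}

# Make removable storage read-only: sticks can be read but not written to.
function Set-UsbStorageReadOnly {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name WriteProtect -Value 1 -Type DWord
}

# Stop the USB mass-storage driver from loading at all.
function Disable-UsbStorageDriver {
    Set-ItemProperty -Path $usbStorKey -Name Start -Value 4 -Type DWord
}

switch ($Mode) {
    'ReadOnly' { Set-UsbStorageReadOnly }
    'Block'    { Disable-UsbStorageDriver }
}

# Always finish by showing the resulting state so the change can be verified.
Get-UsbStorageState | Format-List
```

Running the script with no parameters only reports the state, which is a useful first step across a fleet before deciding whether read-only or a full block is appropriate. Both values live under HKLM, so a user with local administrator rights can simply set them back; that is the kind of circumvention the article goes on to describe, and it is why these settings are better pushed and re-applied through Group Policy than set once by hand.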

Chris Papps responded that group policies and registry settings are easy enough to get round and that some companies superglue their PCs' USB ports.

However, as Deborah Minifie pointed out, miscreants can also use a pencil or a PDA. Si Saunders commented, "I think that you have to accept that a rogue employee will always manage to get information out of the company if they really want to. Whether they seemingly work late and make photocopies or use email, floppy disk, USB key or whatever - if they are determined, this information will get out."

When the issue was put to information security expert Stewart Twynham of Bawden Quinn, he noted that Excel worksheets, Word documents and other "flat" database files were the most prone to being copied. These also usually hold the data that people leaving to start their own companies want.

"You can protect a small amount by putting in blockers, but the best way to protect data is take it off PCs and think about how to secure it on your network."

Most software applications and databases such as the one Rob Derry uses will include encryption or password protection options. "It sounds like they've saved a back-up to a freely accessible directory," Twynham commented on Derry's situation.

"If you make a back-up, make it inaccessible to ordinary users and make it as difficult as possible to restore. Online backing-up is good because you are not making extra copies available on your network."

Some applications use client software that reads and writes data files on the user's behalf, but does not allow them a complete view of the database, Twynham said. "They only get what the front-end gives them." One of the benefits of commercial applications is that the user may also need to run a version of the software to get at the data.

BDO Stoy Hayward's John Clough commented that for larger networks, it might be feasible to consider using Microsoft Terminal Server or Citrix with terminals to lock down the entire network.

Three weeks on, Derry is thankful for the advice, but is still looking for a practical solution to his USB security concern. "Judging by the content of the replies, it is quite difficult and almost pointless, as anyone with a bit of IT knowledge could probably get round it.

"If someone wants to use the data for their own gain they will do. You may suspect that this has happened but would you enforce it in law? That means taking your eye off the ball of running the company."

Si Saunders raised the big "soft" issue that plagues information security: "Probably the biggest threat is what is in the employees head - and this you'll never stop."

The solution, he suggested, "Is to employ genuine, honest people who are less likely to commit this sort of act, and then retain them. This means making them happy both in their job and financially. By reducing staff churn you greatly reduce the number of people with any desire to steal such information - what use is this information to someone with no interest in leaving the firm?

"This can be combined with good staff education to reduce the chance of accidental information leaks."

This diagnosis was echoed by Stewart Twynham. "Technology is only one part of this. Train staff to look out for these things - like the former employee ringing back to ask for a phone number. Training and education is about building an atmosphere where there is an element of trust and untrustworthy people stand out."

But what do you do if, as Derry suspects, the data has already bolted? Very, very few data theft cases ever reach court, though the threat of prosecution, or of withholding final payments, can sometimes lead to out-of-court agreements not to use the information.

But, as Derry noted, "If the courts are required, the commercial damage would have been done before any judgement is made, let alone enforced.

"All you can do is work on the assumption that someone doing this can't do any damage because they can't do any better with the data than you can. Someone who might be doing this is probably working on their own and has no infrastructure behind them."
