USB devices have received a ton of focus over the past few years as THE device IT needs to be worried about. As an extremely mobile storage medium, USB devices can easily carry malicious code into an organization or sensitive corporate data out. Podslurping is a great example of the hype.
So IT reacts, locks down the USB ports, most likely by disabling them (which XP and Vista allow natively), and thinks they're now safe. While that is true in the context of USB devices, the organization is hardly safe.
Take my laptop for example - I have Bluetooth built in, which allows me (on a side note) to use a VERY cool Bluetooth mouse from Newton Peripherals. But it also allows me to connect to a Bluetooth-enabled cell phone and transfer files.
As a quick test, I paired a cell phone (a Samsung SPH-A900) to my laptop and transferred a file over to the cell phone - all in under about 3 minutes.
The cell phone I used has 64MB of flash memory - while hardly comparable to the 4GB and 8GB USB flash drives out today, you can still hold a ton of information exported to CSV... And with a cell phone holding the newly transferred data, it can be emailed out of the company or transferred to another device via Bluetooth and then deleted from the phone, with no trace it was ever copied should someone inspect the phone. This is VERY potent stuff!
This example of using Bluetooth instead of USB is merely one of many access methods IT needs to consider. Consider the following additional methods for stealing corporate data or introducing malicious software from a standard desktop or laptop that are NOT currently being locked down:
- FireWire Drives (theft at the speed of light)
- Floppies (remember those!?!?!?)
- Infrared (it's not just for printing...)
- Modems (all you need is a phone jack...)
- Serial Port (e.g., establish an FTP session to a laptop not allowed on the corporate net via serial cable)
- PC Card-based storage
- PC Card-based cell device to access the Internet (Gmail, anyone?)
- Wi-Fi devices (ad-hoc wireless can be your enemy)
Our customers use the USB & Port Security option within Desktop Authority to granularly secure all of the ports mentioned. With this option, each type of port can be locked down, and those that are read-write (such as a CD-Burner) can be set to read-only, which helps balance the implementation of security with the preservation of user productivity (e.g., making a CD-Burner read-only so that a user can at least read CDs they need for their job, but cannot burn any information off to CD).

It's time for IT to wake up a bit and realize if they are going to truly secure their network from malicious software and/or data theft, they need a comprehensive security plan.