Preventing data leaks on USB ports: Pointsec Device Protector regulates access and data for any plug-and-play peripheral.

Summary

Regulating the electronic flow of information stored in digital format has never been so hard. Most organizations have attempted to reduce the risk of data leaks from servers and networks with firewalls, intrusion prevention, authentication and access controls. The mobility trend driving widespread use of laptops for remote and mobile computing has recently spurred the use of encryption solutions for protecting data on devices that are lost or stolen. But now a new risk is sidestepping these controls, one that creates the opportunity for data to slip outside the protective net without detection. The culprit is any plug-and-play storage device attached to the USB port of a stationary PC or laptop.

The USB port enables use of many peripherals, including storage devices. Digital music players can hold huge quantities of MP3 files, and also files in any other format: word processing, PDF, spreadsheet, database, photo or multimedia. USB memory sticks do the same thing, albeit without the capability to play back stored multimedia. Digital cameras can store files. So can cell phones, portable hard disks, personal digital assistants, and many other mobile devices. The danger stems from operating systems that almost always recognize and authorize any USB-connected storage device the instant it is plugged into an enterprise endpoint. This Achilles heel effectively makes all endpoints susceptible to data leaks. Danger can also flow in the other direction, when a newly attached storage device carries virus-infected files or malicious applications onto the endpoint, and potentially throughout the enterprise network.

When data leaks out, the resulting glare of public exposure often triggers consumer outrage, regulatory scrutiny, or punishment by financial markets. Civil and criminal convictions may also follow for the individuals responsible for the conditions leading to a leak in organizations subject to laws and regulations such as HIPAA, Gramm-Leach-Bliley, and Basel II.
The Pointsec strategy for securing enterprise-wide endpoints is called Data Leak Protection. The strategy addresses a variety of risks affecting enterprise endpoint security. This white paper explains how organizations can stop data leaks through storage devices attached to endpoint USB ports, or to any other plug-and-play connection including Bluetooth, FireWire, WiFi, serial or parallel ports. It describes the parameters of the risk, and how a solution called Pointsec Device Protector controls access and data for external storage devices plugged into PCs.

USB Ports are a New Vector for Data Leaks

Organizations are under great pressure to do a better job of securing enterprise and personal data. A continuous flow of news stories shows that data leaks are widespread. According to the Privacy Rights Clearinghouse, more than 100 million records containing private personal information have been lost or stolen since the massive leak from ChoicePoint in 2005 (1). The real number is probably higher, because organizations are reluctant to disclose data leaks or related problems with cyber security. The public scrutiny, embarrassment, and financial and judicial penalties triggered by data leaks have stimulated steady efforts to strengthen security.

Among the "most critical issues" are data protection, compliance, data leaks, viruses and worms, and access control, according to a recent survey by the Computer Security Institute and the Federal Bureau of Investigation's Computer Intrusion Squad (2). In addressing these issues, enterprises have found that they need different solutions for the particular vulnerabilities at each layer of the networked information system. The most common security technologies include firewalls, antivirus and antispyware software, intrusion detection and prevention, encryption, and access control and authentication. Enterprises are becoming aware of another significant vector for data leaks that evades control by the traditional layered security technologies: the innocuous USB port on endpoint devices.

USB stands for Universal Serial Bus, an interface standard natively supported by popular operating systems such as Windows, Mac OS X, and Linux. The USB standard is intended to ease the interconnection of PCs and laptops with peripheral devices. Its hallmark is automatic recognition of any device plugged into a USB port, without requiring the user to intervene with mouse clicks or keyboard commands. USB has become commonplace for keyboards, printers, televisions, home stereo equipment, video game consoles, and storage devices. Unfortunately, the technology that has streamlined the cost of interconnection has also become a critical point requiring the attention of security administrators. Storage devices are the point of danger for data security, because people constantly plug personal storage devices into their work PC to upload music or wallpaper images, or to transmit digital photos over the Internet. Their intent may be innocent. But the ability to siphon corporate data from an endpoint through the USB port onto a portable storage device places organizations at considerable risk of undetected data leaks and exposure to malicious files.

How USB Exposes Endpoints to Leaks

A standard corporate desktop PC may have up to eight USB ports. Some are required for peripherals such as a keyboard or security token reader, but there are usually one or more unused ports. By default, USB ports are "always on," ready to serve any USB-enabled device that is plugged into the endpoint computer. An enterprise may choose to disable USB via Windows Group Policy and an ADM template.
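What that Group Policy control amounts to on the endpoint, shown as an added PowerShell example that is not from the Pointsec paper. The first function is the all-or-nothing control of the Windows 2000/XP era that the paper refers to (the widely circulated ADM template stops the USB mass-storage class driver). The other two use the Removable Storage Access and Device Installation Restrictions policies that Windows added from Vista onward, which do give read-only and per-device allow-list control. The hardware IDs of the "corporate" drive are placeholder assumptions; the values written are the local-registry equivalents of the policy settings, so in a domain they belong in a GPO rather than in a per-machine script. Run it elevated on a test machine.

```powershell
#Requires -RunAsAdministrator
# Added example, not Pointsec code. Local-registry equivalents of the Group
# Policy settings; in a domain, set them through a GPO instead.

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. The all-or-nothing control (Windows 2000/XP era, Microsoft KB 823732):
#    stopping the USB mass-storage class driver removes every removable disk
#    on every port, and nothing can be allowed selectively. Start = 3 restores it.
function Disable-UsbStorageCoarse {
    Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start' 4
}

# 2. Read-only removable disks (Removable Storage Access policy, Vista and up).
#    Users can still read from a drive but cannot write to it or run programs from it.
function Set-RemovableDisksReadOnly {
    $removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    Set-PolicyValue $removableDisks 'Deny_Write'   1
    Set-PolicyValue $removableDisks 'Deny_Execute' 1
}

# 3. Allow-list by device (Device Installation Restrictions, Vista and up):
#    block installation of any device not listed, then list the corporate drive.
#    Every node of the drive's PnP tree that Windows has to install must match an
#    allow rule; verify on a test machine which ones, reading the exact strings
#    from Device Manager > Details > Hardware Ids. The IDs below are placeholders.
function Set-DeviceAllowList {
    param([string[]]$AllowedHardwareIds)
    $dir = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    Set-PolicyValue $dir 'DenyUnspecified'   1
    Set-PolicyValue $dir 'AllowAdminInstall' 1   # administrators may still install when troubleshooting
    Set-PolicyValue $dir 'AllowDeviceIDs'    1
    $i = 1
    foreach ($hwid in $AllowedHardwareIds) {
        Set-PolicyValue "$dir\AllowDeviceIDs" ([string]$i) $hwid 'String'
        $i++
    }
    # DenyUnspecified also blocks every new keyboard, mouse and hub, so allow
    # those setup classes explicitly or the next docking station will not work.
    Set-PolicyValue $dir 'AllowDeviceClasses' 1
    $classes = @(
        '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'  # HIDClass
        '{4d36e96b-e325-11ce-bfc1-08002be10318}'  # Keyboard
        '{4d36e96f-e325-11ce-bfc1-08002be10318}'  # Mouse
        '{36fc9e60-c465-11cf-8056-444553540000}'  # USB hubs and host controllers
    )
    for ($j = 0; $j -lt $classes.Count; $j++) {
        Set-PolicyValue "$dir\AllowDeviceClasses" ([string]($j + 1)) $classes[$j] 'String'
    }
}

# Use either the coarse control or the granular ones, not both: with USBSTOR
# disabled the allow-list has nothing left to allow.
Set-RemovableDisksReadOnly
Set-DeviceAllowList -AllowedHardwareIds @(
    'USB\VID_0781&PID_5567',                     # the USB device itself (placeholder)
    'USBSTOR\DiskSanDisk_Cruzer_Blade____1.00',  # its mass-storage disk child (placeholder)
    'STORAGE\Volume'                             # generic volume node under an allowed disk
)
gpupdate /force
```

Two caveats a practitioner will hit. DenyUnspecified applies at installation time, so devices already installed on the machine keep working until their driver is removed. And neither the USBSTOR setting nor the removable-disk policy covers a phone or camera attached in MTP/PTP mode: that enumerates as a Windows Portable Device rather than as a removable disk, has its own entry in RemovableStorage.admx, and is caught by the allow-list step only because DenyUnspecified blocks everything not listed.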
Unfortunately, this Group Policy capability does not give administrators granular control. It is all or nothing: the setting applies to every USB port on the endpoint, so there is no way to permit one approved device while blocking the rest, or to grant read-only access. And since most endpoints now require USB for mandatory peripherals, this control is of little practical use. One alternative is physical restraint of unused ports. A popular urban myth in IT circles involves injecting epoxy glue into unused USB ports, but it's hard to imagine inflicting such permanent damage on expensive business equipment. Some vendors sell plug-in USB "locks" to physically secure unused ports. Physical blocking will do little, however, to stop a user with malicious intent from simply unplugging an existing USB peripheral and inserting an unauthorized storage device in its place.

EASE OF DATA MOVEMENT WITH USB STORAGE

A typical device in this category is a USB flash drive, which stores digital files on NAND-type flash memory (see adjacent photo). The flash drive may also be called a "USB key," "pen drive," "thumb drive," or "chip stick." When a flash drive is plugged into an endpoint's USB port, the endpoint's operating system automatically recognizes the device, loads its driver, and enables file transfers with Windows Explorer or similar applications.
Some endpoints may allow execution of programs stored on a flash drive. Currently, flash drive capacity may be up to 16 gigabytes. Connections are implemented with a set of standards called the USB mass-storage device class. Designers did not intend USB to serve as the primary bus for an endpoint's internal storage, as SCSI does, but it does a fair job for non-demanding applications. The USB standard supports three data rates:

* Low Speed, 1.5 Mbit/s (187.5 kB/s); used for Human Interface Devices (mice, keyboards)
* Full Speed, 12 Mbit/s (1.5 MB/s)
* Hi-Speed, 480 Mbit/s (60 MB/s)

The USB flash drive appears to the user exactly like another internal drive on the endpoint computer, so its plug-in capability and small size make it ideal for sneaking sensitive data out of the enterprise. The flash drive is not the only USB device capable of swift and secret data theft; any of the USB storage devices mentioned above can serve the same purpose.

POD SLURPING AND OTHER TECHNIQUES

Stealing data with USB storage does not require a long script. One simply plugs the storage device into a USB port, opens Windows Explorer and drags the target files onto the device. This can be done by a malicious insider, or even by a well-meaning insider who is trying to do their job but is unaware of the security policies that would otherwise prevent a data leak. One of the most popular USB storage devices is the iPod multimedia player from Apple Computer, Inc. Consequently, some people have coined "pod slurping" as a hip term for transferring files to a USB storage device. A related term is "camsnuffing," which applies to using a digital camera to photograph documents or objects and then transferring the images to an unauthorized recipient. Likewise, "bluesnarfing" entails stealing data from a wireless device through a Bluetooth connection. Whatever the term, it is very easy to move digital files from an endpoint to a USB storage device. These transfers usually go undetected by enterprise security controls. And once data has moved to a small storage device, it is usually easy to carry it outside the enterprise and on to nefarious use by unauthorized people.

Pointsec Device Protector: A Simple Solution for USB Port Security

Pointsec Device Protector is a software-based solution for enterprise-wide control of storage device access through USB and other I/O ports, and of the data flowing through those connections. It gives the system administrator a policy-driven port security system with granular control of USB access to endpoints: no access, read-only access, or full access for authorized devices, enforced through black lists and white lists. The level of control is configurable by a security administrator, which is critical for striking the best balance between security and cost. In some enterprises, a rigid security policy puts new strain on end-user work patterns. Pointsec's objective is to offer a customized endpoint security solution that minimizes changes to end-user behavior while addressing the most critical elements of the organization's security policy. As a client-server solution, Device Protector consists of management software on a server and small-footprint client software installed on each enterprise endpoint. Black list and white list capability is enforced on clients by kernel-mode filter drivers. Device Protector's Removable Media Manager uniquely identifies each device on the network using a digital signature. Client software can be silently deployed using any existing Microsoft Windows Installer (MSI) or command line-compatible software distribution package. Device Protector also provides a Deployment Server for distribution and management of the product. The solution integrates transparently with the existing network infrastructure.

ENTERPRISE PORT CONTROL

Device Protector supports both white-list and black-list control of removable media and I/O devices on any port (USB, FireWire, IDE, Bluetooth, etc.). The system administrator can centrally manage access to all devices, both known and unknown. Using white-list security, Device Protector denies access to ALL devices except those specifically permitted. Using black-list security, it grants access to all devices apart from explicitly untrusted ones. Device control can be either on a global device-type basis, or as specific as a particular brand and model of device. Pointsec Device Protector provides the following modes of operation; each can be applied per device type, model or brand.

* No access
* Read-only access
* Read-only signed access
* Full access
* Full encrypted access (using the Encryption Policy Manager)
* Full encrypted access with the ability to access data offline

Device Management, Content Filtering and Optional Encryption

Device Protector includes a media authorization system that digitally tags and authorizes devices based on content. A digital signature is written to each device to mark it as "authorized."
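As an added example that is not Pointsec's code, the following PowerShell shows the kind of decision a white-list or black-list port control makes at each level of specificity listed above, and why the device identity it matches on matters for the signed-media approach just described. It parses the instance IDs Windows assigns to USB mass-storage devices (USBSTOR\<type>&VEN_<vendor>&PROD_<model>&REV_<rev>\<serial>&<lun>), matches them against rules keyed on type, brand, model or individual serial, lets the most specific matching rule win, and falls back to a default that makes the policy a white list (deny unless listed) or a black list (allow unless listed). The rule set and the sample instance IDs are constructed for the demonstration.

```powershell
# Added example, not Pointsec code: a white-list / black-list evaluator for
# USB mass-storage devices keyed on the instance ID Windows assigns them.

function ConvertFrom-UsbStorInstanceId {
    # USBSTOR\<type>&VEN_<vendor>&PROD_<model>&REV_<rev>\<serial>&<lun>
    param([Parameter(Mandatory)][string]$InstanceId)
    $m = [regex]::Match($InstanceId,
        '^USBSTOR\\(?<type>[^&]+)&VEN_(?<ven>[^&]*)&PROD_(?<prod>[^&]*)&REV_[^\\]*\\(?<serial>[^&\\]+)',
        'IgnoreCase')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Type   = $m.Groups['type'].Value.ToUpper()   # DISK, CDROM, ...
        Vendor = $m.Groups['ven'].Value.ToUpper()
        Model  = $m.Groups['prod'].Value.ToUpper()
        Serial = $m.Groups['serial'].Value.ToUpper()
    }
}

# Rule specificity: an individual device beats its model, the model beats the
# brand, the brand beats the device type. The default decides the policy style.
$Specificity = @{ Serial = 4; Model = 3; Vendor = 2; Type = 1 }

function Get-DeviceAccess {
    param(
        [Parameter(Mandatory)][string]$InstanceId,
        [Parameter(Mandatory)][object[]]$Rules,
        # 'NoAccess' default = white list (deny everything not listed);
        # 'Full' default     = black list (allow everything not listed).
        [ValidateSet('NoAccess', 'ReadOnly', 'Full')][string]$Default = 'NoAccess'
    )
    $dev = ConvertFrom-UsbStorInstanceId $InstanceId
    if ($null -eq $dev) { return 'NoAccess' }          # unrecognised ID: fail closed
    $best = $null
    foreach ($r in $Rules) {
        $actual = switch ($r.Match) {
            'Serial' { $dev.Serial }
            'Model'  { "$($dev.Vendor)/$($dev.Model)" }
            'Vendor' { $dev.Vendor }
            'Type'   { $dev.Type }
        }
        if ($actual -eq $r.Value -and
            ($null -eq $best -or $Specificity[$r.Match] -gt $Specificity[$best.Match])) {
            $best = $r
        }
    }
    if ($best) { $best.Mode } else { $Default }
}

# Constructed white-list policy: nothing is allowed unless a rule says so.
$Rules = @(
    @{ Match = 'Vendor'; Value = 'SANDISK';              Mode = 'ReadOnly' }  # corporate brand: read only
    @{ Match = 'Model';  Value = 'SANDISK/CRUZER_BLADE'; Mode = 'Full'     }  # issued model: full access
    @{ Match = 'Serial'; Value = '4C530001230607121234'; Mode = 'NoAccess' }  # one drive reported lost, revoked
    @{ Match = 'Type';   Value = 'CDROM';                Mode = 'ReadOnly' }  # optical media: read only
)

# Constructed instance IDs in the format Windows reports for USB mass storage.
$Samples = @(
    'USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530001230607121234&0'   # revoked -> NoAccess
    'USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530009876543210000&0'   # issued model -> Full
    'USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\AA010203040506&0'                # same brand -> ReadOnly
    'USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER&REV_PMAP\0019E06B1234&0'          # unlisted -> NoAccess
    'USBSTOR\CDROM&VEN_ASUS&PROD_SDRW-08D2S-U&REV_B901\202104150001&0'             # optical -> ReadOnly
)

foreach ($id in $Samples) {
    $mode = Get-DeviceAccess -InstanceId $id -Rules $Rules
    # One audit record per decision: what a central server would collect and alert on.
    '{0:u} host={1} decision={2} device={3}' -f (Get-Date), $env:COMPUTERNAME, $mode, $id
}
# Live use on Windows 8.1 and later:
# Get-PnpDevice -Class DiskDrive | ForEach-Object { Get-DeviceAccess $_.InstanceId $Rules }
```

The vendor, model and serial fields come from the device's own descriptors, so a rule keyed on them trusts whatever the device firmware reports, and two devices presenting the same identity are indistinguishable to it. That is the gap a marker written to the medium, as in the signed-media approach the paper describes, is meant to close: the endpoint verifies something it wrote itself rather than the device's self-description.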
The digital signature is automatically updated when information is stored within the protected environment. If changes to the media are permitted outside the organization (such as sharing data with a business partner), the device requires re-authorization before it can be used again within the protected environment. To further simplify user operation, content written to a plug-and-play storage device can be filtered by file name or file type, such as Excel spreadsheets or PDF. By ensuring that only digitally signed devices can be accessed, Device Protector can also provide device-specific security rights for content. These rights prevent accidental or deliberate attempts to transfer protected files onto unauthorized portable storage devices. The solution also prevents transfer of files with malicious content from storage devices onto enterprise endpoints. Administrator-defined file types can be controlled on a user or group basis. New software packages can only be installed by trusted users and applications. Device Protector can also leverage an organization's investment in the full line of Pointsec encryption solutions. This centrally managed optional capability automatically encrypts files stored on external storage devices and decrypts them when they are accessed from an endpoint, without requiring extra action by end users. In this manner, an organization can fully protect data that passes outside its layered network security controls.

CENTRALIZED MANAGEMENT

Management is performed through a familiar Microsoft Management Console (MMC) interface. Centralized auditing and alerts record all attempted security breaches and device usage. Audit information is encrypted and filtered on clients before moving to the server at defined intervals. Email alerts can be configured for administrator-defined events. In many cases, simply being able to track the flow of specific data files, or the types of plug-and-play devices used within the organization, is sufficient to implement endpoint security policy with no further impact on user behavior.

www.pointsec.com

(1) See the chronology of data breaches at www.privacyrights.org/ar/ChronDataBreaches.htm
(2) 2006 CSI/FBI Computer Crime and Security Survey, at http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf