
IBM bans USB drives – but will it work?

Can you blindly ban all USB drives, or will it lead to "shadow IT" where staff use them anyway? Sophos CISO Ross McKerchar has his say...

A job worth doing is worth doing well.
And when a job is worth doing well, it’s often worth going all-in.
A good example is how to quit smoking: you can try cutting down a bit in the hope of tapering off; you can try smoking milder cigarettes; you can try replacing your addiction to the nicotine in cigarettes with an addiction to the nicotine in something else; you can even carry on smoking but tell everyone, including yourself, that you didn’t inhale.
But quitting doesn’t admit of half measures, and the best and quickest way to do it is simply never to smoke again, from this day forward, for evermore.
Job done. (As in, “Easier said than.”)
By all accounts, IBM has decided to do just that – go cold turkey, that is – in dealing with the problem of lost data on removable storage devices.
Simply put: NO MORE USB DRIVES.


Instead of trying to manage the problem of who copied what to which USB stick from what computer using which type of encryption, word on the street is that IBM’s Chief Information Security Officer (CISO), Shamla Naidoo, has taken a much blunter approach, along the lines of, “If you want to move files around, use the network.”
It’s a bold approach, and in the modern cloud era, it’s not as outrageous as it might at first sound.
Many users are perfectly used to backing data up into the cloud, and even to having files such as photos automatically uploaded from one device and seamlessly synched with another.
But can an outright ban on something as widely used, and as useful, as USB sticks really work?
We asked our very own CISO, Ross McKerchar, what he thought:

Removable storage is a massive concern. While it’s a less common (but still real!) malware infection vector now, the biggest risk these days is data leakage.

To take a quick trip down memory lane: seven years ago we bought a stash of USB keys from a lost property auction as an experiment. 66% of them had malware on, and not a single one was encrypted.
With Europe’s GDPR kicking in at the end of this month, threatening much bigger fines for companies that don’t take proper care of their data, the timing of IBM’s new rule is hardly a surprise.
After all, if you don’t have a USB drive in the first place, you can’t lose it, so that’s one less way for data to show up in the wrong places.
But, as Ross warns:

Outright bans of any useful technology breed “shadow IT” [where users just do their own IT thing anyway]. Humans are highly creative and often find workarounds that are more risky than the thing being banned. Where possible, organisations will be more effective making the easy way the safe way.
Enforcing USB encryption across a company the size of IBM is probably very tricky, but for a company of average size, it’s a good way to mitigate the risk whilst allowing people to work in a way they’re comfortable with.
Providing sanctioned cloud sharing services as well, combined with the right controls and training, helps further because it can avoid the need to copy data onto USB drives in the first place. One handy thing about sharing rather than copying content is that it’s much easier to audit and ‘unshare’ if a mistake is made.

What’s a USB drive, anyway?

One tricky challenge with an outright ban on USB drives is that there are many different sorts of removable storage – notably including devices that present themselves with two faces.
For example, I have a portable audio recorder that I use for podcasting: you can plug it into a laptop and use it as a high-quality microphone, or you can use it as a handheld standalone device and download the files from it later on.
You can see where this is going: when you connect the device via a USB cable, a menu pops up on the device where you choose which way the device will work, and one of those options makes it behave as a USB drive.
Do you ban the device because it’s a part-time USB drive? Do you take the extra steps needed to teach your device control software that it’s two subdevices, and that the audio-flavoured one is OK but the disk-flavoured one is not?
If you make me an exception to the rule, because I’m special on account of doing podcasts, how do you deal with the fallout from that, when everyone else decides they’re special, too?
(All they have to do is say they need to record meetings, or that they’re also into podcasting, or that they’ve got a similar issue with a camera that they use for work purposes.)
If you block everyone else, forcing them to change, but let me off the hook so that I really am special, what then?
As Ross warns:

Insider threats are a concern for all organisations. The first defence is a vigilant management team – employees intent on doing something malicious are often disenfranchised and frustrated.

What to do?

We can see why IBM, an enormous IT company that is itself a giant cloud provider, might want to replace USB drives with ubiquitous network storage, and why such an approach might not only work well, but also be largely obeyed by staff.
But if you have a small business, with a few employees who are sometimes in the office, sometimes at home, and sometimes on the road…
…the convenience of USB drives for temporary backup, or to have around to tide you over internet outages, is probably a baby that you don’t want to throw out with the bathwater.
Worse still, even if you try to ban USB drives outright to save IT effort, you may very well find that you have created yet more IT effort to make sure you sometimes detect, and sometimes allow, all the “edge cases” such as audio recorders, cameras, and so on.
So, here are some tips that avoid the need for an outright ban on anything:

  • Encrypt all your USB devices. It’s a bit more work than just having a free-for-all, but if you routinely encrypt everything, you never have to worry whether there were any files you forgot about.
  • Provide easy-to-use alternatives. If you want to wean your staff off USB storage, give them a cloud-based solution that they’ll want to use, and that’s easy to learn.
  • Make everyone aware of the risks. Banning USBs won’t stop data leakage – data copied to the cloud has “gone somewhere else” too, after all – so make sure your staff know why it’s important to care about security.
  • Check your logs. Whether you use USBs, cloud drives or both, be sure to check any logs you keep of who’s put what where. If you aren’t going to look at your logs, don’t bother keeping them – never collect any data without a purpose.
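As an added illustration (not Sophos or IBM code) of what “teaching your device control software that a device is two subdevices” and an encrypt-or-read-only rule look like once written down, here is a small policy evaluator in Python; the device records, serial numbers, interface codes and policy values are constructed for the example.

```python
"""Model of a removable-storage policy of the kind the article discusses:
per-interface decisions for composite USB devices (audio recorder that is
also a disk), an allowlist of documented storage serials, an encryption
requirement for writing, and an audit pass over connect events.
Constructed example; not vendor code."""
from dataclasses import dataclass, field

MASS_STORAGE = 0x08   # USB interface class code: mass storage
AUDIO = 0x01          # USB interface class code: audio
HID = 0x03            # USB interface class code: keyboard / mouse


@dataclass
class UsbDevice:
    serial: str
    interfaces: tuple           # interface class codes the device exposes
    encrypted: bool = False     # storage volume is encrypted (e.g. BitLocker To Go)


@dataclass
class Policy:
    approved_serials: set = field(default_factory=set)   # documented trusted devices
    require_encryption: bool = True                      # writes need an encrypted volume
    storage_default: str = "read-only"                   # unlisted storage: allow/read-only/block


def decide(dev: UsbDevice, pol: Policy) -> dict:
    """Decide per interface, so a recorder's audio side can be allowed
    while its disk side is governed by the storage rules."""
    decisions = {}
    for cls in dev.interfaces:
        if cls != MASS_STORAGE:
            decisions[cls] = "allow"                      # audio, HID etc. are not storage
        elif dev.serial not in pol.approved_serials:
            decisions[cls] = pol.storage_default          # unlisted stick: policy default
        elif dev.encrypted or not pol.require_encryption:
            decisions[cls] = "allow"                      # approved and encrypted: read/write
        else:
            decisions[cls] = "read-only"                  # approved but plaintext: read only
    return decisions


# Constructed connect events: (host, user, device)
SAMPLE_EVENTS = [
    ("lt-01", "alice", UsbDevice("REC-0001", (AUDIO, MASS_STORAGE))),
    ("lt-02", "bob", UsbDevice("STICK-0042", (MASS_STORAGE,), encrypted=True)),
    ("lt-03", "carol", UsbDevice("STICK-0043", (MASS_STORAGE,))),
    ("lt-04", "dave", UsbDevice("KBD-0007", (HID,))),
]


def audit(events, pol: Policy) -> list:
    """The 'check your logs' step: return only storage decisions, which are
    the ones worth reviewing, as (host, user, serial, decision)."""
    out = []
    for host, user, dev in events:
        d = decide(dev, pol)
        if MASS_STORAGE in d:
            out.append((host, user, dev.serial, d[MASS_STORAGE]))
    return out
```

Setting `storage_default="block"` models the outright ban; `"read-only"` models the read-only approach a commenter below describes at IBM, while still letting the recorder work as a microphone.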

To finish off with some board-level advice from Ross:

Visibility in computer security is vital. By having reporting tools for content sharing, CISOs can help senior management understand the risks and benefits of allowing sharing methods, whether they’re USB drives or cloud services.


21 Comments

A (big) company may decide to ban USBs internally, but it should stay available for the general public. There are very good reasons for keeping backups offline privately (for example as a method to prevent successful ransomware attacks), that is, outside of networks, so it would be a big problem if the industry were to rob us of that technology.


Just to remember:
Offline and private does nothing against ransomware attacks. As long as the drive is plugged into your computer, your USB device will get encrypted too. In case of a ransomware attack a powered down NAS is as effective as an unattached USB device, while the USB is much more hassle to handle.


So now all those field IBM consultants that regularly share data with their clients quickly through USB thumb drives are screwed. Yeah IBM.


I recall when having a face-to-face meeting in Paris with the Finance Ministry over a $102 million Value Added Tax dispute, neither party had access rights to each other’s servers. The ONLY way to exchange documents there & then in soft-copy was to pass a USB around the room.
Similarly, nearly 20 years ago, during one of the Excel virus scares, my employer blocked the exchange / download of Excel files. But at the time we were in the middle of European Monetary Union conversions, and every day the European Central Bank was issuing Excel files from each of the member states as Government Bonds and other Securities were being re-denominated into Euros. So after I kicked up a fuss, I was the only person out of 75,000 employees who was allowed to download Excel files.


I assume here that you are talking about “accidental” leakage of information.
If I, as an employee, want to sell company secrets or customer data to a third party then I could find an app (you have just created a new market for such apps) that would embed that data in something innocuous like a large image or sound file. Just like the microdot technology used by old time spies.
To prevent unauthorised use of USB ports then you would have to add physical chastity devices to every USB port on every device in the company. With quite a collection of physical keys to manage and control.


It’s not hard to disable USB storage with software, lots of apps for that. We block non-approved devices, and I get alerts on unapproved connected devices. If it transfers through our Web filter or Email we see it. Those odd ports you want to transfer over are locked down on the firewall. It’s not just getting fired you have to think about, it’s being on a black list as a thief, and possibly being legally bound to not use a computer. It’s just a pile of crap that is best avoided. Is there a way you could steal data? Yeah. But I love a challenge and am always looking for you. Even if it’s taking a photo of your screen with your phone.


So why not have a “removable media station” – just like you have networked printers. This can have serious limitations on what it can do, and the files can then be transferred over the network. If they are transferred to a staging post first, you can also use a firewall between the media station and the staging post that can do scanning on the traffic as it goes through.
In my view, some form of controlled system like this allows business requirements to be met – consider rural areas where networking is simply not good enough to support very large file transfer. If there is no means of doing it, then it is inevitable that some sort of parallel underground IT will spring up to get around the restriction and as you say, this will lead to new vulnerabilities.


By the way, I once worked on a project where the amount of data was so great that most of it was transferred in a UPS truck full of high capacity disk drives. These are clearly “removable devices”.


Both Sophos and Windows give options around the use of USB drives that can easily allow you to restrict their use. Unfortunately IBM decided a while back to move everyone over to Macs which I believe don’t have this kind of control so easily or cheaply available. Though they did say that Macs were 3x cheaper to manage so they have quite a bit of savings they can use to cover the cost of managing users and their USB sticks.


At the time of your comment at least, you were definitely still allowed to order a Lenovo. I was working there at the time. When you click on the Lenovo option, it does complain on the site, saying “You sure you don’t want this piece of s*** MacBook?” and then you enter in your justification that MacBooks are pieces of s***, and it lets you order it.


So I guess as a field tech, now we have to put the customers machine on our internal cloud to be able to copy logs and update firmware? That seems like an unlikely solution.


I’m trying to figure out how to build IBM appliance firmware bootable USB for my clients. It is only via USB.


I work in a Fortune 50 company that has a similar policy against unauthorized external media. The company actually sells approved, safe to use, drives for work. There’s some very obvious security benefits to having such a strict policy.


They don’t have to worry about “shadow IT” because USB can be disabled in the BIOS.


But that means a ban on USB, not merely on USB drives.
So, no USB keyboards or mice, no USB headsets or microphones, no USB printers or scanners, no USB network cards or Bluetooth adaptors, no charging your phone, and so on.
(My own laptop relies on USB-to-HDMI-out when I do presentations, and on USB-in to charge. In fact, it *only* has a USB port. OK, plus a headphone jack.)


Hmmm… I was under the impression that the device control feature of certain antivirus products deals with this effectively. Or was I wrong?


You are right – our very own products can provide you with both device and encryption control, e.g.
https://www.sophos.com/en-us/products/endpoint-antivirus.aspx
https://www.sophos.com/en-us/products/safeguard-encryption.aspx
For the average business, at least, I don’t think it’s too hard to allow USBs yet keep them secure… that’s what made it interesting to ponder why IBM seems to have approached the issue with the bluntest possible instrument.
As Ross suggested in the article, perhaps this sort of control just became too hard in an estate of IBM’s enormous size?


@Paul Ducklin – Not necessarily. Windows doesn’t just magically know what type of device is plugged into a USB port. Every USB device handshakes with Windows and identifies itself as a specific device (HID, removable storage, removable hard drive, etc.). You can configure Windows to only accept devices with approved internal serial numbers. Some endpoint protection software can also restrict USB use by device type, so someone plugs in a thumb drive, no go; someone plugs in a portable hard drive, good to go. Having said that, someone with enough technical knowledge can change the device type that is presented to the OS when it is plugged in. However, if you plugged in a thumbdrive that presented itself as a keyboard, you still would not be able to copy files to the device because the proper drivers would not be loaded. This is how penetration testing devices like “Rubber Duckys” work. It is a thumbdrive with a small computer on board; you plug it into a USB port and it presents itself as a HID (keyboard) and then opens a command prompt and runs (types) a script that is pre-loaded by the operator.
At the company I work for, all removable storage devices were excluded via endpoint protection software several years ago. It didn’t take long for the company to figure out that there were certain individuals that could not effectively do their job without this access so the policy was modified to allow documented trusted agents to have USB removable storage access. We also implemented BitLocker To Go on all workstations. Users can read unencrypted drives but, if someone with USB access copies a file to a thumbdrive, they have to password protect and encrypt the drive.
You can’t stop everything but you can raise the signal to noise ratio enough that when someone does do something out of the ordinary it is much easier to see.


I work for IBM. On my MacBook I can use the USB ports to connect my mouse, my printer and even my USB memory keys, however all USB keys connect in read-only mode. That’s how they fixed this.


I don’t see what the commotion is about. This article is talking about a USB ban as if it is a bad thing. Banning USB storage within an organisation is a great idea (for users). It eliminates – key word eliminates* – the risk of USB infection. USB devices within any business are an unnecessary convenience or luxury. If your business cannot rely without it… then there should be a clear strict policy in place to allow encrypted USB access to specific people with justification; and never leave it in the hands of users to encrypt their data. You will find they save things outside of the encrypted area. Just my opinion.

