My six step guide to solve the USB madness problem
Whether we like it or not, USB music and memory devices are here to stay. As security professionals we naturally need to deal with any new technology that starts to proliferate, seemingly uncontrolled, in our organization. Depending on an outright ban is not a good option. Instead we should deal with the problem by creating an awareness program for our employees addressing the risks and setting a policy for USB device use within the organization. The next step is to provide alternative secure USB technology for our employees to perform the tasks for which they were using their own insecure devices. The secure solution we choose to deploy must be possible to centrally manage so that the organization remains in control and can enforce the policy and perform day-to-day support tasks such as password resets.
We can just look at the history to understand how we need to address the problem. Today, would you, for example, allow a personal laptop to be used on the corporate network and risk getting a virus and mixing private and corporate data? Of course not, you would say, our policy does not allow it! Would you allow personal PDAs to be connected to your work computers? Not today, you might say, but go back two years and many organizations did not have a policy in place for PDAs and allowed personal PDAs to be used until the support burden of supporting all possible different devices and the threat level of lost or stolen devices (read: information) became too big. The PDAs more often than not contained sensitive corporate information without protection (since the device was owned by the individual). Another important question to ask is, who actually owns the corporate data stored on an employee's device in case of a dismissal or layoff? For the PDAs it became a natural next step to standardize on a few supported types of devices to minimize support; devices are now purchased by the company to address the question of who owns the data stored on the device and to make it possible to deploy software for central management and security on the devices, including policy enforcement. The USB storage devices are no exception; they are just the next thing we need to protect.
As a general rule, any company proprietary information must always be stored on devices in control of (owned by) the organization and preferably be centrally managed. Furthermore, as a general rule the organization's data should be stored encrypted in order to comply with current legislation and to make sure your organization is protected if a device gets lost or stolen.
It is easy to understand the problems and the solutions in general, but what practical approach can we take when it comes to actually finding a practical solution?
The solution to these problems is really the same as the evolution for the PDAs as discussed above. State a usage policy, and own and centrally manage the USB devices you decide will protect your data. Deploy technology that will prohibit usage of unapproved devices and will centrally manage the approved devices.
The six-step guide to what you can do today to solve the USB madness problem
1. Create a policy stating that corporate information is only allowed to be stored encrypted and only on company owned USB devices
2. Create an awareness program and train the employees in the risks and how to deal with them
3. Create a policy stating that only company approved USB devices are allowed for transferring and transporting corporate data
4. Distribute approved USB devices that store corporate information encrypted
5. Deploy software that prohibits use of other USB memory devices than the approved devices.
6. Use a solution that is centrally managed and allows for audit logs and password resets
Kurt Lennartsson, CISSP
CTO
RedCannon Security, Inc
Posted by: kule Posted on: 10/13/04