Neil MacDonald

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Blocking USB Ports Isn’t the Right Answer

by Neil MacDonald  |  July 12, 2010  |  2 Comments

Coming back from vacation, I saw this recent article in the New York Times on the theft of classified military data.

In this case, the person bypassed the restrictions on USB ports by copying the data to a writeable CD/DVD drive instead. According to the report:

According to Pentagon officials and one former hacker who has communicated with Private Manning, he appears to have taken compact discs that can accept text, video and other data files into an intelligence center in the desert of eastern Iraq to copy and remove the classified information.

There are two takeaways for your organization from this story.

First, if you are relying solely on blocking USB flash drives to prevent the theft of sensitive data, your security controls are woefully inadequate. I’d call this type of coarse and crude control “security theatre” – security controls that look like you are doing something when in reality, the risk hasn’t really changed. The truly determined bad guy will easily find another way to get data off of the machine.

This is one of my major criticisms of the USB port control capabilities built into Windows 7. In the research note for clients, Planning for the Security Features of Windows 7, I describe in detail the pros and cons of the 15 or so security capabilities built into Windows 7, including USB port control. In that section of the research note, I state:

For organizations truly concerned with data loss prevention, there are many points of ingress and egress from a machine, in addition to USB-based devices, so USB device control alone is insufficient to achieve their broader data loss prevention goals.

Most notably, CD/DVD drives, but also wireless, Bluetooth, general packet radio service, third-generation modems, infrared, parallel ports, serial ports, Firewire and so on need to be controlled. Competitive offerings on the market provide general device control policy enforcement that handles most of these scenarios.

Second, there is a broader issue at work here. Suppose we go ahead and block all USB usage, all writeable CD/DVD usage, all Bluetooth devices, and so on. Simple binary “block everything” policies on all removable media end up interfering with the 99.9% of our workers who are trying to do the right thing and get their job done. The issue isn’t whether someone is allowed to use a USB port or writeable CD/DVD drive; the issue is whether the user is able to copy sensitive data off the machine by any method. I stated this in a blog post months ago. The real issue is the loss of the sensitive information, not the use of the USB/CD/DVD capabilities of the machine. Blocking usage of these devices is a coarse, crude means to an end, but it is not the end itself.

The real issue to address is the loss of sensitive information. That’s the problem that content-aware DLP offerings are designed to address.
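To make the difference concrete, here is an added illustration (my own, not from the post or any DLP product) that evaluates the same constructed egress events under a device-based rule and under a content-aware rule. The channel names, classification patterns and sample files are assumptions for the simulation.

```python
import re
from dataclasses import dataclass

# Constructed classification markers; a real DLP engine adds fingerprints,
# exact-data matching and registered documents on top of patterns like these.
SENSITIVE_PATTERNS = [
    re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL)\b"),  # classification markings
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # US SSN-shaped numbers
]

@dataclass(frozen=True)
class EgressEvent:
    user: str
    channel: str      # assumed channel names: "usb", "cdrom", "bluetooth", "email"
    filename: str
    content: str

def is_sensitive(content: str) -> bool:
    """Content-aware classification: the decision depends on what is leaving."""
    return any(p.search(content) for p in SENSITIVE_PATTERNS)

def device_policy(ev: EgressEvent) -> str:
    """Coarse control: block one device class, ignore what is actually copied."""
    return "deny" if ev.channel == "usb" else "allow"

def content_policy(ev: EgressEvent) -> str:
    """Content-aware DLP: block sensitive data on any channel, allow the rest."""
    return "deny" if is_sensitive(ev.content) else "allow"

def evaluate(events, policy):
    """Return {filename: decision} for one policy over a list of events."""
    return {ev.filename: policy(ev) for ev in events}

# Constructed sample events: a classified file burned to CD/DVD (the case in the
# post), a routine USB copy, and sensitive data leaving over a third channel.
SAMPLE_EVENTS = [
    EgressEvent("analyst", "cdrom", "cables.txt", "SECRET//NOFORN cable text ..."),
    EgressEvent("clerk", "usb", "slides.pptx", "Quarterly town-hall slides"),
    EgressEvent("hr", "email", "payroll.csv", "name,ssn\nJ. Doe,123-45-6789"),
]

if __name__ == "__main__":
    for name, policy in (("device-based", device_policy), ("content-aware", content_policy)):
        print(name, evaluate(SAMPLE_EVENTS, policy))
```

The device-based rule blocks the harmless USB copy and lets the classified CD/DVD copy and the e-mailed payroll file through; the content-aware rule reverses both outcomes because it looks at the data rather than the port.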

2 responses so far

  • 1 Gary Rogers   July 13, 2010 at 9:37 am

    Neil,
    Excellent blog and I completely agree. A key issue in security breaches is not necessarily the action of someone intent on doing harm. Too often the biggest breaches are the result of someone trying to do their job but whose IT systems have not been properly provisioned to enable the secure transfer of information.

    USB flash drives are used to transfer data because that data is usually too large to transfer by email. Yet secure file transfer solutions exist and they integrate into content-aware DLP solutions. They are easy to use for the end-user, and provide the security and governance that a CISO requires.

    The use of USB flash drives is a sign that IT has failed to provision the proper solution for employees to get their jobs done. For the record, FTP is a terrible substitute. FTP = Failure to Provision.

    - Gary

  • 2 Neil MacDonald   July 15, 2010 at 10:37 pm

    @Gary –

    Yup. It’s interesting. When clients turn on DLP technologies for the first time, the vast majority of what they find are situations where sensitive data is being used in insecure ways by the 99.9% of people trying to do the right thing. “I’ve always taken the extract from the SAP system into Excel and run my analysis and then emailed the spreadsheet”… or the secure transfer of files that you refer to.

    Rarely does information security really know how and where sensitive information is created and consumed throughout the organization. It’s a dark closet full of scary stuff that we’d probably rather not know about, but that we must know about and address.

    DLP turns on the flashlight. Be prepared.