Coming back from vacation, I saw this recent article in the New York Times on the theft of classified military data.
In this case, the person bypassed the restrictions on USB ports by copying the data to a writeable CD/DVD drive instead. According to the report:
According to Pentagon officials and one former hacker who has communicated with Private Manning, he appears to have taken compact discs that can accept text, video and other data files into an intelligence center in the desert of eastern Iraq to copy and remove the classified information.
There are two takeaways for your organization from this story.
First, if you are relying solely on blocking USB flash drives to prevent the theft of sensitive data, your security controls are woefully inadequate. I’d call this type of coarse and crude control “security theatre”: controls that look like you are doing something when in reality the risk hasn’t changed. A truly determined bad guy will easily find another way to get data off the machine.
This is one of my major criticisms of the USB port control capabilities built into Windows 7. In this research note for clients, Planning for the Security Features of Windows 7, I describe in detail the pros and cons of the 15 or so security capabilities built into Windows 7, including the USB port control capabilities. In this section of the research note, I state:
For organizations truly concerned with data loss prevention, there are many points of ingress and egress from a machine, in addition to USB-based devices, so USB device control alone is insufficient to achieve their broader data loss prevention goals.
Most notably, CD/DVD drives, but also wireless, Bluetooth, general packet radio service, third-generation modems, infrared, parallel ports, serial ports, Firewire and so on need to be controlled. Competitive offerings on the market provide general device control policy enforcement that handles most of these scenarios.
Second, there is a broader issue at work here. Suppose we go ahead and block all USB usage, all writeable CD/DVD usage, all Bluetooth devices, and so on. Simple binary “block everything” policies on all removable media end up interfering with the 99.9% of our workers who are trying to do the right thing and get their job done. The issue isn’t whether someone is allowed to use a USB port or a writeable CD/DVD drive; the issue is whether the user is able to copy sensitive data off the machine by any method. I stated this in a blog post months ago. The real problem is the loss of the sensitive information, not the use of the USB or CD/DVD capabilities of the machine. Blocking these devices is a coarse, crude means to an end, but it is not the end itself.
The real issue to address is the loss of sensitive information. That’s the problem that content-aware DLP offerings are designed to address.
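To make the contrast concrete (both the egress list quoted from the research note and the device-versus-content argument above), here is a constructed Python example. It is not code from the original post or from any DLP product. It puts a device-control rule that looks only at the channel next to a content-aware rule that looks only at what is leaving, and runs both over the same constructed events. The classification markings, the regexes, the channel names and the sample events are all assumptions made up for the example.

```python
"""
Device-control vs content-aware egress policy, side by side.
Constructed illustration; not any product's detection logic.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Markings and patterns are constructed for this example. A real deployment
# would use the organisation's own markings, document fingerprints and
# exact-data matches, tuned to keep false positives low (e.g. "TRADE SECRET"
# in a contract would trip this naive regex).
MARKING_RE = re.compile(r"\b(?:TOP SECRET|SECRET|CONFIDENTIAL)(?://[A-Z]+)*\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass(frozen=True)
class EgressEvent:
    """One attempt to move a file off the host, whatever the channel."""
    user: str
    channel: str      # usb, cdrom, bluetooth, firewire, serial, webmail, cloud_upload ...
    filename: str
    content: str


def classify(content: str) -> str:
    """Label a file by what is in it, not by where it is going."""
    if MARKING_RE.search(content):
        return "classified"
    if SSN_RE.search(content):
        return "pii"
    return "public"


def device_control_decision(event: EgressEvent, blocked_channels: Set[str]) -> str:
    """Coarse device-control policy: looks only at the channel, never the data."""
    return "block" if event.channel in blocked_channels else "allow"


def content_aware_decision(event: EgressEvent) -> str:
    """Content-aware policy: the same rule applies on every channel."""
    label = classify(event.content)
    if label == "classified":
        return "block"          # never leaves the host, by any route
    if label == "pii":
        return "audit"          # allowed, but logged for review
    return "allow"              # the 99.9% get on with their work


def compare(events: Iterable[EgressEvent],
            blocked_channels: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (filename, channel, device decision, content decision) per event."""
    return [
        (e.filename, e.channel,
         device_control_decision(e, blocked_channels),
         content_aware_decision(e))
        for e in events
    ]


# Constructed sample events: an ordinary worker, an insider burning a CD,
# a webmail send and an HR upload. No real data.
SAMPLE_EVENTS = [
    EgressEvent("analyst1", "usb", "briefing_template.pptx",
                "Weekly ops brief template. Fill in slides 2-5."),
    EgressEvent("insider", "cdrom", "cables_2010.txt",
                "SECRET//NOFORN  Cable 10ABC123: source reporting on ..."),
    EgressEvent("analyst2", "webmail", "sitrep.docx",
                "CONFIDENTIAL Situation report, unit movements for Tuesday."),
    EgressEvent("hr1", "cloud_upload", "payroll.csv",
                "name,ssn\nJ. Doe,123-45-6789\n"),
]


if __name__ == "__main__":
    # A USB-only block, as in the story: the insider's CD burn sails through
    # device control while the analyst's harmless template copy is stopped.
    for row in compare(SAMPLE_EVENTS, {"usb"}):
        print("%-24s %-13s device=%-5s content=%s" % row)
```

With only USB blocked, device control stops the analyst's template copy and lets the CD burn and the webmail send through; the content rule does the opposite. Widening the blocked set to CD/DVD closes that one hole and still does nothing for webmail or the cloud upload, which is the point: the channel list is open-ended, the content rule is not. The caveat is that all of the real work then sits in `classify`, where markings, fingerprints and false-positive tuning live, and that is exactly what a device-centric policy never has to think about.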