Hi Fellow CISSPs!
Please may I have your thoughts, in short order (C-level request) regarding best practices for USB drives?
I would like to hear from at least three colleagues.
1) What is your organisation's policy towards the use of USB sticks/drives?
2) Do you disable USB functionality on company-provided devices? (If not, why not? I need to know, as I expect push-back if I go *that* route.)
3) Would you be willing to share a redacted copy of your policy with me to help me draft my own?
Thanks in advance for any assistance/direction!
Derek
At a Fortune 500 company that I worked for, we disabled the drives on the PC or simply did not supply them. Unfortunately most users will complain/whine/etc. but when we showed management some of the risks/threats associated with these devices, it quickly became corporate policy.
Some users (mostly IT type folk) were allowed but there were rules around their usage and of course, penalties.
If you are unable to convince management to disable the devices, at a minimum disable "autorun" so that the user must knowingly do something.
Others?
Regards
d
1) Locked down on all corporate endpoints. Removable media are not used with endpoints, except for exceptional cases of large data transfers where data is copied by IT on iStorage hardware-encrypted drives.
2) Locked down on endpoints to prevent data loss and introduction of malware
3) Can't do that, however you could look at various regulators' sites and guidance from PCI DSS, NIST, ISO, COBIT etc. and piece the rationale together fairly easily.
The key thing is to have:
a) a time limited exception process, usually required by a few business partners, with someone senior in your organisation signing off on the risk of transfer
b) Arrangements in place to track and sanitise any media after use
c) Documented options for transferring data; be these encrypted email, SFTP, FTPs, One Drive, S3 or whatever that are easier to use than removable media.
If you make doing the right thing easier for staff, then there is less likely to be cultural resistance. Sell the practical benefits of your approach in terms of speed, convenience, timeliness etc., rather than play on the bad things that could happen from a loss of removable media.
When I got to one place that I have worked at, there was no restriction on USB storage devices. I asked the CIO to consider blocking them and he agreed. What I did first was gather my metrics about usage, incidents, etc. I started providing the CIO some information about whenever we had a virus incident, if USB devices were involved. I also gathered statistics about usage and pointed out sensitive file transfers, possible PII violations, etc. Then the CIO made the decision to start blocking them.
There were people that said we should warn the users first and I said no. Here is why I said we should turn on blocking WITHOUT notifying the end users. It is a psychological issue. Sometimes people fear the loss of using something they rarely ever used more than the actual loss itself. People that have never or rarely used USB media devices all of a sudden will swear that they can't do their job without it. And some of them did after we put the block in place, but a majority of the end users didn't notice until they decided to stick a USB device in and couldn't use it.
We did it, but also implemented a process to request either a limited-time exception (2 weeks) or to be put on the permanent exception list. People like investigators, officers, senior management, emergency management team members, etc. that used them in their normal course of business were added to the exemption list. When people requested the temporary exception they had to list the business reason, what data they were going to be moving, etc. I gathered all of these reasons and presented them to upper management to show why we needed to be blocking the use of USB media. People were storing all kinds of PII and company sensitive info on these devices. They were also doing things like taking work home (without prior approval), using their home computers to do company work (against policy and best practices), storing client PII on it, etc. These USB drives were not being tracked, so if someone lost one or misplaced it, we would have a ticking PII time bomb just waiting to go off. I also showed the reduction of viruses through USB vectors to nearly zero after we instituted the policy.
Some of the key reasons to block or restrict USB usage:
1) You do not know what data is being transported into or OUT OF your network.
2) It is an attack vector into your network. You do not know where these USB devices have been before and what unprotected networks/computers they have touched, so your risk for virus/malware infections increases. I use an analogy of sticking in unknown USB devices to unsafe sex practices and senior management seems to get that parallel comparison. Dig up the info on the Stuxnet virus/worm/malware to see how a "virus" can move throughout several unconnected networks to eventually find its target through the use of USB devices. Before we implemented the policy, up to 50% of the viruses we detected/blocked came in through USB drives or portable USB hard drives.
3) Since you do not know what is on these devices you have no idea what data has the potential to be lost or stolen. This can be a PII nightmare or invoke "breach" or "PII data loss" type privacy notification scenarios.
4) Since you do not control them, are you able to monitor them? What happens when someone loses or misplaces them? See # 3 above for implications.
5) Some USB devices, like e-cigarette chargers, have been known to come preloaded with malware. Encouraging unsafe USB habits (like being able to stick any cord/device with a USB end into the computer) (see #2 above for the implications) encourages users to continue to stick any USB into their computer without knowing the full ramifications of what that device is doing. By blocking the use of USB storage devices you cut down on the users habit of thinking they can stick any USB device into their WORK computer.
6) End users not understanding how devices work in general. They think they can hook up their phones to the computers because they are just going to "charge" them. They do not understand that the device may be doing a lot of other things such as collecting network information, trying to install software, trying to get on the Internet to update the device or programs on the device, if it can get an Internet connection, use that connection to transfer data, or already be infected from connecting to other insecure networks/computers, etc.
7) It is a known attack vector and common trick of hackers to either give away "free" USB devices or drop ones in the parking lot of the places they want to attack.
8) We now have far fewer users to monitor when we perform our USB/data transfer/data exfiltration monitoring than we did before we turned on USB blocking. Previously we had over 5000 users, now we are down to less than 300.
9) Since we implemented the process where people have to request temporary access AND state their business reason for needing to be unblocked, we now have a legal remedy to give to HR and the legal depts. if we find out they are misusing it. A case in point: we had an employee request usage stating it was for official business. In reviewing her usage we discovered she was working part-time for a city council and doing their work on our company's network. We now had a case to prove she lied about her need for using it for official business only and were able to take the appropriate HR action against her.
Our plan was to eventually enforce the use of company issued encrypted thumb drives and block all others, but I didn't want to freak out everybody at once so I implemented small changes, with previous buy-in from the CIO, senior management and the other IT folks.
As a security consultant who works with a variety of clients, including those in the healthcare and financial realms, I review a lot of policies and assess their security programs.
Most organizations I deal with have in their Acceptable Use policies that use of any USB storage device is FORBIDDEN except for certain approved individuals or groups (usually IT, HR, and/or legal).
SOME orgs take the added step of using various systems to disable USB ports, again with exceptions for certain groups. Some also use DLP tools to monitor the movement of data within their network.
I have heard, though I think it sounds extreme, of orgs that physically disable the USB ports by filling them with epoxy or the like. I wonder about that, what with laptops no longer having CD/DVD drives; this would make reinstalling systems difficult if not impossible if the USB isn't available.
Thank you to each person who responded to my query!
I do not take it lightly that each one of you took time out of your day to provide me with the detailed responses received. I feel that I am now well-equipped to respond to C-level appropriately regarding this matter.
Thanks very much colleagues!
1) Corporate doesn't have a policy regarding USBs. We have written IT policies regarding their use. The IT policies were written to align with DFARS Clause 252.204-7012 specifically NIST SP 800-171.
2) We use Group Policy to disable the USB device class 'Removable Storage'. The policies also allow IT Administrators to encrypt USBs only for use in our organization and issue them to users. If the device is lost, stolen, or damaged, then hopefully it is protected by the encryption. Still, we do receive push-back.
3) I would have to get approval from Legal. However, you can get a template for NIST SP 800-171 Media Policy which is what we started with for our policy.
Regards
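Two of the controls mentioned in this thread, the "Removable Storage" device-class lockdown via Group Policy and disabling autorun as the fallback, both end up as a handful of registry values on the endpoint. The script below is an added example written for this page, not code from any of the posters or their organisations. It audits those values on the local machine and, with -Mode Enforce, writes the same values a GPO would, which is useful for a lab box or a standalone machine, or for checking that a GPO actually landed. It assumes Windows PowerShell 5.1 or later running from an elevated prompt; the paths and value names are the documented registry targets of the "All Removable Storage classes: Deny all access", "Turn off Autoplay" and "Default behavior for AutoRun" policies.

```powershell
# Added example (not from any poster in this thread): audit, and optionally set,
# the registry values behind the Group Policy settings discussed above.
#   Computer Configuration > Policies > Administrative Templates >
#     System > Removable Storage Access > All Removable Storage classes: Deny all access
#     Windows Components > AutoPlay Policies > Turn off Autoplay
#     Windows Components > AutoPlay Policies > Default behavior for AutoRun
# Writing these directly is fine for a standalone or lab machine; domain-joined
# endpoints should get them from a GPO so the setting is enforced and re-applied
# centrally (and so exceptions can be scoped to an OU or security group).
# Requires an elevated prompt: all paths are under HKLM.
param(
    [ValidateSet('Audit', 'Enforce')]
    [string]$Mode = 'Audit'
)

# Desired state: the path / value-name / value triples the GPO would write.
$Desired = @(
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name  = 'Deny_All'
       Value = 1
       Why   = 'Deny read/write/execute on every removable storage class' },
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name  = 'NoDriveTypeAutoRun'
       Value = 0xFF
       Why   = 'Turn off Autoplay for all drive types (bitmask, 0xFF = every type)' },
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name  = 'NoAutorun'
       Value = 1
       Why   = 'Do not execute autorun.inf commands' }
)

function Get-CurrentValue {
    # Returns the DWORD currently stored, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$drift = @()
foreach ($d in $Desired) {
    $current = Get-CurrentValue -Path $d.Path -Name $d.Name
    $ok = ($current -eq $d.Value)
    $shown = if ($null -eq $current) { '<absent>' } else { $current }
    $status = if ($ok) { 'OK  ' } else { 'MISS' }
    '{0} {1}\{2} = {3} (want {4})  # {5}' -f $status, $d.Path, $d.Name, $shown, $d.Value, $d.Why
    if (-not $ok) { $drift += $d }
}

# Informational: the older, blunter approach disables the USB mass-storage
# driver itself (Start = 4). It also blocks the IT-issued encrypted drives the
# posters use for exceptions, so the device-class policy above is preferable.
$usbstor = Get-CurrentValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start'
'INFO USBSTOR service Start = {0} (4 = driver disabled, 3 = on demand)' -f $usbstor

if ($Mode -eq 'Enforce' -and $drift.Count -gt 0) {
    foreach ($d in $drift) {
        if (-not (Test-Path -Path $d.Path)) {
            New-Item -Path $d.Path -Force | Out-Null
        }
        New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value `
                         -PropertyType DWord -Force | Out-Null
        'SET  {0}\{1} = {2}' -f $d.Path, $d.Name, $d.Value
    }
    'Removable Storage Access changes may need a reboot; Autoplay changes apply to new Explorer sessions.'
}
elseif ($Mode -eq 'Enforce') {
    'Nothing to change: all values already match.'
}
```

Run it as `.\Check-UsbPolicy.ps1` on a few endpoints before the rollout to confirm the baseline is actually "open", then again afterwards to prove the GPO applied; the audit output is the kind of before/after evidence the posters above used to get management buy-in. Keep in mind that Deny_All blocks the exception users' hardware-encrypted drives as well, which is why it is normally applied through a GPO that can be filtered by group rather than set locally.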