Security Basics mailing list archives
Re: Flash Drive Policy
From: Jon Kibler <Jon.Kibler () aset com>
Date: Sun, 12 Oct 2008 09:38:34 -0400
Steve Armstrong wrote:
I must take issue with your 2nd point as I believe the 'head in the sand' approach to USB devices is so 1990's. USB is used in most businesses and it will continue to increase with the demise of open network shares on Corp LANs (aka the swap share) and the introduction of desktops to the Corp environment without PS/2 interfaces. I agree that policy and appropriate software can reduce the risk from USB devices but that is not our call (security advisors) it's the risk owners - who in my experience are some of those asking for them in the first place.
Steve,

The problem I have is that most risk owners do not understand security and the regulatory and business policies that drive them. That is why security develops and deploys security policy. So, I would argue that it IS the place of security to set policy for USB devices.

Regarding network shares, a lot of organizations are moving to all network based storage, and either thin clients or no data stored on local desktops. In such an environment, sharing data simply becomes a matter of setting the correct access permissions. Collaboration software suites (SharePoint, Zimbra, etc.) are also being used to accomplish such sharing.

Then, at least here in the states, we have regulatory issues that come into play when you look at removable media issues. When you have to have full audits of "who did what to this data, how, when, and from where", the use of USB or other removable media simply makes these types of audit trails impossible. So, I stick with my original statement that there is no place for USB or other removable media in the workplace.

Finally, you indicated that there is 'appropriate software' that can reduce the risks associated with USB drives. Please give some examples! I have not seen any type of USB management software that cannot be easily defeated by the typical desktop user -- especially if they have local admin rights (which I find over 95% of all corporate desktop users have!). I have yet to find a USB management package that would prevent an attack as simple as plugging in a USB hub and using it to share your rodent and a USB drive.

So, bottom line... I have to disagree. I stick by my argument that you should not allow any USB or other removable media in the workplace.

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
Current thread:
- Flash Drive Policy Steven Bonici (Oct 08)
- Re: Flash Drive Policy Jon Kibler (Oct 09)
- Re: Flash Drive Policy Jon Kibler (Oct 10)
- Re: Flash Drive Policy Steve Armstrong (Oct 14)
- Re: Flash Drive Policy Jon Kibler (Oct 14)
- RE: Flash Drive Policy Hill, Pete (Oct 14)
- RE: Flash Drive Policy Steve Armstrong (Oct 15)
- Re[2]: Flash Drive Policy Adam Pal (Oct 16)
- Re: Re[2]: Flash Drive Policy Lucas Lyon (Oct 17)
- Re: Flash Drive Policy Jon Kibler (Oct 10)
- Re: Flash Drive Policy Jon Kibler (Oct 09)
- RE: Flash Drive Policy Steven Bonici (Oct 09)
- Re: Flash Drive Policy ॐ aditya mukadam ॐ (Oct 10)