For the average corporate or home PC user, the initialism "USB" refers to a computer port that makes it very easy to connect devices directly to a machine. With this connection, a person can transfer or copy information to and from a computer with little trouble.
But for security administrators and corporate executives, USB--short for Universal Serial Bus--is taking on an entirely new meaning: ultimate security breakdown.
Most organizations don’t realize that USB and Firewire ports offer an unbelievably easy and accessible way to take sensitive information outside of the enterprise--and this naivete could cost them dearly.
If you look at the new corporate desktop releases from top makers Dell, Hewlett-Packard and Gateway, a single system can easily have up to eight USB ports. But it's not the sheer number of ports--it's the default plug-and-play configurations of operating systems like Microsoft Windows XP that are the real problem. Current operating systems provide seamless support for USB devices, and for good reason--their users want to be able to load photos, sync their PDAs and transfer music to and from their music players with no hassle. But the resulting security problems are significant.
In industries such as financial services, government and health care, where sensitive information not only exists but is heavily regulated by privacy laws, there is monumental risk. And that's not to mention the finance and legal departments within every publicly traded company, where violations of material event-disclosure laws could result in serious penalties and fines, in addition to public- and investor-relations disasters.
So while organizations scramble to turn off the data spigot with no guarantee that software or PC manufacturers will do anything to stop default USB access, things are only going to get worse. Several trends will feed this security dilemma over the next 12 months, including:
Music players such as Apple Computer's iPods, digital cameras, PDAs and other gadgets will continue to see rapid adoption among consumers and business users. With no configuration at all, an employee can plug a USB keychain with a gigabyte of storage into the back of a corporate PC. Employees already bring digital cameras to work to download photos to serve as desktop wallpaper or screensavers. These devices are normally plugged into home computers with a fraction of the security of today’s enterprises, making it incredibly easy for someone, even unintentionally, to download a nasty virus or destructive code.
Malicious code meets device
Wireless LANs and laptop computers are the current hot vectors for malicious code infections, but the recent appearance of malicious code in portable and personal devices does not bode well for security administrators. Infected PDAs syncing to a corporate computer could result in a scenario where malicious code is passed from device to machine to corporate network. It's also conceivable that future malware will seek out portable media solely for the purpose of proliferation.
Storage device meets mouse
The convergence of different computer components and technology could present the ultimate dilemma for security personnel. Mice, keyboards and other components that are intrinsic to everyday computing, combined with storage capabilities, are a potential Swiss Army knife for data thieves and insiders or yet another threat vector for malicious code exploits.
Unfortunately, most security organizations are still drowning in their battle against malicious code and vulnerability patching, keeping the focus on perimeter security technologies, such as corporate firewalls, server antivirus strategies and content filtering at the gateway. While these measures are important and administrators must continue to lock things down at the network hub, the number of spokes is growing exponentially. Many organizations have hundreds or thousands of machines hooked up to the network at any given time. When you factor in the possibility that very soon there could be multiple devices per PC with unlimited access, it presents a very sobering reality for security personnel.
There are immediate steps that companies can take that will go a long way toward solving this problem, including a "white list" approach to block unsanctioned devices, applications and executable files from all corporate machines. Until these types of measures are implemented, USB devices will continue to be the weakness in perimeter security’s Maginot Line, allowing a relatively easy and tempting way for wayward insiders and malicious code writers to hurt government agencies and organizations.