Computer-Removable Media Quantifying and Managing the Threat

Computer Removable Media (CRM) has become ubiquitous in both the consumer electronic marketplace and the modern office. The threat of “information leakage” associated with these devices is tangible and demonstrable. Devices such as USB flash drives, digital music players, and smart phones are now seen as posing significant security threats, yet most security managers admit to not actively monitoring or preventing their uses. At the same time, most information security policies and practices do not directly address these new technologies, which are capable of storing and transporting large amounts of data in very small physical packages. Consider that when the first consumer flash drives appeared in 1999, their capacity was around 8MB. Today, a digital camera can easily store 4GB or more, and an iPod holds up to 80GB of data. On the immediate horizon are smaller, faster devices with even greater capacities.

Increased legal and regulatory requirements such as the Data Protection Act and the Payment Card Industry (PCI) Data Security Standard require organizations to exercise due care in safeguarding certain personal information. Comprehensive security measures have already been implemented by many financial institutions—in some cases, “locking down” the use of USBs without authorization and/or monitoring in a bid to mitigate this growing risk. Recent incidents such as the massive compromise of more than 45.6 million credit card numbers at TJX from July 2005 through January 2007 illustrate that this threat is quite real. TJX recorded a $118 million charge in its second-quarter financial report to cover costs related to the incident. TJX also said it expects to incur at least an additional $21 million related to the breach.

An effective security architecture incorporates a combination of technical and procedural elements to provide effective countermeasures to emerging threats posed by removable media. The rapid pace of technological change demands a security strategy that is both flexible and adaptable.



The following areas should be considered to mitigate the threat posed by CRM:

• Device Hardening: Implement baseline security configurations at the operating system or hardware level that restrict or prohibit the use of devices such as USB flash drives. Disabling the USB port(s) at either the physical or logical level can provide an additional layer of security. Many security software products in the rapidly evolving area of USB control can also provide very granular logical control over USB devices.
  
  
• Policies & Procedures: Manage the use of removable media and communicate the policy to all staff members. Policies and procedures should be part of the organization’s overall security policy and be aligned with appropriate Human Resources policies.
  
  
• Awareness: Employees who handle sensitive information should be made aware of the security implications of removable media. Creating a security-aware workforce will improve monitoring, oversight, and compliance at the grassroots level.
  
  
• Encryption: Consider implementing strong encryption for both data in motion and data at rest. Centrally administered schemes based on a Public Key Infrastructure and/or digital certificates provide enterprise-level key management, and integration has been proven to be effective in medium to large organizations. Smaller organizations can take advantage of a number of commercial packages to provide similar functionality.
  

Building an effective security program that considers emerging threats such as CRM requires a complete understanding of relevant legal and regulatory considerations affecting the industry and organization. Regulations such as HIPAA, Sarbanes-Oxley, and GLBA can serve to clearly delineate risk while at the same time providing guidance as to what steps must be taken to achieve compliance.

Technology’s rate of change will continue to present new control challenges. In an environment of increasing regulatory constraint, organizations must carefully assess and manage technology risk. However, the basic tenets of security and risk management—people, process, and technology—continue to be relevant as the foundation for managing current and future risks.

About the Author

John Rostern is the director of technology risk management for the Jefferson Wells New York-area offices. He has more than 25 years of experience in all aspects of information technology, including information security and IT audit. He can be reached at (212) 823-8600 or via email at john.rostern@jeffersonwells.com.

Jefferson Wells is a global provider of professional services in the areas of internal audit and controls, technology risk management, tax, and finance and accounting. It serves clients, including Fortune 500 and Global 1000 companies, from more than 50 offices across North America and Europe.