Part 4 of 15: Control Removable Storage Media and Connected Devices
What Is It?
Long gone are the days when we created, stored, and used data only on one computer. We have a ton of options when it comes to removing data from a computer that doesn’t involve a wired or wireless network connection. Many of you remember having shelves full of floppy disks and odds are they’ve been replaced by drawers full of USB thumb drives and hard drives and other plug-in storage media. The common factor is there is likely a lot of data, current or outdated, scattered across these various types of media that may or may not exist anywhere else.
Whether at home or at work, I’d be willing to bet there are various pieces of media and devices that nobody is sure of what is on them. Let’s not concern ourselves with any type of commercial or consumer network attached storage or cloud-based storage such as DropBox, OneDrive, Box, and so on. Those are discussions for another day. Those also tend to be larger, bulkier solutions that don’t simply end up in a drawer or box and forgotten about, or get dropped on the floor or left in a restroom. Instead, let’s think about USB drives, CDs and DVDs, peripheral devices including smart phones and tablets, and connections that perhaps use Bluetooth, Wi-Fi, or 3G/4G.
We’re also not stating that these should be disabled; merely controlled. These technologies exist for a reason, so the last thing we want to do is hinder productivity. We understand there are environments where USBs are not allowed to be plugged in to computers or mobile devices must be turned off. I have worked in these types of places, but it doesn’t negate their existence or in some small way, their need.
Where Do I Start?
A quick question to ask is if your workplace has a removable media strategy. If it does, how current is it and what does it cover? Perhaps it’s time to review the policy to make sure it lines up with your current needs. What type of controls do you have in place to enforce the policy, such as blocking access to USB drives on servers or even workstations? Perhaps it’s a bit more physical in that computers have had their optical drives removed (but with many computers no longer coming with them, it’s less of a concern). Questions like this and many more may determine the active control of storage media, but what about the passive control?
How does your organisation control portable media? Pull open your desk drawer….do you have USB sticks or perhaps CDs or DVDs (probably without a label)? What about in your backpack or purse? Are there USB drives laying around on your desk in plain view? What about in your communications rooms? Left plugged into servers or workstations? I’m willing to bet you’ve found some. Does the organisation know about all of them? Do you know what is on them without having to plug them in first?
Full control of all removable media can be a monumental task, but first asking a few basic questions and taking stock of what is out there is a good place to begin. So, how do we find out what is on the media? If you’re thinking that you’ll just plug that USB stick in or pop that CD or DVD into a drive, you may want to pause for a second and then ask if you know where that media has been. If it’s yours and has never left your possession, you may be OK but if it’s new to you, you may need to test it in isolation. I usually have a laptop with no network connectivity just for this very purpose. It’s old school. It has an optical drive, USB ports, and I even have a USB floppy drive when those pop up now and then.
Devise a secure method for verifying your media and set about figuring out what is on all these random USB drives and CDs and DVDs. If you can verify the media is clean of threats, find out if the data is any good. Ideally, the data on this media should never be the only copy – imagine what happens if you lose the only copy of something or it becomes corrupt or unusable. Think back to the Essential Eight and daily backups of important data. If you no longer need the data, delete or destroy the media (and be wary that there are some good data recovery solutions out there. Personally, I like my claw hammer from Bunnings. Of course, if you have a trustworthy electronics and media recycling company, I’d suggest using them.
Once you have a handle on your data and media, perhaps think about how best to protect it going forward. There are some slick products from the leading security vendors that can really help including Data Loss Prevention (DLP) solutions. Adding some auditing and logging on top of things to stay informed about your data movements is also a good idea. Again, we’re not trying to hinder productivity, just protect your data when it comes to portable media.
If a competitor were to suddenly acquire all the loose and unmanaged storage media laying around your homes and offices, what would they find? What about a cyber-criminal?
How do I make It Work?
If you’re not sure where to begin, feel free to reach out and ask for help. Asking those questions around policy and management of media is a start. Next, figure out where your data is and how it gets there. USB drives. Optical media. Connected peripherals such as phones and tablets (don’t forget digital cameras and the like!) and how they’re connected, either using a peripheral cable or wirelessly. Do these devices contain a replica or master copy of data? Even pictures and videos (not just documents and programs) must be considered.
Set about consolidating your data, sorting, filtering, de-duplicating, whatever is needed to get a solid, trusted data set. Destroy, securely delete, or securely recycle old media. This should help you establish a baseline of control. Review your policies and see if another technical solution and set of control may help such as DLP. If the data especially critical, auditing and logging with reporting and alerting on data movement is a good supplement to your storage media strategy.
In the back of your mind always should be the question “What if” as it concerns the data on the storage media and what could happen to it if you lose it, if it becomes corrupted, or it ends up in the wrong hands.
Implementing technical controls regarding storage media such as blocking access to USB ports or optical drives, or connecting peripherals (cabled or wireless) can also be considered in environments where sensitive data is contained. Balance functionality with security and try to make as few exceptions as possible. Your executive may demand the ability to port around the financial reports on a USB stick, but only if risk is managed accordingly.
Bad things can and do happen to portable media and it’s not indestructible. I once had a laptop fall with a USB stick plugged in that broke off, leaving part of the stick in the drive. With only a single port that could not be used, no current network connection, and few options at the time, I had to be extra careful until I got a chance to connect to a network and back up my work then get the computer repaired (which comes with its own set of challenges in protecting your media). Always exercise care with portable media. Oh yes – magnets. They can be kryptonite to your data.
Ghosts in the Machine:
Using your media in public computers sound attractive enough, but be sure you don’t leave anything behind or connect to computers you don’t completely trust. Think of it like flu season and everything that is touched must be sanitised. People forget things and get distracted, so always account for human error.
The elephant in the room is the fact that portable media is an excellent way to transport malware and all kind of nefarious (there’s that work again) software and data. In addition to controlling your own storage media, be EXTREMELY vigilant when it comes to foreign media. I have encountered “charities” and other organisations on the street handing out USB sticks promoting their causes. I’ve also been to many events where a USB drive is given out for “free” to promote their product yet contains embedded software that cannot be formatted out. Time was that even CDs and DVDs were available with “free” programs full of adware and spyware.
You wouldn’t let your child arbitrarily pick up something off the ground and stick it in their mouth. Why would you do the same with storage media?
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock