Portable storage devices are a threat to data confidentiality and this threat is not recognised in the majority of organisations. Vice president Eric Ouellet of research for security at Gartner Inc. in Stamford said in a recent article that as little as 10% of enterprises have policies that deal with removable storage devices. This low recognition is not due to inabilities of controlling the problem as there are solutions available. (Mearian, March 2006) Data confidentiality can be explained quite simply as the access of data by the predetermined authorized people or systems. Many organisations spend hundreds and sometimes hundreds of thousands of dollars on network and computer security and therefore data confidentiality. Innocently or intentionally guests, employees and visitors who have access to any workstation can breach and hence create a threat to data confidentiality quickly and furtively. Through the use of portable storage devices data confidentiality could be breached in an organisation in a number of ways these include physical theft of a storage device in order to retrieve data i.e. hard drive and copying the data with the aid of various devices such as a flash drive (Pfleeger, 2003)
Physical theft of storage devices would be the most obvious breach in data confidentiality. Since many of today’s systems are backed up onto portable storage devices themselves, physical theft of such as device creates a direct threat to any organisation. Encryption of portable storage devices makes stolen information and the device useless to thieves. This also ensures forensic retrieval is not carried out after a hard drive has been thrown out or lost/stolen.
Forensic retrieval can be used to retrieve data from magnetic media since data can potentially still be retrieved even if it is overwritten or formatted.
There are many portable storage devices available, the most popular being USB (Universal Serial Bus) drives or flash drives. Whilst there are different versions of flash drives which use different connection types such as firewire, this report will focus on the more common and universal USB connection. In today’s society increasing demand for ubiquitous computing, is causing devices to become smaller and have more memory capacity. With USB flash drives now around 10cm and smaller and capable of between 8MB (megabytes) and 64GB (gigabytes) storage. Retrieval of sensitive data would be extremely easy, assuming the attacker had unrestricted physical access as well as virtual access such as passwords and USB ports are not disabled. Through USB’s larger memory sizes, compared to older technologies such as floppy drives which only have 1.44MB storage, a potential theft is able to store copious amounts of data on such a device. Large databases of sensitive information such as hospital and government records could be copied on to these devices with ease. USB devices have a limited number of write erase cycles and write operations gradually slow as the device ages. Running applications from a flash drive, although viable, to breach data confidentiality is not the best option since running software or an operating system means undertaking a lot of read write cycles and a better option would be to use a portable hard drive, because of this policies need to be made to restrice the execution of software of external hard drives. (USB Flash Drive, Wikipedia 2006)
Not only could sensitive files be copied (assuming unrestricted access) other devices such as key loggers, which store key strokes inputted on a keyboard. Storage devices like these could be used to gain access to confidential data at a later date through logged passwords and access methods. Furthermore malware such as virus, spyware, adware could be loaded from the portable storage devices, either unintended or intentional which would lead to data attacks.
Other devices include CD/DVD burners and external hard drives. Although these devices are less portable since they are much larger making them harder to hide and a user could easily be caught breaching data confidentiality by a security administrator or staff member.
However one could argue that in order for organisations to go about there daily proceedings they would need CD/DVD burners, thumb drives and external hard drives. In this scenario utilising software such as Device Shield, software developed by Layton technology which allows the administrator to gain full control of every port, drive and individual devices, ensuring efficiency of the organisation is not compromised. Device Shield also captures history of actions attempting to access blocked devices/ports etc creating a tracing route if confidentiality is breached. Device Shield and similar software which is available could be used in conjunction with policies referring to portable storage devices to create a secure working environment. (Device Shield: Protection against the threat from within, 2006)
Robb, D. (October, 2006) Backups gone badly retrieved October 16, 2006 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=&articleId=266212&taxonomyId=019&intsrc=kc_li_story
Latamore, G. B. (October, 2006) How to Back Up your PDA retrieved October 16, 2006 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=&articleId=265905&taxonomyId=019&intsrc=kc_li_story
No author, (2006) Sanctuary device control retrieved October 16, 2006 from http://www.securewave.com/sanctuary_usb_endpoint_security_software.jsp?gclid=CNCKkNPa_4cCFUpkDgodhkDnFw
Bolan C. (2006) Hardware Security and Data Security, Edith Cowan University, retrieved October 15, 2006 from MYECU lecture slides
Mearian, L. (March, 2006) IT Managers See Portable Storage Device Security Risk retrieved October 14, 2006 from http://www.computerworld.com/hardwaretopics/storage/story/0,10801,109680,00.html
Pfleeger. C. P & Pfleeger, S.L. (2003) Security in Computing 3rd Ed, Upper Saddle River, New Jersey, Prentice Hall Professional Technical
No Author, (2006) Device Shield: Protection Against The Threat From Within retrieved October, 15, 2006 from http://www.deviceshield.com/pages/deviceshield.asp?crtag=google&gclid=CP7jntHa_4cCFUdtDgodTkbyHg
Wikipedia, (2006) USB Flash Drive retrieved October 16, 2006 from http://en.wikipedia.org/wiki/USB_Flash_Drive