USB - Ultimate Security Breakdown?

In March 2005 an apparent attempt by brazen cyber criminals to gather confidential data from the Japanese bank Sumitomo Mitsui thrust another variant of spyware - keyloggers - firmly into the public spotlight.

The plan was to steal £220m ($423m) from the London offices of the bank. The gang is believed to have infiltrated Sumitomo's computer system with keylogging software that would have recorded every keystroke made on the compromised machines, giving them the credentials needed to move the money.

The very real prospect of information theft continues to be the cause of great worry for IT chiefs across all industry sectors.

For retailers it might be customer information or contracts. For developers it may be source code. And of course, for financial services companies, the possibility of passwords, credit card details or other personal information being accessed by an unauthorized party is a nightmarish thought.

Organizations will always be handling a certain quantity of data that they want to keep away from prying eyes.

USB storage devices - whether memory sticks or the apparently innocent iPod - are a highly effective means of carrying confidential information off a machine: login names, passwords and the answers to security questions that people use to gain access to online bank accounts, corporate systems and websites, or any other data stored on a computer system. A device that fits in a pocket and mounts as a drive in seconds leaves no trace on the network perimeter.

The National High-Tech Crime Unit has gone on record to describe USB devices as the 'Swiss army knife of the cyber criminal' and has warned businesses to be on their guard. Unfortunately the real extent of the USB security threat has been distorted by the hype cycle as more and more security vendors jump onto an already overcrowded bandwagon.

With new security vulnerabilities appearing all the time and the misinformation campaign running at full force, IT administrators are constantly on their guard for the next big scare story.

Rather than adding a new security tool every time a new type of threat appears on the scene, enterprises should adopt a white-listing approach so that complex policy can be enforced in a simple and straightforward fashion.

The security tools market has become fragmented, with organizations frantically buying one product to chase viruses, another for spyware and yet another for intrusion prevention.

It would be wise to shift the focus away from the attack vector and pay close attention to the end-point, by preventing any executable or device that has not been explicitly approved from running on, or connecting to, machines on the network.

This way it is possible to turn the world of blacklisting, patching and the constant updating of signatures on its head, with IT staff no longer being confronted with the hassle of having to second guess what the next security risk will be.

The popular reactive approach of security vendors serves only to perpetuate their own business model of updates and patches. Instead, an enterprise can equip itself to protect its networks from existing and future malware and USB device abuse, reducing total cost of ownership by managing IT security, support and human resources more effectively.

White-listing or 'default deny' can be applied to both hardware and software to ensure that only the applications and devices that have been expressly allowed to run on the enterprise network can do so; anything outside the IT chief's specification is barred, whether or not anyone has yet recognized it as a threat.

'White-listing' is a far more versatile technique for control and administration. It lets companies nip security problems in the bud and assures them that they do not have to be constantly on the lookout for the next scare story.
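To make the default-deny idea concrete, here is an added example written for this page; it is not SecureWave's product or code. It models a single enforcement point that evaluates USB device descriptors (vendor ID, product ID, serial number, interface class) against an allow list, and evaluates executables by their SHA-256 hash against a second allow list, denying everything else. The device IDs, serial numbers and executable bytes are constructed for the example; on a real host they would come from the operating system's device enumeration and from hashing the binary on disk. The class-level exemption for HID devices (keyboards and mice) is an assumption about what a site would want to leave open, not something the article specifies.

```python
"""Default-deny ('white-list') policy for USB devices and executables.

Added example for this page, not SecureWave's code. All device identifiers,
serial numbers and executable contents below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

USB_CLASS_HID = 0x03           # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08  # memory sticks, iPods in disk mode


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_class: int


@dataclass(frozen=True)
class DeviceRule:
    """One allow-list entry. serial=None permits any unit of that model;
    a concrete serial permits only that single device."""
    vendor_id: int
    product_id: int
    serial: Optional[str] = None

    def matches(self, dev: UsbDevice) -> bool:
        return (dev.vendor_id == self.vendor_id
                and dev.product_id == self.product_id
                and (self.serial is None or dev.serial == self.serial))


class DefaultDenyPolicy:
    """Anything not explicitly listed is denied; no signatures are consulted."""

    def __init__(self, device_rules: Iterable[DeviceRule],
                 executable_hashes: Iterable[str],
                 open_classes: Iterable[int] = (USB_CLASS_HID,)) -> None:
        self.device_rules = tuple(device_rules)
        self.executable_hashes = frozenset(h.lower() for h in executable_hashes)
        self.open_classes = frozenset(open_classes)  # assumption: HID left open site-wide

    def decide_device(self, dev: UsbDevice) -> Tuple[str, str]:
        if dev.interface_class in self.open_classes:
            return "allow", f"interface class 0x{dev.interface_class:02x} permitted for all devices"
        for rule in self.device_rules:
            if rule.matches(dev):
                return "allow", f"matches allow-list entry {rule}"
        return "deny", "no allow-list entry (default deny)"

    def decide_executable(self, path: str, content: bytes) -> Tuple[str, str]:
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.executable_hashes:
            return "allow", f"{path}: sha256 on allow-list"
        return "deny", f"{path}: sha256 {digest[:16]}... not on allow-list (default deny)"


# Constructed stand-ins for binaries; a real deployment hashes the files on disk.
APPROVED_TOOL = b"MZ\x90\x00 constructed bytes standing in for an approved binary"
UNKNOWN_DROPPER = b"MZ\x90\x00 constructed bytes standing in for an unknown keylogger dropper"

# Example IDs only; the vendor/product values are not a statement about real hardware.
POLICY = DefaultDenyPolicy(
    device_rules=[
        DeviceRule(0x0951, 0x1600, serial="CORP-ISSUED-0042"),  # one specific corporate stick
        DeviceRule(0x04b4, 0x6560),                              # any unit of an approved hub model
    ],
    executable_hashes=[hashlib.sha256(APPROVED_TOOL).hexdigest()],
)


def demo() -> dict:
    """Run the policy over constructed devices and executables; returns verdicts by name."""
    devices = {
        "corporate stick": UsbDevice(0x0951, 0x1600, "CORP-ISSUED-0042", USB_CLASS_MASS_STORAGE),
        "same model, personal unit": UsbDevice(0x0951, 0x1600, "PERSONAL-7781", USB_CLASS_MASS_STORAGE),
        "iPod in disk mode": UsbDevice(0x05ac, 0x1201, "IPOD-1", USB_CLASS_MASS_STORAGE),
        "approved hub": UsbDevice(0x04b4, 0x6560, "HUB-0099", 0x09),
        "keyboard": UsbDevice(0x046d, 0xc31c, "", USB_CLASS_HID),
    }
    verdicts = {name: POLICY.decide_device(dev)[0] for name, dev in devices.items()}
    verdicts["approved tool"] = POLICY.decide_executable("C:\\tools\\approved.exe", APPROVED_TOOL)[0]
    verdicts["unknown dropper"] = POLICY.decide_executable("E:\\autorun\\setup.exe", UNKNOWN_DROPPER)[0]
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5s}  {name}")
```

Two practical caveats the article does not spell out. First, a USB device can present several interfaces at once (a composite device), so a real enforcement point must evaluate every interface, not just the first; a device that looks like a keyboard on one interface and a disk on another should not be waved through on the keyboard alone. Second, allow-listing executables by hash does not remove the need to patch: every vendor update changes the hash and must be re-issued to the list, and an allowed application that has a vulnerability remains exploitable until it is patched. What default deny does remove is the dependence on a signature existing before an unknown binary or device is blocked.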

Dennis Szerszen is VP of SecureWave (www.securewave.com), an endpoint security specialist.

February 2006