Published on August 1st, 2018 | by Kevin McTiernan
Does Banning USB Drives Really Stop Data Loss?
In May of this year, IBM announced to employees that it would be “prohibiting data transfer to all portable storage devices.” This had already been the practice in certain parts of IBM and was extended company-wide. The reason given for the ban is to prevent “the possible financial and reputational damage from misplaced, lost or misused removable portable storage.” But the question is: does this mean that data loss will stop?
The US Military put a similar ban in place (for a different reason) in 2008 after Agent.BTZ. If you’re not familiar with what transpired, a USB flash drive was left in the parking lot of a DoD facility in the Middle East. The drive was picked up and plugged into a laptop connected to United States Central Command, and the laptop became infected with Agent.BTZ. From there, the worm moved laterally to other systems on the SIPR (secret) and NIPR (sensitive/unclassified) networks. It was considered the “worst breach of U.S. military computers in history.” The US Military spent 14 months eradicating the worm. To prevent a recurrence, the DoD issued a ban on all removable storage in an operation called “Operation Buckshot Yankee.” That ban remained in place for 15 months until a policy governing the use of such media was established. Part of that policy limited who could use such devices (system administrators) and required that the only devices used be those purchased by the Department of Defense.
In 2010, PFC Manning began a process of stealing and leaking sensitive US Embassy cables and US intelligence information. Manning got around the USB ban by bringing in a CD-RW of a Lady Gaga album, deleting the music once at her desk, and filling the CD with sensitive information. Once offsite with the CD in hand, the data was later transferred to Wikileaks. The gap here was that the ban did not apply to optical media. In 2013, Edward Snowden, an NSA contractor, used a USB drive to steal an estimated 1.7 million documents detailing the most sensitive intelligence-gathering methods and tradecraft used by the US Government. As a system administrator, Snowden fell under one of the exceptions granted to the 2008 ban on removable storage. While Manning’s leaks were an embarrassment, Snowden’s leaks had a material impact on US national intelligence and defense and serious consequences for US partners.
The lesson here is that a solution to one problem may unknowingly create another. If you have taken or will take similar actions, consider this scenario: a well-intended employee with a tight deadline finds that the authorized way to move data from A to B will take far too long. What may happen next? They may attach your sensitive information to an email message or upload it to a free cloud service. Now your sensitive information is on the Internet and outside of your control. Your obvious questions, once this is discovered, might be: how tight are the storage service’s security procedures; how strong is your employee’s password; who has access to the storage service account; where was that file opened, and has it been cleared from that computer’s cache; has it been copied anywhere else; and are you sure it has been deleted completely? Chances are that you did not see the movement of your data to the cloud, and the odds are that you won’t know about it until a reporter asks you for comment and you are asked to visit the CEO. What can you do to gain that visibility and find those actions?
Insider Threat Detection
SS8 Insider Threat Detection (ITD) monitors every byte of every flow on your network at key aggregation points, providing visibility into all communications on your network. ITD detects suspicious behaviors, such as data hoarding, off-hour usage, and malicious insiders moving around on or moving data off your network, all in real time. Every event is stored in our Security Analytics engine to provide years of high-fidelity history and recursive analytics as new behaviors are found. Capture and forensics tools help your team investigate behaviors and secure evidence. Intuitive search and visualizations give your investigators the insight to act. SS8’s nearly twenty-year legacy in the law enforcement and intelligence space is reflected in the optimized workflows and analytics of SS8 ITD.
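As an added illustration of two of the behaviors listed above (off-hour usage and unusually large volumes of data leaving the network toward cloud storage or webmail), here is a small detection routine run over constructed flow records. This is example code written for this page, not SS8's product; the host names, thresholds, user names and flow records are all assumptions.

```python
"""Hypothetical detection over constructed network flow records: flags outbound
transfers to external file-sharing or webmail hosts that occur off-hours or are
far above the user's normal upload volume. Illustrative only; not SS8 ITD code."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flows: (timestamp, user, destination host, bytes sent)
FLOWS = [
    ("2018-07-30T10:15:00", "alice", "intranet.corp.example", 2_000_000),
    ("2018-07-30T11:02:00", "alice", "drive.example-cloud.test", 1_500_000),
    ("2018-07-31T09:40:00", "alice", "drive.example-cloud.test", 1_200_000),
    ("2018-08-01T02:10:00", "alice", "drive.example-cloud.test", 900_000_000),
    ("2018-07-30T14:00:00", "bob", "mail.example-cloud.test", 300_000),
    ("2018-07-31T13:30:00", "bob", "mail.example-cloud.test", 250_000),
    ("2018-07-31T15:45:00", "bob", "mail.example-cloud.test", 40_000_000),
]
# Assumed list of external storage/webmail hosts worth watching (placeholders)
EXTERNAL_STORAGE = {"drive.example-cloud.test", "mail.example-cloud.test"}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time counts as normal
VOLUME_FACTOR = 10              # alert when an upload exceeds 10x the user's median


def detect(flows, hosts=EXTERNAL_STORAGE):
    """Return (user, timestamp, host, reason) tuples for suspicious uploads."""
    per_user = defaultdict(list)
    for ts, user, host, nbytes in flows:
        if host in hosts:            # only traffic leaving toward watched hosts
            per_user[user].append((ts, host, nbytes))
    alerts = []
    for user, uploads in per_user.items():
        # Median is robust to a single huge outlier; floor at 1 to avoid /0
        baseline = max(median(n for _, _, n in uploads), 1)
        for ts, host, nbytes in uploads:
            reasons = []
            if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
                reasons.append("off-hours")
            if nbytes > VOLUME_FACTOR * baseline:
                reasons.append("volume %dx baseline" % (nbytes // baseline))
            if reasons:
                alerts.append((user, ts, host, ", ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

In a real deployment the baseline would be built from weeks of history per user rather than from the same records being scored, and the watched-host list would come from your proxy or DNS categorization.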
Does blocking of portable storage actually stop leaks?
Coming back to the original question: does blocking portable storage actually stop leaks? As a singular act, I would say the answer is no, and the leaks we read about weekly demonstrate this far too well. No ban is absolute; waivers will need to be granted, and in those waivers the risks form. Where waivers aren’t granted, your employees (well-meaning or malicious) will turn to alternatives to removable storage, such as cloud storage. To spot this activity, you need visibility. You need SS8 Insider Threat Detection.
Kevin is responsible for leading the vision, design, and delivery of SS8’s government solutions, including the Xcipio compliance portfolio. His deep knowledge of the telecommunications and network security industries spans 20 years, with extensive experience in the areas of cyber security, network forensics, big data, fraud detection, and network monitoring.