The Power Of The Internet – small

While I’m talking about the power of the Internet, it is also worth mentioning that, just as you can attack a whole country, it is also very easy to pick up tools on the web to test your own company’s security. One of my favourites for showing how easily employees can inadvertently give away information is the USB Switchblade / HackSaw. So, here’s the plot: buy a few USB memory sticks, load up Switchblade (it does need a little configuration) and then leave them around the organization, for example in the cafeteria or on the reception desk. Then just sit back and wait for the results. They come when someone picks up a USB key and plugs it into their system: the software then collects and reports back password hashes, LSA secrets and IP information. The whole process takes about 20 seconds. We can’t ignore the fact that these tools exist, because they do, and you can’t keep a secret for long, at least not when the Internet is involved.

What now? Well, it is time to educate folks that picking up USB sticks (and CD-ROMs) from untrusted sources can be ‘dangerous’. And while you should update the relevant policies, you can’t rely on them to stop people from doing silly things, so this might be the time to put a solution in place to prevent unauthorized USB devices from stealing your data.

To USB Or Not To USB

A US agency announced that it was going to give USB drives to its employees in order to mitigate the risk of data loss and eliminate the use of unsanctioned USB storage. The USB keys are encrypted and password protected, so it all looks good. However, they seem to have missed a number of important issues. Unless they have additional software-based management in place, there is nothing to stop people from using their own devices. USB keys are frequently mislaid (which is why data loss is an issue); however, most people have more than one, ‘just in case’. Not all data is equal when it comes to data loss, so there needs to be policy based on content: if the information is sensitive, it should be encrypted; if it isn’t, then perhaps it doesn’t need to be encrypted. USB keys are most often used for transferring benign information such as presentations, and if encryption makes that harder to share, people will look at other ways to transfer the information.
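To see how far issuing sanctioned drives actually gets you, the following added example (not part of the original post) audits which USB storage devices a Windows host has seen and flags any that are not on the issued list. The serial numbers are placeholders and the function name `Get-UsbStorageHistory` is hypothetical; it only reports, it does not block anything.

```powershell
# Added example: list USB mass-storage devices this host has seen and flag
# those that are not company-issued. Read-only; run on the endpoint itself.

# Assumption: serial numbers of the issued drives (placeholders, replace them).
$SanctionedSerials = @(
    'PLACEHOLDER-SERIAL-0001',
    'PLACEHOLDER-SERIAL-0002'
)

# Windows records every USB storage device it has enumerated under this key.
$UsbStorRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorageHistory {
    if (-not (Test-Path $UsbStorRoot)) { return }

    # First level: one key per vendor/product/revision string.
    foreach ($model in Get-ChildItem -Path $UsbStorRoot) {
        # Second level: one key per physical device, named "<serial>&<n>".
        foreach ($instance in Get-ChildItem -Path $model.PSPath) {
            $id     = $instance.PSChildName
            $serial = ($id -split '&')[0]

            # If the second character is '&', the device reported no serial
            # and Windows generated the ID, so it cannot match an allow-list.
            $generated = ($id.Length -gt 1 -and $id[1] -eq '&')

            $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Model         = $model.PSChildName
                Serial        = $serial
                FriendlyName  = $props.FriendlyName
                HasRealSerial = -not $generated
                Sanctioned    = (-not $generated) -and ($SanctionedSerials -contains $serial)
            }
        }
    }
}

# Report every device that is not on the issued list.
Get-UsbStorageHistory |
    Where-Object { -not $_.Sanctioned } |
    Sort-Object Model |
    Format-Table -AutoSize
```

Any rows in the output are devices people plugged in besides the issued ones, which is the gap that software-based device management has to close.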

The idea of company-issued USB flash drives is not a new one, but remember to think through what people actually use them for rather than assuming it is always for sensitive information.