Physical Security Considerations: Data Extraction
Do you have one of those USB pendrives? Maybe an MP3 player? How about a USB watch? Or a mobile phone with a USB port? And how many work on a computer with USB ports? Now, of those with your hands raised, how many work with data which could be considered confidential? Now, consider you’re an employer, you run a business working with various forms of sensitive, confidential, perhaps even classified information. Trade secrets, financial reports, medical records, personnel records… Take a look at the sea of people with their hands still raised. These are yet another security threat facing your business.
Indeed, most information security attacks on businesses are from within. Usually, disgruntled employees, or simply those offered money in exchange for information, who use their access to the network to plant trojans, viruses, worms, rootkits, or backdoors and to steal data.
If you have a fairly secure Internet setup, you’ve set up scanning on e-mail attachments, to stop viruses getting in, or sensitive data getting out. You’ve restricted access to remote FTP servers, you have passwords on every computer, so an intruder can’t gain access easily.
But have you considered the USB ports? An employee could easily attach a thumbdrive to a USB port and copy files across to it, and the usual network security policies do nothing to protect against this.
There are, of course, some ways you can prevent this kind of information leak. An obvious one is to simply lock the computers into a metal case. This is often done in schools to prevent children unplugging the mouse, or plugging in things they shouldn’t, and is a very effective way to prevent this kind of attack. Of course, it looks ugly, and may limit the productivity of staff if, for example, they rely on using CD-ROMs.
A second approach is to use system policies to prevent access to removable storage, and a third approach is to disable the USB hardware, in the hardware manager on Windows. This will prevent the thumbdrive being detected when it is plugged in.
Unfortunately, many modern computers also use USB mice, keyboards, and printers, so the third solution is not always the best. A combination of these three policies should help to prevent this kind of attack, but remember, a determined attacker will usually succeed, eventually. In that situation, the best you can hope for is to hold them off long enough to detect the attack and deal with it in a physical sense (terminating employment, pursuing legal means, etc…).