Aijaz’s Blog

Dear Netizens,
Following is my 1st blog ever posted on internet.

Introduction and Purpose of Project Paper

Background
What is USB?
Security Aspects
Possible Solutions
Summary
References

While thinking over various areas within the ambit of Information Security, I think
the following paragraphs shall help you understand one of the most important
devices that have actually made our life
portable.

Once Alfred Nobel found that

whatever can be used for good
can also be used for evil.

The availability USB ports in

today’s workstations, laptops,
game consoles etc have provided
lots of opportunities but also has
opened new chapters on information
security. Unbelievably, the USB
based tiny practically un-noticeable
drives have reached the capacity of
8GB (MP3 and mobile video players have
already crossed the 100GB storage
capacity).

Information Technology has different

shapes and usages. More specifically it
comes in intangible shapes (skills,
knowledge, expertise, know-how ) and
tangible shapes (equipment,
machinery and tool) shapes. I will
focus over one tangible aspect
(device) of technology called Universal
Serial Bus based Personal Storage
Devices (PSDs).

The need and importance of more fast, accurate, nonvolatile storage media was
felt during various innovative periods. The ultimate birth and usage of key-sized
PSDs have solved that problem to a greater extent. Carrying all the features of
portability, accuracy, simplicity, speed and non-volatility, it can store information,
business proposals, accounts, client’s details, marketing plans and whatever u
think, they are being used for different purposes as listed below;
1 | Page
 1. Used for the huge storage purposes ( various data in text and
multimedia form)
2. Used for transporting large files to any remote location
3. Used for back-up files
4. Administrators used it as a portable toolkit that includes recovery
tools, drivers, system update and diagnostic utilities.
5. Used for the authentication and identification purposes
6. Used as a biometric device
While discussing the security issues involving the usage of PSDs for different
purposes, one thing is quite clear that they are pocket sized ultra portable storage
devices that can be instantly accessed from any PC with a USB port.

Here I feel it shall be beneficial for the readers if I first shall discuss in brief the
Corporate IT Security Infrastructure.

With the help of a properly designed and

implemented security policy, various
configurations were usually put into place to
protect the information and information assets
from both internal (employees, vendors,
suppliers etc ) and external (former
employees, hackers, crackers etc) threats and
risks. The network security can be protected
through the use of antivirus software, IDS
and firewalls. But as for as PSDs are concerned
they work like plug and play (PnP).

Any individual can plug any PSD and retrieve

confidential, sensitive and important data /
information from both standalone and network
supported workstation in just few seconds thus
opening new chapters on information systems
security threats.

What is USB: USB is a plug and play interface

between a computer and add-on devices. USB
helps to add new device with your computer
without using any adapter card or even
having turn to computer off. The BUS in USB was
developed by a consortium of Compaq,
IBM, DEC, Microsoft, NEC and the technology is
available without any charge for all computers,
devices and vendors. It usually supports a speed
of 12 mps. The subject speed therefore can easily accommodate a wide range of
text and multimedia based devices.

Risks and Threats: Various firewalls, antivirus software do not provide any
defense at the local end points from data theft etc. Following is the list of possible
risks and threats an organization can face from the PSDs.
 Aijaz’s Blog

Viruses: While reading various research papers on internet, I found that

during 1980s, floppy disks were the primary sector for spreading computer
viruses. During 1990s Bulletin Board Systems (BBS) became the primary
source for infection. With the innovation and usage of E-commerce and web-
based technologies after 1995, email became the major source used for to
spread viruses. Likewise, administrators were controlling all those threats by
installing antivirus software, IDS and firewalls. But the usage of UBS based
devices have bypassed almost all these security policy initiatives and
reminded us the nightmares of previous decades.

How one can spread and/or implant virus through PSDs: As stated
earlier that PSDs are fast and can hold large amount of data ranging from
10MB to 100 GB.

3 | Page
 Users can either bring with themselves the infected documents from home
or they can take home the document to an infected PC, use and update it
and bring it back to the corporate PC. As we know that antivirus software is
working reactively i.e. can only identify the viruses which have been
previously identified. PSDs can bring a new virus that would be nearly
impossible to be detected and prevented by the antivirus software.

Malicious Software: Besides viruses, the ability of PSDs to store and retrieve text
and multimedia based information would create new problems for the corporate
world to look after the malicious software
more carefully and aggressively. User can
bring in unauthorized software or data files
like shareware programs, software pranks, MP3
files, video clips, pornography etc that
would ultimately affect productivity and
increase the violation of corporate security
policy. Previously due to the limited storage
capacity of floppy disks, it was not possible to
visibly affect the productivity etc.
therefore any one use USB device to upload
potentially harmful software or viruses into
the company IT infrastructure.

Data Theft: There is a direct relationship

between the storage capacity and
the quantity and quality of data theft.
Heavy and portable media storage media
would increase the quality and quantity of
data theft from more than one
locations inside an organization. One can
easily figure out the total volume of data
that can be stolen from an organization on
a pen size storage device. For example,
Continuity Central explained that an
average word processing file is 3
pages in length and between 25K and 30K.
That means a 20MB MP3 player could hold
over 750,000 documents. Therefore
any one can bring the PSDs and download hundred megabytes of
proprietary information. More precisely, one can now easily move the
important files from office to home on PSDs, DVDs or other removable
media.

No Encryption: Nearly all the mobile storage device users do not use any
form of encryption algorithm to protect their data.

Data Loss: On the other side the portability and size of PSDs opens the new
doors of data loss that could fall into the wrong hands. Most of these devices
don’t have any satisfactory or nil built-in security features that could help to
protect the data. These devices loaded with important data / information can
easily be stolen and even borrowed. Therefore there storage is another issue
 Aijaz’s Blog

need to be discussed in detail.

Nearly invisible: The size of the PSDs is another security threat. No

biometric device can detect them and its nearly impossible to note their
movement to and from an organization. More precisely, a 5GB USB storage
device is less than the half of the size of Yo-Yo and features a real disk drive
spinning at 3600 rpm.

5 | Page
 Beyond everything: Different forms and shapes of USB supported devices
are increasing day by day and creating equal problems for the corporate
world. A fast changing scenario from plug and play to plug and steel now
has different faces to look after. For example USB ports accommodate
Cameras, modems, network interfaces, printers, adapters, audios, Bluetooth,
cables, CD-RW, data transfer, extenders, enclosures, forensic, telephones,
scanners etc.

Bulk endpoints (USB ports):

While looking at most of the hardware, we can see that most of these single
systems have up to eight USB ports or multiple entry points into an enterprise IT
network (but if one uses the USB distributors,
than he/she can create as many USB ports as
he/she wants) Built in feature of plug and play
configurations of famous and widely used
operating systems like Microsoft windows XP
has made the situation further aggravated and
almost all the Operating Systems provide a
native and seamless support for USB devices.
All the USB mass storage devices are supported
by usbstor.sys in Microsoft windows sever
2003, 2000 and XP software, which is
loaded using PnP hardware identifies
(HWID) matching in usbstor.inf.

Lightening Speed: The heavy

storage facility when comes with high
speed than information security
management would be like playing
tennis on the soccer ground. The
most recent revision of the USB 2.0
specification works at the speed of 480
Mbps. It should be clarified here that USB
speed mean the maximum speed of the
USB interface on a USB device or USB port
and this actually have nothing to do with
the USB device itself.

Audit Limitations: Most of

the corporate networks do not audit
what data a user copies to a local machine or attached device.

Physical Access Control: It would be really difficult to prevent the

employees bringing devices and media into the office. As discussed, they
can be easily missed in a pocket, briefcase therefore keeping these devices
out of the company is virtually impossible.

No group Policy Implementation: One cannot manage the PSDs via

group policy.

Customization: Small size, more customization look and built in features

 Aijaz’s Blog

have made the PSDs more undetectable in normal conditions. They are
being produced at the larger scale in the shape of pen, key chains, lighter,
mobile phone, cameras, MP3 etc.

Possible Solutions: Practically speaking, it’s nearly impossible to protect

the corporate data from all those USB based PSDs. The information and
information systems security is very dynamic field, opens new chapters on
new security threats and risks. Their success and failure largely depends
how it is managed?

7 | Page
While discussing the security aspects I would give due weightage to the
management and social engineering aspects of information systems security.

Proper Management: The role of administrator and higher management

always comes first followed by other administrative issues. Management
through IS policy formulation and implementation can successfully reduce
(minimize) the chances of all those threats and risks produced by PSDs.
More precisely what a corporation can and cannot enforce and protect
through the use of simple, usable and easily managed security solutions.
The breach of any privacy and human rights legislation would produce
enormous problems and difficulties for the corporations, which would result
into the loss of competitive advantage and productivity.

The practicability issues to stop employees from using USB based storage devices
would nearly be impossible. But a clear understanding can help in this regard. For
example, employees can be clearly instructed
(even can be written in their employment
contract) that the use of non-company devices to
their workstations and other peripherals is not
allowed. Briefly speaking, proper
management is concerned with
‘Educating the security personal’.

Social Engineering: This non

technical kind of intrusion is getting more
importance and attention from the
security policy makers. Employee’s
education and awareness plays more
solid role than simply configuring your
systems with certain restrictions and
limitations which can be easily
compromised. For example: security
features and configuration designed
and implemented in windows based
operating systems can be easily bypassed
by installing the LINUX operating systems
through a CD drive. The user than
excess all the files and download them on
USB based PSDs. Afterwards; he can
restore the previous windows
operating system by simply removing the
Linux CD and restarting the system.
Briefly speaking, social engineering is
concerned with ‘Educating your users’.

Logging the downloaded files: The most effective technical aspects

which will help to supervise the usage and movement of data files is if an
administrator log each and every amount of data files that a user downloads
from different sources. The access to log files should be properly controlled
and monitored.
 Aijaz’s Blog

Password protected: Well at a basic security level and to encourage the

usage of USB based memory sticks, it would be safe if the security policy
clearly defines and encourage the usage of passwords on storage media,
which are loaded with corporate data and information. Further, information
in encryption form would be more secure to be used and stored for longer
period of time on the USB based devices.

Third part software: Devicelock: It’s a software based solution that can
control USB device permissions. It actually enforces granular controls over a
broad range of host devices and ports.

Disable USB ports: At the most primary security level, one can disable or
restrict the usage of USB ports.

Summary:

One cannot deny the advantages and benefits associated with the USB based PSDs
but one thing is clear that it needs to be looked-after properly and given an equal
importance and space in the corporate security policy. While reading the various
related papers I found that the security over PSDs is more focused towards the
supervision and less on controls.

The availability of enormous storage

capacity in PSDs have not made them the
primary hard disk solutions but they are
being used in conjunction with the
primary storage devices. The portability, durability
and non-volatility, user friendly, cheap and
appeal have made them a near substitution to
laptops.

The subject transient storage devices are still

being used at a larger scale without the
backing of a proper standard protocol. The
IEEE is in the process of developing the protocol
for Authentication in Host Attachments of
Transient Storage Devices (P-1667), which
will define the methods for authenticating PSDs
when they are connected to host computers in
Corporate, Governments, and Academics etc.

Regarding the use of USB based PSDs for

logical and physical access purposes; I found
that come corporations are using these memory
sticks to store passwords and even fingerprints to
access the corporate information system and
strategic locations. Once entered into the USB
port, system will detect the password and allow
the access. Likewise a built-in finger print reader will allow the person to hold the

9 | Page
finger on the fingerprint pad followed by entering the memory stick in the USB port
for necessary physical and logical access.

A more detailed research on the risks and advantages associated with the USB
based PSDs being used in a specific industry and the associated policy and tools
employed to protect the lager corporate data, would provide more concrete proof
on these solid state storage devices

Thanking you

Aijaz Ahmed Shaikh

 Aijaz’s Blog

Ready References:

1. IEEE Standards Association:

http://standards.ieee.org/announcements/pr_p1667.html

2. Continuity Central:
http://www.continuitycentral.com/feature0184.htm

3. Linux and USB project:

http://www.linux-usb.org/

4. Microsoft Corporation:
http://www.microsoft.com/whdc/device/storage/usbfaq.mspx

5. lab mice.com
http://labmice.techtarget.com/articles/usbflashdrives.htm

11 | P a g e