Dear Netizens,

Following is my 1st blog ever posted on internet.

Background
What is USB?
Security Aspects
Possible Solutions
Summary
References

While thinking over various areas within the ambit of Information Security, I think the
following paragraphs shall help you understand one of the most important devices that have
actually made our life portable.

Once Alfred Nobel found that whatever can be used for good can also be used for evil.

The availability USB ports in today’s workstations, laptops, game consoles etc have provided
lots of opportunities but also has opened new chapters on information security. Unbelievably,
the USB based tiny practically un-noticeable drives have reached the capacity of 8GB (MP3 and
mobile video players have already crossed the 100GB storage capacity).

Information Technology has different shapes and usages. More specifically it comes in
intangible shapes (skills, knowledge, expertise, know-how ) and tangible shapes (equipment,
machinery and tool) shapes. I will focus over one tangible aspect (device) of technology called
Universal Serial Bus based Personal Storage Devices (PSDs).

The need and importance of more fast, accurate, nonvolatile storage media was felt during
various innovative periods. The ultimate birth and usage of key-sized PSDs have solved that
problem to a greater extent. Carrying all the features of portability, accuracy, simplicity, speed
and non-volatility, it can store information, business proposals, accounts, client’s details,
marketing plans and whatever u think, they are being used for different purposes as listed
below;

1. Used for the huge storage purposes ( various data in text and multimedia form)
2. Used for transporting large files to any remote location
3. Used for back-up files
4. Administrators used it as a portable toolkit that includes recovery tools, drivers, system
update and diagnostic utilities.
5. Used for the authentication and identification purposes
6. Used as a biometric device

1|Page
While discussing the security issues involving the usage of PSDs for different
purposes, one thing is quite clear that they are pocket sized ultra portable storage
devices that can be instantly accessed from any PC with a USB port.

Here I feel it shall be beneficial for the readers if I first shall discuss in brief the Corporate IT
Security Infrastructure.

With the help of a properly designed and implemented security policy, various configurations
were usually put into place to protect the information and information assets from both
internal (employees, vendors, suppliers etc ) and external (former employees, hackers, crackers
etc) threats and risks. The network security can be protected through the use of antivirus
software, IDS and firewalls. But as for as PSDs are concerned they work like plug and play
(PnP).

Any individual can plug any PSD and retrieve confidential, sensitive and important data /
information from both standalone and network supported workstation in just few seconds
thus opening new chapters on information systems security threats.

What is USB: USB is a plug and play interface between a computer and add-on devices. USB
helps to add new device with your computer without using any adapter card or even having
turn to computer off. The BUS in USB was developed by a consortium of Compaq, IBM, DEC,
Microsoft, NEC and the technology is available without any charge for all computers, devices
and vendors. It usually supports a speed of 12 mps. The subject speed therefore can easily
accommodate a wide range of text and multimedia based devices.

Risks and Threats: Various firewalls, antivirus software do not provide any defense at the
local end points from data theft etc. Following is the list of possible risks and threats an
organization can face from the PSDs.

Viruses: While reading various research papers on internet, I found that during 1980s,
floppy disks were the primary sector for spreading computer viruses. During 1990s
Bulletin Board Systems (BBS) became the primary source for infection. With the
innovation and usage of E-commerce and web-based technologies after 1995, email
became the major source used for to spread viruses. Likewise, administrators were
controlling all those threats by installing antivirus software, IDS and firewalls. But the
usage of UBS based devices have bypassed almost all these security policy initiatives
and reminded us the nightmares of previous decades.

How one can spread and/or implant virus through PSDs: As stated earlier that PSDs
are fast and can hold large amount of data ranging from 10MB to 100 GB.

2|Page
Users can either bring with themselves the infected documents from home or they can
take home the document to an infected PC, use and update it and bring it back to the
corporate PC. As we know that antivirus software is working reactively i.e. can only
identify the viruses which have been previously identified. PSDs can bring a new virus
that would be nearly impossible to be detected and prevented by the antivirus
software.

Malicious Software: Besides viruses, the ability of PSDs to store and retrieve text and
multimedia based information would create new problems for the corporate world to
look after the malicious software more carefully and aggressively. User can bring in
unauthorized software or data files like shareware programs, software pranks, MP3
files, video clips, pornography etc that would ultimately affect productivity and
increase the violation of corporate security policy. Previously due to the limited storage
capacity of floppy disks, it was not possible to visibly affect the productivity etc.
therefore any one use USB device to upload potentially harmful software or viruses
into the company IT infrastructure.

Data Theft: There is a direct relationship between the storage capacity and the quantity
and quality of data theft. Heavy and portable media storage media would increase the
quality and quantity of data theft from more than one locations inside an organization.
One can easily figure out the total volume of data that can be stolen from an
organization on a pen size storage device. For example, Continuity Central explained
that an average word processing file is 3 pages in length and between 25K and 30K.
That means a 20MB MP3 player could hold over 750,000 documents. Therefore any one
can bring the PSDs and download hundred megabytes of proprietary information.
More precisely, one can now easily move the important files from office to home on
PSDs, DVDs or other removable media.

No Encryption: Nearly all the mobile storage device users do not use any form of
encryption algorithm to protect their data.

Data Loss: On the other side the portability and size of PSDs opens the new doors of
data loss that could fall into the wrong hands. Most of these devices don’t have any
satisfactory or nil built-in security features that could help to protect the data. These
devices loaded with important data / information can easily be stolen and even
borrowed. Therefore there storage is another issue need to be discussed in detail.

Nearly invisible: The size of the PSDs is another security threat. No biometric device
can detect them and its nearly impossible to note their movement to and from an
organization. More precisely, a 5GB USB storage device is less than the half of the size
of Yo-Yo and features a real disk drive spinning at 3600 rpm.

3|Page
Beyond everything: Different forms and shapes of USB supported devices are
increasing day by day and creating equal problems for the corporate world. A fast
changing scenario from plug and play to plug and steel now has different faces to look
after. For example USB ports accommodate Cameras, modems, network interfaces,
printers, adapters, audios, Bluetooth, cables, CD-RW, data transfer, extenders,
enclosures, forensic, telephones, scanners etc.

Bulk endpoints (USB ports): While looking at most of the hardware, we can see that
most of these single systems have up to eight USB ports or multiple entry points into an
enterprise IT network (but if one uses the USB distributors, than he/she can create as
many USB ports as he/she wants) Built in feature of plug and play configurations of
famous and widely used operating systems like Microsoft windows XP has made the
situation further aggravated and almost all the Operating Systems provide a native and
seamless support for USB devices. All the USB mass storage devices are supported by
usbstor.sys in Microsoft windows sever 2003, 2000 and XP software, which is loaded
using PnP hardware identifies (HWID) matching in usbstor.inf.

Lightening Speed: The heavy storage facility when comes with high speed than
information security management would be like playing tennis on the soccer ground.
The most recent revision of the USB 2.0 specification works at the speed of 480 Mbps. It
should be clarified here that USB speed mean the maximum speed of the USB interface
on a USB device or USB port and this actually have nothing to do with the USB device
itself.

Audit Limitations: Most of the corporate networks do not audit what data a user
copies to a local machine or attached device.

Physical Access Control: It would be really difficult to prevent the employees bringing
devices and media into the office. As discussed, they can be easily missed in a pocket,
briefcase therefore keeping these devices out of the company is virtually impossible.

No group Policy Implementation: One cannot manage the PSDs via group policy.

Customization: Small size, more customization look and built in features have made
the PSDs more undetectable in normal conditions. They are being produced at the
larger scale in the shape of pen, key chains, lighter, mobile phone, cameras, MP3 etc.

Possible Solutions: Practically speaking, it’s nearly impossible to protect the corporate
data from all those USB based PSDs. The information and information systems security
is very dynamic field, opens new chapters on new security threats and risks. Their
success and failure largely depends how it is managed?

4|Page
While discussing the security aspects I would give due weightage to the management and
social engineering aspects of information systems security.

Proper Management: The role of administrator and higher management always comes
first followed by other administrative issues. Management through IS policy
formulation and implementation can successfully reduce (minimize) the chances of all
those threats and risks produced by PSDs. More precisely what a corporation can and
cannot enforce and protect through the use of simple, usable and easily managed
security solutions. The breach of any privacy and human rights legislation would
produce enormous problems and difficulties for the corporations, which would result
into the loss of competitive advantage and productivity.

Social Engineering: This non technical kind of intrusion is getting more importance
and attention from the security policy makers. Employee’s education and awareness
plays more solid role than simply configuring your systems with certain restrictions
and limitations which can be easily compromised. For example: security features and
configuration designed and implemented in windows based operating systems can be
easily bypassed by installing the LINUX operating systems through a CD drive. The
user than excess all the files and download them on USB based PSDs. Afterwards; he
can restore the previous windows operating system by simply removing the Linux CD
and restarting the system. Briefly speaking, social engineering is concerned with
‘Educating your users’.

Logging the downloaded files: The most effective technical aspects which will help to
supervise the usage and movement of data files is if an administrator log each and
every amount of data files that a user downloads from different sources. The access to
log files should be properly controlled and monitored.

Password protected: Well at a basic security level and to encourage the usage of USB
based memory sticks, it would be safe if the security policy clearly defines and
encourage the usage of passwords on storage media, which are loaded with corporate
data and information. Further, information in encryption form would be more secure to
be used and stored for longer period of time on the USB based devices.

Third part software: Devicelock: It’s a software based solution that can control USB
device permissions. It actually enforces granular controls over a broad range of host
devices and ports.

Disable USB ports: At the most primary security level, one can disable or restrict the
usage of USB ports.

5|Page
Summary:

One cannot deny the advantages and benefits associated with the USB based PSDs but one
thing is clear that it needs to be looked-after properly and given an equal importance and
space in the corporate security policy. While reading the various related papers I found that
the security over PSDs is more focused towards the supervision and less on controls.

The availability of enormous storage capacity in PSDs have not made them the primary hard
disk solutions but they are being used in conjunction with the primary storage devices. The
portability, durability and non-volatility, user friendly, cheap and appeal have made them a
near substitution to laptops.

The subject transient storage devices are still being used at a larger scale without the backing of
a proper standard protocol. The IEEE is in the process of developing the protocol for
Authentication in Host Attachments of Transient Storage Devices (P-1667), which will define
the methods for authenticating PSDs when they are connected to host computers in Corporate,
Governments, and Academics etc.

Regarding the use of USB based PSDs for logical and physical access purposes; I found that
come corporations are using these memory sticks to store passwords and even fingerprints to
access the corporate information system and strategic locations. Once entered into the USB
port, system will detect the password and allow the access. Likewise a built-in finger print
reader will allow the person to hold the finger on the fingerprint pad followed by entering the
memory stick in the USB port for necessary physical and logical access.

A more detailed research on the risks and advantages associated with the USB based PSDs
being used in a specific industry and the associated policy and tools employed to protect the
lager corporate data, would provide more concrete proof on these solid state storage devices

Thanking you

Aijaz Ahmed Shaikh

6|Page
Ready References:

1. IEEE Standards Association:

http://standards.ieee.org/announcements/pr_p1667.html

2. Continuity Central:
http://www.continuitycentral.com/feature0184.htm

3. Linux and USB project:

http://www.linux-usb.org/

4. Microsoft Corporation:
http://www.microsoft.com/whdc/device/storage/usbfaq.mspx

5. lab mice.com
http://labmice.techtarget.com/articles/usbflashdrives.htm

7|Page