USB-stick... friends or foes ?

 
Super SysAider
63
 
I've noticed that there is a good portion of Sysaiders that believe in locking the USB ports. I think it is rather interesting, but understand the reason. USERS DON'T LIKE TO LISTEN WHEN WE SAY, "NO EXTERNAL DEVICES." One of our policies says that nothing may be imported from an external source that has not been approved by the organization. Do you know how many times I remote into a computer and find a personal picture set as the desktop background? When we ask, "Where did that come from?" the typical response is, "What do you mean?" Then a lecture about the security implications starts and we end up having to be the bad guys when we tell them to remove it from their computer. Most think that if they e-mail it to themselves, then it is ok. That still counts as an unapproved external source. aaaarrrrgggghhhh It's enough to drive you mad. Only a small handful of people are allowed to have such things, and they are the ones on top of the totem pole. We don't say anything to them. What's funny is that most of the higher ups prefer to lead by example and have the standard Windows provided backgrounds on their computers. I laugh and cry at the same time.
Genius is more often found in a cracked pot than in a whole one.
E. B. White
SysAid Wiz
915
 
Drako...
We haven't gone that far... but users have this habit of trashing their own freedom by misusing it. It's not funny if you have Jessica Alba half naked on almost every screen (with different poses of course...) when you try to be professional in front of clients...

McBackett...
Wow... SysAid in an IT security company. So SysAid passes your criteria for a secure product?
Super SysAider
68
 
Obelix wrote: McBackett... Wow... SysAid in an IT security company. So SysAid passes your criteria for a secure product?


I will answer on the behalf of 'McBackett'.

Well, Sysaid was implemented into our company before I took charge, but to be honest they're heading in the right direction. Hopefully they can keep up the good work as well as the pace.

There is so much to ask for, but is everyone actually using Sysaid to its full potential? We're certainly not!

This message was edited 1 time. Last update was at Jul. 15, 2008 07:46 AM

"REEEEBOOOOOOOOOOOOOT!"
SysAid Wiz
583
 
We have no free USB drives. The company will only provide USB sticks to individuals such as myself who 1) have the authority to remove/copy data from the network, 2) can check for viruses etc. Were someone to request the removal of data to a memory stick, it would first have to be approved by their line manager, then the stick would be given to us to make the copy so that we can track and keep a register of all movement of files from the network. After the time that the stick has been allocated, or the previously agreed amount of time the file has been requested for, we will also take the stick again to ensure removal of the file.

Half of this is a pointless exercise because they could simply copy the file to the home machine but hey-ho!

We are more careful that all sticks placed in the network and files travelling in/out are checked for viruses. The same as any CDs/DVDs that are sent out or received.
When the going gets tough, the tough get SysAid
SysAid Wiz
915
 
I have recently been forced to extend this policy to the purchasing dept.

I told them my preference of peripherals is ones that do not work with USB. So if we bought printers or scanners we go with parallel ports. Keyboards and mice we go with PS/2... so on.

I know it's nuts cause USB is more and more ubiquitous in nature, but I caught a user unplugging a scanner from a PC so he can load "work files" from his personal USB stick to that PC!

Unbelievable...
Super SysAider
68
 
We have tight control policies within our environment where only certain authorised members can use ONE particular USB stick that is owned by the company and encrypted (with endpoint control policies applied also).

This ensures that if the USB stick gets in the hands of another individual then they will not be able to use the stick or 'steal/move' the data.
"REEEEBOOOOOOOOOOOOOT!"
SysAider
13
 
I am just blown away by how paranoid some IT departments are.

Myself, I have found in my many, many, many (too many) years in the field, that restricting things just makes the users try harder to find a way around it. Rather, I provide USB items like jump drives, and 10-20 minutes of instructions on how to use them, when to use them and so on. This has proven to be the best by far route, as I do not end up dealing with virus attacks, stolen/lost jumpdrives, or lost/stolen company data. The users are smarter about how they use them, and respect the "trust" put in them.

I have always fought against tying down networks and data transfers. It is to the detriment, not the benefit, of our users, and ultimately our security to treat people like children. Put a fence up, someone WILL climb it, put a gate in the fence that says "come on in, here are the rules" and they will use that and respect the rules posted.


*PS* We just started to beta test the SysAid product for our internal help desk, and so far I've found nothing but love for it. It is far superior to some of the Oracle front ends, and leaps and bounds better than HelpStar and its like.

SysAid Wiz
915
 
Define "many, many, many (too many) years"...
SysAider
13
 
Obelix wrote: Define "many, many, many (too many) years"...


Coming up on 25 years of server side and desktop support, 5 of that done in network security with a major bank. Heck, I date back to the days of fidonet and birdnet (that's pre-internet BBS 'email' systems, very crude setup that ran on the university backbones and a 'cloud' of joined-by-modem BBS sites)... I am old

SysAid Wiz
915
 
And I'm happy for you...
*raise a cold cold mug of coke and smile*

This message was edited 1 time. Last update was at Sep. 04, 2008 10:41 AM

SysAider
13
 
Obelix wrote: And I'm happy for you...
*raise a cold cold mug of coke and smile*


I am curious, why do you lock down USB so tightly? Is it a company thing, or are there legal concerns (i.e. DOD, DOJ, etc.) that control what you have to do?
SysAid Wiz
915
 
If you have to ask, sir... you'll never understand.
Which makes a lot of sense knowing your philosophy.

I'm not being sarcastic or patronizing.
I believe you, cause 25 years ago... I'm still jumping off fences in my Superman suit whose briefs stretch to my thighs.
*giggles*

I'ven't (did I just invent a new word???) seen them all...
Won't try to claim I have.
*slight bow wider smile*
SysAider
2
 
techguy wrote: I wish Windows had an out of the box group policy for permitting rights to the USB ports only for certain users on certain machines, then I wouldn't have to disable in the BIOS all the USB ports and password protect them to comply with data theft regulations.



Actually, you can set group policies to disallow executables to run on certain workstations. We lock down public workstations using this method.
The better way might be to only show the drives you want to be seen... there is a registry edit that can be used to hide drives.

This message was edited 2 times. Last update was at Oct. 07, 2008 08:50 AM

SysAider
40
 
We are a medical practice, and as some may know, HIPAA security is very very important. (Protecting patient information).

Locking out the USB ports is a GREAT idea, however, it seems computer mfgr's are trying to move to USB as a standard.
Currently our PC vendor has eliminated the normal mouse and keyboard ports on the PC. Everything comes USB now.
I'm sure we could, maybe for a little extra money, get our normal ports back, BUT, I can see down the road in the future everything being USB.

-------------------------------------
Julia - HCNW
-------------------------------------
SysAid Wiz
915
 
Indeed...
Newer motherboards now list USB stick as one of the media you can boot from. I don't know if I should cheer or grieve.

We don't have such powerful gov policy down here but cases of people abusing this otherwise cool device are piling up.

Luckily anti malware vendors also see this dilemma and have already started the effort to tackle this problem. Some use applications that work tightly with the OS and could give access only to specific USB sticks, some produce custom USB sticks that work like a dongle.

Some common sense, like never EVER letting users have local admin rights, also helps a lot.

If you've got a gov policy to back you up, can't you use that to "demand" the PC vendor to provide "policy compliant" hardware?