The real issues surrounding the management of USB removable media devices.

Date post: 26-Mar-2016
Upload: dci-ag
White Paper

DATA THEFT, DATA LOSS, AND THE INTRODUCTION OF UNWANTED OR MALICIOUS CONTENT: The real issues surrounding the management of USB removable media devices.


Content

Introducing the Latest Technology
  Scope
  Context
  XP Migration
  USB removable media device adoption
  Expanding the possibilities
  If unprotected, be afraid, be very afraid...

The Insider Threat

In the Press
  Business examples to support ‘The Insider Threat’.
  “Social Engineering, the USB Way”
  “Stolen military data for sale in Afghanistan”
  “Mission Impossible at the Sumitomo Bank”

Proactive Solutions
  What measures have organisations put into place?
  Take back control
  Reflex Disknet Pro
  Value-added service

Scope

In this white paper we will discuss the real issues surrounding why it is imperative that organisations manage the use of USB removable media across a network or standalone environment.

We will examine a number of documented scenarios with organisations ranging from government departments to military bodies to financial institutions that have been brought to their knees through lack of sufficient security measures that tackle the most common cause of network breach or data leakage: ‘The Insider Threat’.

Context

Before looking in greater detail at these examples, it is important to visualise the scope of this problem to help us understand why and where this new ‘insider threat’ now exists.

We see two key factors that have led to the need for what is often referred to as ‘end point security’.

• XP Migration

• USB removable media adoption

XP Migration

As organisations continue to migrate from Windows 2000 to Windows XP, we are beginning to see a familiar pattern develop. Operating Systems that promote ‘plug-and-play’ device capability have exposed the need for increased security measures.

Numerous articles have been published in the press highlighting network breaches or data loss associated with unmanaged USB removable media devices. Many believe that we have only seen the tip of the iceberg where this threat is concerned.

Introducing the Latest Technology

USB removable media device adoption

USB flash drives have evolved from their initial use as marketing ‘give-aways’ to devices capable of addressing corporate needs, ranging from mobile computing platforms to file storage of immense capacity.

Winson Yu, Vice President of Sales in North America for reseller USB007, said he has watched thumb drives evolve at a staggering pace. Yu began his career 20 years ago selling 5MB hard drives for IBM. Today, he sells thumb drives half the size of a stick of gum with 8GB capacity. The size of USB drives is expected to jump to 16GB capacity by the end of 2006. It is clear that business uses of USB thumb drives are expanding.

As stated in Computerworld, Joseph Unsworth, a principal analyst at research firm Gartner Inc. in Stamford, Conn., said he too sees growing thumb drive use in the corporate ranks. Unsworth said drive adoption is about to see another big boost from Microsoft’s forthcoming Windows Vista operating system, which, through its ReadyBoost function, will allow thumb drives to cache applications for faster computer boot times. In some cases, ReadyBoost-enabled computers will start twice as fast as conventional systems.

These USB Removable Media Devices come in a variety of forms, from wacky to techy sleek, and with the capability to store entire desktops for mobile computing. There are models that display available capacity and even waterproof drives for scuba divers to carry personal medical information.

This USB drive from reseller USB007.com displays the owner’s identity and the capacity remaining on the drive.

Photo - http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002563

If unprotected, be afraid, be very afraid…

Kanguru Solutions in Millis, Mass, has jumped ahead of the pack with its Kanguru Flash Drive Max, which comes in 16GB, 32GB and 64GB versions. The only catch is that today, such capacity comes at a price: $800 for 16GB, $1,500 for 32GB and $2,800 for 64GB.

Expanding the possibilities

Over the past two years, the thumb drive has outpaced other hardware devices in terms of storage capacity growth by one and a half times. As stated in Techworld, according to Gartner, more than 110 million USB thumb drives will be shipped worldwide in 2006, accounting for more than $3 billion in sales. By 2008, the number of flash drives shipped will have increased to 155 million a year.

Alongside this phenomenal growth, USB drive capacity is outpacing Moore’s Law by doubling every year instead of every 18 months. Storage capacity is expected to leap from 16GB for most manufacturers by the end of 2006 to 32GB in 2008. Most importantly, the cost to purchase these drives is ever decreasing. As a result, USB flash media is becoming part of every employee’s tool kit.

[Figure: sold USB devices [m] and USB cost based on 128 MB device [£] by year, including projected figures]

USB removable media are a business requirement – and readily available. But at what cost?

It is common knowledge that USB removable media has become a vital tool in the workplace. Flash media sales support this view. However, business demand and a deep focus on security have not met to address this internal threat.

In August 2006, Ponemon Institute LLC released a survey that revealed that more than 53% of respondents believed that their companies would be unable to determine what sensitive or confidential information resided on a USB memory stick if it was lost or stolen.

According to a study conducted in 2005 by the Philadelphia-based Computer Security Institute and the San Francisco office of the FBI, losses from unauthorised access to computer systems and intellectual property theft totalled $130.1 million for the companies polled.

The same survey showed that the loss per incident of unauthorised access went up six-fold to $300,000 in 2005 from $51,000 the previous year. The ‘insider threat’ is growing.

The ‘Insider Threat’

Consider the following scenario. A good looking woman is wandering around your premises and approaches you asking you to show her how to use some functions in Excel or any other application. Do you start questioning who she is and what department she comes from, or do you invite her to your PC and show her what she needs to know?

Let’s say you choose the latter, and then she asks you to get her a drink. Would you leave her unattended at your PC, or would you ask her to accompany you?

If you leave her unattended at your PC, how long would it take for her to insert a USB device and install a Trojan horse, key logger, or any other application to steal information or gain access to the rest of your corporate network? By the time you return she may have installed all sorts of surveillance applications and have the ability to access classified information whenever she feels like it from her home computer.


This is not such a far-fetched scenario, especially in large organisations with no real physical security beyond the reception. According to this year’s CSI/FBI survey on Computer Crime and Security, more than $30 million worth of damage was caused by insiders stealing proprietary information. FBI and other security analysts still maintain that the majority of threats originate from insiders or people with insider privileges.

Kevin Mitnick, a notorious hacker from recent years, explained in his testimony to a senate panel on computer security: “When I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it is money wasted, because none of these measures address the weakest link in the security chain.”

Consider an even simpler scenario, where a promotional CD is sent to an employee, for example, a secretary or data entry clerk. Would they think twice before running it on their PC? It may have a stealth application embedded that secretly installs itself onto that PC and may spread across the network, giving criminals access to your most sensitive information.

The above is a real example: the BBC reported an event that took place in Israel, in which a Trojan horse was planted into a number of organisations by competitive companies and by parent companies.

In one particular company, a CD was sent to an employee with the same Trojan embedded in it, and without a second thought the employee’s curiosity caused him to run the CD and see what he had received. Of course, without his knowledge, the Trojan had installed itself onto his PC, gradually found its way around the network and transmitted data regularly back to the originating company.

These are just a couple of examples where company networks have been easily infiltrated from within or by insiders and suffered major financial damage, which in extreme cases have been difficult to recover from.

Alternative names for USB flash drive - http://en.wikipedia.org/wiki/USB_flash_drive

Bug • Chip Stick • Clip Drive • Clip Flash Drive • Data Key • Data Stick • Disk on Key • Flash Disk • Flash Drive • Flash Memory Drive • Geek Stick • Geek Whistle • Gigachip • Jump Drive • Jump Stick • Jumper • Key • Keychain Drive • Keydrive • Keyfob • Magic Key • Magic Stick • Memory Drive • Memory Flash • Memory Key • Memory Stick • Micro Hard Drive • Mobile Drive • Nerd Stick • Pen • Pen Drive • Pocket Drive • Stick • Stick Drive • Thumb Drive • Thumb Key • Travel Stick • USB Disk/Disc • USB Drive • USB Key • USB Pen • USB Stick • USB • USB Zip Drive

Business examples to support ‘The Insider Threat’.

Having examined the issues surrounding I/O device management, and the overall growing awareness that is developing within the space, we must now take a closer look at some cautionary tales that highlight the potentially devastating effects often associated with ignoring this internal threat.

We have focused on three main examples that demonstrate these security risks. Each scenario either led to significant network downtime and unnecessary additional workload for IT personnel, or more seriously data theft/loss resulting in damaged reputation and more importantly irreplaceable consumer confidence.

“Social Engineering, the USB Way”

- Dark Reading, June 07, 2006 -

In June 2006, Secure Network Technologies worked in conjunction with Dark Reading to expose the reality of ‘The Insider Threat’. Utilising social engineering methodology, it was discovered how easily organisations could be affected by unmanaged USB removable media, exposing this modern day vulnerability. While a lot of people had raised concerns surrounding data theft and the risk of potentially malicious code being introduced into the network, very few, if any, had done anything about protecting themselves from USB devices.

Years of give-away thumb drives were collected by Secure Network Technologies technicians and imprinted with special software. A Trojan was created that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the information back to the Secure Network Technologies site.

A Credit Union in the United States was the target. The real challenge was to get the now malicious device in the hands of the credit union’s internal users. This proved to be the easiest part of the exercise by simply scattering them in the parking lot and smoking areas. The article highlights some interesting findings:

‘It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.’

‘I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.’

In the Press


‘After about three days, we figured we had collected enough data… I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers.’

The report concludes that of all the social engineering efforts performed over the years by Secure Network Technologies, the USB route was by far the most successful approach to infiltrate an organisation. It states:

‘You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off human’s innate curiosity. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.’


“Stolen military data for sale in Afghanistan”

- Los Angeles Times, April 12, 2006 -

The Los Angeles Times revealed back in April 2006 the shocking discovery of stolen U.S. military computer drives and USB thumb drives showing up for sale at local bazaars outside the base. It was reported that these included what appeared to be information about Afghan spies informing on Al-Qaida and the Taliban.

One flash memory drive, the Times reported, held the names, photos and phone numbers of people described as Afghan spies working for the military. The data indicated payments of $50 bounties for each Taliban or Al-Qaida fighter caught based on the source’s intelligence.

One particular drive, which a teenager sold for $40, also held scores of military documents, marked “secret”, which described intelligence-gathering methods and information.

The Times said that while the documents appeared to be authentic, it had not been able to verify the accuracy of the information independently. Other shopkeepers were selling memory drives as well, including one with the Social Security numbers of four American generals.

Approximately 2,000 Afghans were employed as cleaners, office staff and labourers at the Bagram base. Though they are searched coming in and out of the base, the flash drives were the size of a finger and proved to be easily concealed. Asked if any disks had been found, one soldier, who declined to give his name, said: “We are looking. That’s all I can say.”

Photos - http://www.msnbc.msn.com/id/12289823/ and http://news.bbc.co.uk/2/hi/south_asia/4905052.stm

“Mission Impossible at the Sumitomo Bank”

- The Register, April 13, 2005 -

A criminal gang with advanced hacking skills attempted to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo. The idea was to transfer the funds to 10 bank accounts around the world. In a Mission Impossible-style scam, hardware bugs were placed into the keyboard sockets at the back of the bank’s computers where they could not be seen, and the keyboards were then reattached to the hardware bugs. While a spokeswoman for the National High Tech Crime Unit (NHTCU) in London said: “No money has been lost,” a computer expert added, “The problem with this is that the skill sets of the attackers are very high.”

The ongoing investigation into the attack at the Japanese bank is now focusing on the use of sophisticated hardware devices, showing what may have been inserted into a USB keyboard port on some of the bank’s computers. The leads include a Walkman battery-sized device known as a hardware ‘keylogger’, which can be bought from spy shops for around £20, and can be connected to the keyboard. These devices can then download passwords and other data that is used to gain access to the computer system.

Due to the panic caused by the discovery of the keyloggers, many banks resorted to super-gluing keyboards and other devices into their computers. Is this moment of madness foolproof?


Proactive Solutions

What measures have organisations put in place?

Based on the results taken from the ‘Information Security Breaches Survey 2006’, it is clear that the threat posed by I/O devices is real. This survey states:

‘Removable media devices can hold large volumes of data, and reduced prices have made devices such as USB tokens and MP3 players affordable to all.’

Despite this, it was found that 55% of organisations have taken NO STEPS to protect themselves against the threat posed by removable media. The other 45% have disabled USB ports through either PC BIOS or Group Policy, effectively blocking the unauthorised AND authorised use of removable media devices. In addition to this, there are purchased solutions that provide for a more granular control of removable media storage than disabling USB ports through PC BIOS or using Group Policy.
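The three positions described above (no steps taken, removable storage disabled outright, or a more granular control) can be told apart on a Windows endpoint by reading a handful of registry values. The PowerShell audit below is an added example, not part of the white paper or of any product it mentions; it assumes the standard USBSTOR service key, the WriteProtect value introduced with Windows XP SP2 and the Removable Storage Access policy keys of later Windows versions, and it only reads settings.

```powershell
# Added example (not from the white paper): read-only audit of the removable-storage
# controls on one Windows endpoint. Paths and value names are standard Windows ones.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-UsbStoragePosture {
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $legacy  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    # Device class GUID under which the "Removable Disks" Group Policy settings are stored.
    $disks   = "$policy\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

    $start        = Get-RegValue $usbstor 'Start'         # 3 = load on demand, 4 = disabled
    $writeProtect = Get-RegValue $legacy  'WriteProtect'  # 1 = USB storage is read-only
    $denyAll      = Get-RegValue $policy  'Deny_All'      # 1 = all removable classes blocked
    $denyRead     = Get-RegValue $disks   'Deny_Read'
    $denyWrite    = Get-RegValue $disks   'Deny_Write'

    if ($start -eq 4 -or $denyAll -eq 1 -or ($denyRead -eq 1 -and $denyWrite -eq 1)) {
        # The blunt setting: the storage driver or the whole device class is switched off.
        $posture = 'BlockAll'
        $note    = 'Authorised and unauthorised storage devices are blocked alike.'
    }
    elseif ($denyWrite -eq 1 -or $writeProtect -eq 1) {
        $posture = 'ReadOnly'
        $note    = 'Data cannot be copied out, but content on a device can still be read in.'
    }
    elseif ($denyRead -eq 1) {
        $posture = 'NoRead'
        $note    = 'Content cannot be read in, but data can still be copied out.'
    }
    else {
        $posture = 'Unmanaged'
        $note    = 'No OS-level restriction on USB storage was found.'
    }

    # These values govern storage devices only. A keyboard-port hardware keylogger,
    # as in the Sumitomo example, is not affected by any of them.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Posture      = $posture
        Note         = $note
        UsbStorStart = $start
        WriteProtect = $writeProtect
        DenyAll      = $denyAll
        DenyRead     = $denyRead
        DenyWrite    = $denyWrite
    }
}

Get-UsbStoragePosture | Format-List
```

A port disabled in the PC BIOS is not visible in these values, so an 'Unmanaged' result describes the operating system configuration only.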

It is increasingly difficult for businesses to protect against all the threats employees pose to company security. While most employees are not malicious, it is without question that they do present a significant security risk through ignorance or complacency.

Take back control

Enforcement is the key to ensuring that the environment remains secure. It only takes one non-compliant device accessing a corporate network to render that network vulnerable to attack. As demonstrated in our cautionary tales, employees using devices to exchange data in order to carry out their daily tasks, or to simply satisfy their curiosity, can unknowingly place the entire network at risk.

More recently, companies have learned to take a proactive approach to the growing threat of plug-and-play devices. While user education and ‘paper policy’ are important, organisations are still highly vulnerable unless technological measures to enforce end user compliance are in place.

Reflex Disknet Pro is the only device management software that enables the secure use of removable media such as USB memory sticks – by providing hardware independent transparent encryption.

With the added benefit of inbound and outbound data protection, Reflex Disknet Pro allows businesses to harness the benefit of USB removable media without the risk of introducing malicious code or data loss/theft.

“The use of Reflex Disknet Pro has significantly reduced the burden on the IT department at Shepherd & Wedderburn. Its ability to tackle multiple security threats at the same time has enabled the company to rely on it almost exclusively to secure valuable data and fight malicious code. Even in today’s increasingly complex IT environment it has kept pace and remains our front line defence.”

– IT Manager - Shepherd & Wedderburn

Reflex Disknet Pro

Existing security tools may address areas such as anti virus, spyware, firewall, and host intrusion prevention. However, I/O device management must form part of this tiered security architecture to provide total protection against modern day security risks.

Reflex Disknet Pro is a Server>Client kernel driver technology that prevents access to any number of I/O devices such as USB removable media, CD/DVD, floppy, Bluetooth, hardware keyloggers, wireless adapters, printers, modems, and so on that are connected to company workstations without the appropriate authorisation. Roaming user ‘profile templates’ are created to mirror security policy that can be applied directly to Active Directory/eDirectory users or groups in the domain. Once a user logs on to the protected system, security rights are applied to the file system filter drivers that prevent unauthorised access to un-approved media regardless of whether the machine is on or off the network.

Reflex Disknet Pro is the market leading device management solution that focuses on the encryption of removable media, utilising military grade FIPS certified technology that enables hardware independent transparent encryption of data copied to USB storage devices. Security profiles or ‘policies’ are defined in the Reflex Disknet Pro Enterprise Server Administration Console. These policies enable administrators to enforce that ANY data written to ANY device type, irrespective of model or brand, is automatically encrypted, while offering the ability to access this data off-line through the use of a secure password.

Value-Added services

Many organisations make use of Reflex’s consultancy services in order to maximise the level of flexibility they offer. This service offers technical expertise, built on extensive experience, obtained from years of deploying device and application management solutions across a variety of organisations throughout the world. Reflex Magnetics Ltd. prides itself on maintaining the highest quality to ensure that service levels remain exceptional.

“The consulting service offered by Reflex was outstanding. Way before we had committed to buying anything, they worked closely with us to develop a solution that was fully tailored to our needs as a company.”

“The Reflex team delivered the installation and rollout on time. They not only had extremely advanced technical knowledge, but were incredibly helpful and friendly throughout the process.”

– Matt Cordina - Telecom Plus

– Peter D’Ardenne - Wing Commander RAF

© Reflex Magnetics 2006

Reflex Magnetics Limited
Telephone: UK +44 (0)20 7372 6666
Email: [email protected]
www.reflex-magnetics.com