Will you then also work to disable the following:
* FireWire ports
* Writable CD/DVD drives
* PCMCIA/CardBus slots
* SD Card/Memory Stick/etc. slots
* Internet access (Hotmail, Gmail, Yahoo Mail, FolderShare, and so on)
* Printers and photocopiers
* Digital cameras
* Telephones

You see, there are many ways people can export data from your organization.
You're looking at only one mechanism.

For most of the history of computer security, we defenders have been
struggling to keep the bad guys out. Well, we've reached that point -- with
modern operating systems and properly-written applications, the bad guys
indeed are mostly kept out.

Now, for various reasons, we've had to turn our attention to a completely
different kind of task -- applying more controls over what authorized users
can do with data they're allowed to see. Think about this for a moment! It's
a completely different task, one that requires new thinking, new processes,
and new technologies.

You can't use old-style bad-guy-prevention methods anymore. Attempting to
limit "containers" (be it the network or a PC or a memory module) has
limited utility here. Instead, we must adopt new methods that allow data
sources to protect themselves. Essentially, the notion of portable access
control, where the object -- in this case, a file -- controls its own access
and enforces its own policies, rather than relying on the container -- a
file share.

Yes, this is rights management. IMHO, it's the only way we can truly start
to mitigate the "authorized user threat" (I hate that term, but so far
haven't come up with anything better). Implementing such a system -- say,
Windows RMS -- requires a fundamental shift in thinking about the roles and
work of information security. But I don't see any other way. Blocking USB
drives just won't cut it: you'll simply create what I call a "circumvention
vulnerability," something that encourages users to look for ways to get
around the security policy. And I promise you, they'll find many.
--
Steve Riley
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
"yepiknowiam" <(E-Mail Removed)> wrote in message
news:376C801A-FB6D-411C-BC6E-(E-Mail Removed)...
> Trying to prevent users downloading possibly sensitive files/information
> and bringing it home to work on. They could easily lose a thumb drive and
> we are a financial institution. It's a preventive measure. I believe there
> are many risks with USB devices.
>
> "Steve Riley [MSFT]" wrote:
>
>> Every time I see this, I have to ask: why do you want to do this? What
>> security threats are you trying to mitigate by disabling USB storage
>> devices?