Posted by: Robert Vamosi
Post date: 2/6/2007
In their talk at the RSA Conference 2007, Dennis Szerszen of SecureWave and John Geldman of LexarMedia discussed the pros and cons of allowing USB devices into the workplace. Geldmen thought that Gartner's recommendation a few years ago to ban all USB devices was unlikely. Szerszen cited the rise in popularity of iPods and BlackBerrys as examples in the workplace. The dark side is that enterprises are losing data due to thefts, lost USB devices, and finally, lost productivity from messed-up PC hard drives. Geldman noted that USB devices present themselves to the PC operating system not as they are, but as something the operating system will recognize such as a removable hard disk drive, a hard disk, a card reader, or even a CD-ROM. This is done based on what the manufacturer wants the USB device to do, how fast it needs to move data, and so forth. But it also can lend itself to USB drive spoofing, which can allow a malicious user to circumvent security and place malware on a PC. Geldman cites new standards, such as MSC Lock, TCG, and ATA Lock, as ways in which USB device makers can better secure the device. Szerszen says enterprises should think about what USB devices they'll allow on their systems. It's no longer a question whether they will; his research shows that currently the average employee has roughly 4.5 USB devices at his or her disposal, from Flash drives to iPods to mice. As an example, Geldman showed a picture of an innocent USB device that is a limp puppet and whenever one of his IM friends comes online, the puppet stands to attention.