" GFI s EndPoint Security controls USB device activity;
providing full auditing and device control
" Aladdin s USB Port Protector restricts the types of
USB devices connected to the end points of the
company infrastructure. However, this product
does not provide encryption or restrictions on size
of files transferred to the USB devices
" Safend offer a number of products to enhance USB
security. Safend do not offer a complete all in one
solution, each product performs an individual func-
tion. However, Safend do offer USB port protec-
tion, USB data encryption and auditing of USB de-
vice activity
" CDLock by Smartline restricts the types of remov-
able media to be used on a desktop PC. Restrictions
can be based on the the types of devices utilising a
USB device white list of acceptable devices and
also based on the time of day. Permissions can be
set via the Active Directory Group Policy and also
granted on a temporary basis
" SecureWave s Sanctuary Device Control software
offers a number of features in a one product solu-
tion. Port protection focuses on a number of com-
munication ports including USB, FireWire (IEEE
1394) and IrDA. Policies and restrictions can be set
through the Active Directory Group Policy. The
software also offers auditing of device activity and,
importantly, data encryption on sensitive data.
USB device security control software

There are several products available that may offer a number of features to enhance USB device security. The features of some of the products are listed below. Product selection should be based on individual requirements.

The technical features to enhance USB device security are as follows:
• Devices are restricted by user, user group and machine-specific access control lists
• Configurable device white list to prevent installation of unknown devices
• Full protection for disconnected and remote computers
• Customizable event notification when access is denied
• Auditing and reporting functionality
• Device restriction on a variety of communication ports and devices
• Silent installation and deployment using MSI technology
• Easy encryption mechanism without the necessity of installing additional software
• Ability to integrate biometric authentication.
Restrict access to vital files and folders on critical servers

Files or systems vital to the company should be deemed restricted, and access should be limited to those who require regular and/or frequent access. Access to critical files and folders should be granted and removed in accordance with the role, and as soon as possible, to maintain access controls.

Access to files and folders can be monitored and automatically restricted through the use of the following systems:
" IDS File access should be monitored
by file access logging or by installing
host based intrusion detection systems
on the relevant servers. It is vital that
the IDS policies are tuned to ignore
unimportant information and that
adequate notification is sent to system
administration teams as and when
necessary. Custom alerts may be set up
to alert on the unauthorised copying of
data files from the server.
" Identity Management - Access to files
and folders within an Active Directory
environment can also be controlled
within the Group Policy for users or
computers. Insight Consulting recom-
mends either an IDM solution or
through changes to the Active Directory
Group Security Policy. It is very impor-
tant to note that any monitoring and
logging system requires additional re-
source to examine the log files and in-
vestigate alerts. There will be no advan-
tage gained in deploying an IDS system
and enabling high level logging on criti-
cal systems if the log files and monitor-
ing systems are not periodically checked
for alerts and anomalous activity.
Limit the size of data transferable to USB storage devices

As part of a technical solution for mitigating the risks of USB devices, some software products are capable of limiting the size of files copied to a USB device. This solution is fully configurable. Products such as Sanctuary Device Control by SecureWave provide this functionality. The ideal configuration would be to set the maximum allowable transfer size to be less than the size of the smallest critical file.
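Added example (not code from this paper or from any of the products named in it) of the decision logic that the feature list and the transfer-size limit above describe: a device white list, user/group/machine access control lists, a time-of-day window as with CDLock, and a maximum transfer size kept below the smallest critical file, with each decision written to an audit line. All policy values, device identifiers, user and machine names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical policy-evaluation logic of the kind the paper attributes to
# device-control products: white list, user/group/machine ACLs, time window,
# maximum transfer size, and an audit line per decision. Values are constructed.

@dataclass(frozen=True)
class Policy:
    whitelist: frozenset   # permitted (vendor_id, product_id) pairs
    users: frozenset       # users granted access directly
    groups: frozenset      # groups granted access
    machines: frozenset    # machines on which access is permitted
    hours: tuple           # (start, end) permitted time-of-day window
    max_bytes: int         # keep below the size of the smallest critical file

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    machine: str
    device: tuple          # (vendor_id, product_id) of the connected device
    at: time               # time of the attempted copy
    size: int              # bytes the user is attempting to copy

def evaluate(policy: Policy, req: Request) -> tuple:
    """Return ('allow'|'deny', reason); checks device, principal, machine, time, size."""
    if req.device not in policy.whitelist:
        return "deny", "device not on white list"
    if req.user not in policy.users and not (req.groups & policy.groups):
        return "deny", "user and groups not permitted"
    if req.machine not in policy.machines:
        return "deny", "machine not permitted"
    start, end = policy.hours
    if not start <= req.at <= end:
        return "deny", "outside permitted hours"
    if req.size > policy.max_bytes:
        return "deny", f"transfer of {req.size} bytes exceeds limit {policy.max_bytes}"
    return "allow", "policy satisfied"

def audit_line(req: Request, verdict: tuple) -> str:
    """Audit-trail record; a deny result is what event notification would send."""
    vid, pid = req.device
    return (f"user={req.user} machine={req.machine} device={vid:04x}:{pid:04x} "
            f"size={req.size} result={verdict[0]} reason=\"{verdict[1]}\"")

# Constructed sample policy: one approved stick, office hours, 1 MiB transfer cap.
POLICY = Policy(frozenset({(0x1234, 0xABCD)}), frozenset({"alice"}),
                frozenset({"Finance"}), frozenset({"PC-042"}),
                (time(8, 0), time(18, 0)), 1_048_576)
```

Any of the five checks failing yields a deny with a reason, so the audit line doubles as the notification payload the feature list calls for.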
Enforce acceptable usage policies for USB device usage

As part of any other security mechanism installed into a company's IT infrastructure, policies should be put in place so that employees are fully aware of acceptable usage. There should be a separate section within the IT security and acceptable usage policy on data retention on laptops and other mobile devices. The important aspects of the acceptable computer usage policy of note are:
• USB devices should only be used for transfer and not for storage
• Data on mobile devices should be transferred to data servers at regular intervals
• Data should not be transferred from servers to USB media if unauthorised to do so