State agency moves to plug USB flash drive security gap

State agency moves to plug USB flash drive security gap
State agency moves to plug USB flash drive security gap 

By Brian Fonseca
March 17, 2008 

Security officials are issuing USB flash drives to workers in the state 
of Washington's Division of Child Support as part of a new security 
procedure established to eliminate the use of nonapproved thumb drives 
by workers collecting and transporting confidential data.

The state has so far distributed 150 of 200 SanDisk Corp. Cruzer 
Enterprise thumb drives to unit supervisors in the division who manage 
collections teams in 10 field offices, said officials (see also "Review:
7 secure USB drives" [1]).

Brian Main, the division's data security officer, said the new drives 
promise to help officials keep better track of mobile data by 
integrating them with Web-based management software that can centrally 
monitor, configure and prevent unauthorized access to the miniature 
storage devices.

"We do periodic risk analysis of our systems, and one of the things that 
came up is the use of thumb drives -- they were everywhere," said Main. 
"We had a hard time telling which were privately owned and which were 
owned by the state." He also said that officials had difficulty keeping 
track of what data was stored on the workers' thumb drives.

Main said the division plans to manage and back up the new drives using 
SanDisk's Central Management & Control server software, which will soon 
be installed at the division's headquarters in Olympia. The software, 
which relies on a Web connection to directly communicate with agents on 
the tiny flash drives, can also remotely monitor and flush any lost 
drives, he said.

Each field office will run a copy of the software to handle localized 
management needs, he said.

Officials in the division's training operations will get Cruzer 
Enterprise devices with 4GB of memory to store large presentations and 
screenshots. Enforcement personnel will get devices that store 1GB, Main 

Main said the division first looked at Verbatim America LLC's thumb 
drives in its effort to improve security but ultimately turned to the 
SanDisk technology because of its support for Microsoft Corp.'s Windows 
Vista operating system.

Cruzer Enterprise provides 256-bit AES encryption and requires users to 
create a password upon activation. The device automatically deletes all 
of its content once someone has tried 10 times to access it using 
incorrect passwords. Main said the self-encrypting capability was 
removes the "human component" from managing confidential data, a key 
feature for the agency.

The Division of Child Support collects about $700 million annually in 
child-support payments form noncustodial parents. The agency, part of 
the state's Department of Social and Health Services, manages 350,000 
active child-support cases annually, noted Main.

Sensitive data transported by off-site workers includes tax documents, 
employer records, criminal histories and federal passport data of some 
agency clients, Main said. At the least, he noted, the drives include 
the names, dates of birth and Social Security numbers of children 
serviced by the agency.

The state began rolling out the Cruzer drives late last year after 
recalling the thumb drives used by workers. Most of those had been 
purchased independently by the employees, causing myriad problems for 
security personnel, Main said. The new policy requires workers to use 
the drives supplied by the agency. Main said he eventually plans to 
destroy all existing thumb drives collected as part of the security 
policy change.

Most companies are too enamored of the convenience, portability and low 
cost of USB flash drives to consider their threat to security, said 
Larry Ponemon, chairman of Ponemon Institute LLC, a Traverse City, 
Mich.-based research firm.

"I think a lot of organizations are asleep at the switch. They don't see 
this as a huge problem, and it obviously has the potential to be the 
mother of all data-protection issues," said Ponemon. "A lot of 
organizations believe if you have a good [security] policy and you 
educate people and ask them to be good, that's sufficient. The reality 
is, thumb drives create a lot of uncertainty because they contain 
enormous an amount of information."

A December 2007 survey of 691 IT security practitioners by Ponemon 
Institute asked respondents if they believed most employees would report 
a lost laptop or memory stick. While 78% said that employees would 
likely notify IT about a lost laptop, only 25% expected that workers 
would report a lost USB flash drive.

"The general perception is no one will report a lost USB memory stick 
because they're so cheap -- and the embarrassment factor. It's hard to 
even know all the different instances where information [on them] is 
lost or stolen," remarked Ponemon.

The agency is in talks with ControlGuard to deploy the security 
provider's Endpoint Access Manager Server and Endpoint Agents across its 
network. Access Management Server sends security policy information from 
a central location to agents installed at specific data points to 
enforce protection and monitor activities. Main said the technology 
would allow his office to restrict authentication and control data 
output access on PCs, hard drives and printers.


Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods