USB Security Issues Illustrate the Last Mile Problem of IT Security

There has been a lot of news lately about USB security problems.  A recent Government Computer News article by William Jackson referenced the 2008 Pentagon breach, which began with a worm introduced from a USB flash drive.  Computerworld has an article by Darlene Storm that recounts several “USB security blunders”, including malware on free USB drives handed out as tradeshow giveaways.

USB devices and their use illustrate how little real information IT departments have about their endpoint populations.  It is a strange variant of the “last mile” phenomenon: organizations closely measure and monitor networks and servers, but have very little insight into what is on, or what is happening on, the endpoint machines that are the last mile of the IT architecture.

For example, our CTO Dave Hooks was at a customer site where he was told that USB keys were forbidden and that their use had been eliminated within the organization.  Dave promptly ran a report, easily produced from the data in the Triumfant repository, showing that a USB storage device had in fact been used on over 10 percent of the machines in the organization over the past two weeks.  This information certainly opened some eyes.

Because Triumfant scans for over 200,000 attributes per machine, the data needed to produce such a report is already on hand.  Unless an organization has Triumfant or some other means of collecting that information, it has no idea of the extent of such activity.  That is why the Computerworld article notes that agencies have resorted to gluing USB ports shut in the absence of actionable data.

When I write about Triumfant it is to educate on the capabilities of the tool, given that it is unlike other tools on the market.  The ability to report on machines that have used USB storage devices is a small but significant example of what Triumfant can do: provide information where there is a vacuum.  Information drives understanding, which drives analysis, which drives action.  One such action is disabling AutoPlay/AutoRun, a step that stops removable media from launching an autorun.inf payload automatically (it does not stop a user from opening a malicious file on the drive, so it is one layer, not a complete defense).  Continuously enforcing that configuration setting is easily accomplished by Triumfant.
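To make the two ideas above concrete, here is an added example of the kind of endpoint check a practitioner could run themselves; it is not Triumfant's code and does not use the Triumfant repository.  It inventories USB mass-storage devices that Windows has ever enumerated on a host (whether or not they are currently attached), flags those that arrived within a chosen window (14 days, matching the two-week report in the story), and audits and optionally enforces the AutoRun policy value.  Assumptions, labelled in the comments: it runs elevated on Windows 8 / Server 2012 or later so that the PnpDevice cmdlets and the DEVPKEY_Device_LastArrivalDate property are available, and the function and parameter names are this example's own.

```powershell
# Added example (not the blog's or Triumfant's code).
# Assumes: elevated PowerShell, Windows 8 / Server 2012 or later (PnpDevice module).

function Get-UsbStorageHistory {
    # Returns one record per USB mass-storage device instance Windows has ever seen.
    # Windows keeps PnP instances for devices that are no longer attached, which is
    # what lets this answer "has a USB drive been used here?" after the fact.
    param([int]$WithinDays = 14)   # hypothetical parameter; 14 matches the two-week report
    $cutoff = (Get-Date).AddDays(-$WithinDays)

    Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            # Last-arrival timestamp is a PnP device property, not part of Get-PnpDevice itself.
            $arrival = Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                -KeyName 'DEVPKEY_Device_LastArrivalDate' -ErrorAction SilentlyContinue
            $lastSeen = $null
            if ($arrival -and $arrival.Data) { $lastSeen = [datetime]$arrival.Data }
            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                InstanceId     = $_.InstanceId          # includes vendor/product and device serial
                FriendlyName   = $_.FriendlyName
                Present        = $_.Present             # attached right now?
                LastArrival    = $lastSeen
                UsedInWindow   = ($lastSeen -ne $null -and $lastSeen -ge $cutoff)
            }
        }
}

function Test-AutoRunPolicy {
    # Audits (and with -Enforce, sets) the policy values that disable AutoRun/AutoPlay.
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type;
    # NoAutorun = 1 stops autorun.inf commands from being honored at all.
    param([switch]$Enforce)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $desired = @{ NoDriveTypeAutoRun = 0xFF; NoAutorun = 1 }

    if (-not (Test-Path $key)) {
        if ($Enforce) { New-Item -Path $key -Force | Out-Null } else { return $false }
    }
    $compliant = $true
    foreach ($name in $desired.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $desired[$name]) {
            $compliant = $false
            Write-Warning "$name is '$current', expected $($desired[$name])"
            if ($Enforce) {
                # Continuous enforcement is just re-running this check on a schedule.
                Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type DWord
            }
        }
    }
    return $compliant
}

# Usage: report devices used in the last two weeks, then audit (not enforce) AutoRun.
$history = Get-UsbStorageHistory -WithinDays 14
$history | Where-Object UsedInWindow | Format-Table ComputerName, FriendlyName, LastArrival, Present
"AutoRun policy compliant: $(Test-AutoRunPolicy)"
# Run Test-AutoRunPolicy -Enforce from a scheduled task to keep the setting in place.
```

Collecting the output of `Get-UsbStorageHistory` from every host into one CSV gives the same "percentage of machines that used a USB drive" figure the story describes.  Note the limits: the PnP record can be cleared by anyone with local administrator rights, and neither function says anything about USB devices that present themselves as keyboards or network adapters rather than storage, which is why a configuration check is a complement to endpoint data, not a substitute for it.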

The threat presented by USB devices is also a reminder that all of the network security in the world won’t protect against malware introduced directly to the machine.  Here again Triumfant comes to the rescue, as Triumfant is able to detect attacks such as the Pentagon worm that make it past the endpoint defenses.  In such cases, Triumfant would have seen the worm when it executed, analyzed the threat, and built a remediation to remove the worm from every machine where it was introduced.  The time from infection to remediation would have been under five minutes, which likely would have kept it from propagating.

The threat represented by USB storage devices is not new, and it is certainly not the last threat organizations will face.  It is an example of how detailed information about the endpoint population can help address such threats, and of how organizations must look past traditional network defenses to guard against them.