IBM banned USB drives. Is it the future of security or a knee-jerk reaction?

(in)Secure is a weekly column that dives into the rapidly escalating topic of cybersecurity.

Despite the wide use of cloud services like Dropbox, sometimes a handy old USB drive is the quickest way to get large amounts of data from one computer to another. But imagine if one day you went to work and found out that all USB drives had been banned from the premises? That’s what happened over at IBM recently.

A recent leaked memo indicated that IBM would be banning all employees from using USB drives. That kind of reaction might be understandable given the current state of cybersecurity, but is that really the most effective strategy?

A quick fix for a huge problem

“That’s the easiest way to cover your rear end: Make an announcement that you’re banning everything to show that you’ve put a policy in place,” Kingston’s strategic product marketing manager, Ruben Lugo, told Digital Trends. In actuality, he said, these kinds of policies can hinder a company far more than they help it.

“Companies aren’t looking to apply the right resources from the beginning,” he said. “It’s always ‘what’s the quick fix? Do I need to do anything really?’ And usually that revolves around banning things […] We’ve found that that actually hinders productivity and efficiency that the mobile workforce needs while they’re out there in the field.”

The past few years have seen some of the biggest data thefts and breaches ever, leaving hundreds of millions of individuals vulnerable to identity theft, exploitation, and even political manipulation. That’s led to many companies and individuals taking privacy and data security online more seriously and even brought politicians to the table to discuss how it can be improved. But not all practices to do so are necessarily recommended. Banning USB drives is just one example of such a practice.

An advertisement for the USB Rubber Ducky, a tool used in carrying out a USB drop attack.

Banning USB drives may seem like an easy way to stop leaks. It makes data theft much more difficult when the people working with the data can’t physically remove it from where it’s stored. But some would argue that such a policy merely opens up companies like IBM to new avenues of attack and doesn’t get to the root of the problem: the vulnerability of unsecured data.

That sentiment is echoed by Malwarebytes’ VP of Products and Research, Pedro Bustamante, who told us that “disconnecting systems from having access to the internet would also be highly effective. It’s just not practical in most cases. With the evolution of technology and internet speeds, USB drives represent a relatively small risk at this point. The frustration to end-users (or your employees) isn’t likely to be worth the small improvement to your security posture.”

The reason for IBM’s ban on removable storage was said to be to reduce instances of leaks and data loss, whether that’s deliberate leaking of information or through misplaced hardware. We reached out to IBM for comment on the ban, but haven’t received a response.

Either way, Kingston’s Lugo believes that banning external drives won’t stop people from getting data out of the company if they want or need to.

“Where there’s a will there’s a way,” he said. “People will just start using their own Dropbox, their own Google Drive and then you start circumventing your own firewall, your own protection and it’s really just creating another issue.”

Controlling the media

In Lugo’s mind, it would be far better for IBM and companies like it to control physical media and the data they contain, rather than try to ban the devices outright. He recommends the use of drives like Kingston’s own Ironkey devices, which combine physical protections like metal casings and epoxy coatings for the drive’s circuit board, with hardware-driven encryption that makes the digital data completely unreadable to prying eyes.

The Ironkey is at the extreme end of the products that Kingston offers, but whatever the brand or make of the device, as long as it leverages hardware-driven encryption, it should prevent unintentional data loss almost entirely. It doesn’t matter if an employee misplaces a drive with sensitive data on it, because even if someone were to find it and try to access that information, without the correct passcode they would find the data completely unreadable.

Kingston also has other measures in place to prevent that data from being accessed, such as a maximum number of password entries to prevent brute-force hacking and remote wipe capabilities – something that could protect against some deliberate leaks from disgruntled or ex-employees.

“We have management software and what that allows is for the geo-locating of drives, the ability to audit the drives to see what’s on there, enforce complex passwords,” Lugo said. “If someone were to leave the company or was fired or disgruntled, there is an ability to send a message to the drive to render it useless and wipe the drive clean.”

Controlling the end point

The physical media itself, though, is only one part of protecting a company’s data. Something that a number of security companies, including the likes of Symantec, Malwarebytes, and McAfee, have been developing in recent years is endpoint protection.

Endpoint protection is the practice of securing a network at the point of connection by a device. While typically that might be when a new laptop or smartphone is connected to a system, it can also be applied to physical drives like USB devices. That’s something Kingston believes companies like IBM could use to prevent some of the data theft that it’s looking to thwart with its outright ban.

“[Endpoint protection] allows the administration, IT, whoever is involved with cyber security, to recognize who does need access to USB ports, who needs access to X, Y, Z data,” Lugo said. “Then they can actually build a user profile, a user group to then allow only just one specific USB drive, be it a Kingston drive or other, so that when that user plugs in another random USB drive, the endpoints security will look at it and recognize it’s not an issued drive. Thus not letting the user transport any data back and forth onto that drive.”

By controlling the physical media itself and the point of contact it has with the internal network, a business has far greater control over the data that flows in and out of its protected systems than it does by, ostensibly at least, prohibiting the use of all physical media.
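
As an added illustration (not code from the article, from Kingston, or from any endpoint product), the sketch below shows the kind of decision an endpoint agent makes when a USB storage device is attached: only a drive issued to that user, and not since revoked, is allowed, and every decision is logged for audit. All users, device IDs and serials are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Drive:
    vendor_id: str
    product_id: str
    serial: str

# Constructed inventory of company-issued drives: drive -> assigned user, status.
ISSUED = {
    Drive("1234", "abcd", "EXAMPLE-0001"): {"user": "alice", "revoked": False},
    Drive("1234", "abcd", "EXAMPLE-0002"): {"user": "bob", "revoked": True},
}
# Constructed group of users permitted to use USB storage at all.
USB_STORAGE_USERS = {"alice", "bob"}

AUDIT_LOG = []  # every decision is recorded, whether allowed or blocked

def evaluate(user: str, drive: Drive) -> tuple[str, str]:
    """Return (action, reason) for a USB storage attach event."""
    record = ISSUED.get(drive)
    if user not in USB_STORAGE_USERS:
        decision = ("block", "user not in a USB-enabled group")
    elif record is None:
        decision = ("block", "not an issued drive")
    elif record["revoked"]:
        decision = ("block", "issued drive has been revoked")
    elif record["user"] != user:
        decision = ("block", "drive is issued to a different user")
    else:
        decision = ("allow", "issued drive, assigned user")
    AUDIT_LOG.append({"user": user, "serial": drive.serial,
                      "action": decision[0], "reason": decision[1]})
    return decision

if __name__ == "__main__":
    # Constructed attach events: (logged-in user, device that was plugged in).
    events = [
        ("alice", Drive("1234", "abcd", "EXAMPLE-0001")),  # her issued drive
        ("alice", Drive("9999", "0001", "RANDOM-STICK")),  # unknown drive
        ("bob", Drive("1234", "abcd", "EXAMPLE-0002")),    # revoked drive
        ("carol", Drive("1234", "abcd", "EXAMPLE-0001")),  # user without USB rights
    ]
    for user, drive in events:
        print(user, drive.serial, *evaluate(user, drive))
```

Vendor ID, product ID and serial are values the device reports about itself, so an allowlist like this identifies a drive but does not protect the data on it; that part is left to the drive's own encryption.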

Part of the new General Data Protection Regulation legislation that was recently enacted involves companies having real accountability of data, controlling who has access to it, and how it is stored. Having a policy of no physical media makes it impossible for IBM to be truly accountable were someone to flout such a policy and get around any internal safeguards it has against it.

The combination of an encrypted drive and strong endpoint security would allow for powerful auditing of physical devices, preventing the use of unauthorized physical media, and protecting data that is removed from a network by making it unreadable to all but validated parties.

GDPR and beyond

Now that the GDPR has been implemented and is fully enforceable with any entities doing business with EU customers, more companies than ever need to pay attention to the way that they handle digital information. Outright bans on USB devices might offer some measure of protection against some of the harsher fines and arbitration systems in place, but as Lugo points out, they don’t give companies the control they need to truly protect their data and that of their employees and users.

As for IBM, Lugo is hoping that Kingston can turn it around on its recent policy changes and is already in the process of trying to do so.

“IBM is an amazing company,” he said. “[But] some of our sales team is [in contact with it] at the moment, so we’ll see how that goes.”

Raising awareness of the alternatives to IBM’s ban is important among its employees too. As Malwarebytes’ Bustamante highlighted to us, the best way to secure a network is with a combination strategy that brings together people, hardware, and software, to comprehensively lock down important data and the networks it’s stored on.

“Businesses need to ensure they have the right internal processes in place to deal with a breach and ensure that staff are given regular security training – after all, your employees are your first line of defense so equip them with the knowledge to be able to spot a dodgy email or attachment,” it said. “The best security policies combine people, processes and technology; one does not exist without the other two.”
