Plugging the hole in Windows USB security

Jul 10, 2005

As new ways of transferring and sharing data become commonplace in the workplace, software developers are marketing products to corporations to fill the void left by Microsoft Windows in portable-media-device security.

"The reality today is that organizations need a quick and reliable way to stop the unauthorized transfer of information to and from removable media devices," Brant Hubbard, general manager of Centennial Americas in Portland, Ore.,, told United Press International in an e-mail.

Centennial Software, headquartered in the United Kingdom, is the maker of DeviceWall, which gives companies the ability to manage and restrict access to USB ports on employee computers.

The development of USB or universal serial bus as a convenient way to connect peripheral devices to computers also has generated certain security risks."When people introduce new technology, they choose functionality and don't look at risk factors," Winn Schwartau, founder of Interpact Inc.in Seminole, Fla, an information-security services company, told UPI.Microsoft Windows does not include built-in USB security protection.Although its Service Pack 2 offers a lock-down feature, it does not include USB ports in its security protocols.

"Microsoft's failure to address USB security is one of the top five mistakes of 2005," Hubbard said."This focus on application convenience, not security, provides a great opportunity for Centennial Software to offer that more robust functionality."

Vladimir Chernavsky, chief executive officer of AdvancedForce InfoSecurity Solutions in San Ramon, Calif.,, said his company's DeviceLock allows administrators to control the input and output devices on corporate workstations.

"Maybe Microsoft should have implemented security measures in Windows and, sooner or later, I am sure they will, but we are constantly adding new functionality and features and should be one step ahead," Chernavsky told UPI.

The "Information Security Breaches Survey 2004," sponsored by the United Kingdom's Department of Trade and Industry, found two-thirds of companies surveyed had experienced some form of malicious incident involving their databases in the previous year.Such incidents were defined as viruses, unauthorized access, theft or fraud on a company's network.This was up from just over one-half when the survey was conducted in 2002.

Large companies that responded said 44 percent of their security incidents were known to have originated internally, while 38 percent were known to have an external origin.According to Centennial Software's "DeviceWall security attitudes survey 2005," which included 259 IT managers, 70 percent of security incidents at Fortune 1000 companies are internal and 70 percent of employees have stolen corporate information.

Products such as DeviceWall and DeviceLock enable several layers of protection.For instance, administrators can choose to block USB ports completely, allow only human-interface devices such as mice and keyboards, or create a white list of USB devices based on registered serial numbers.DeviceWall also includes a feature that warns when an improper action has occurred.

Companies must deal with security threats by deciding how to balance functionality and security, Hubbard said."Complete lockdown is actually counter-productive, as it blocks the USB port not only to storage devices, but also to keyboards, mice and printers," he noted.Both Hubbard and Chernavsky said they think although USB security awareness is growing and their list of clients is expanding, many companies still do not take proper precautions.Centennial Software's survey found 50 percent of all companies have placed no controls on portable media devices.

The U.K.security-breaches survey found that, on average, companies spent only 3 percent of their IT budgets on security measures.Less than half of those surveyed had conducted any type of cost-benefit analysis for security measures.Companies tend to view such measures as expenses rather than investments, the survey said.

"(Chief security officers) have seen viruses and spyware as more pressing security issues," Chernavsky said, "but with the price of portable media devices dropping and their capabilities increasing, it is becoming more of a problem and receiving more attention."

Hubbard said recent high-profile incidents involving removable media devices have caused the security issue to climb rapidly "to the top of the (chief information officer's) to-do list.When organizations compare the cost of purchasing DeviceWall against their risk exposure, many will simply 'find' the budget."

Both executives said encryption of portable media devices is the next step in securing data downloaded from company computers.

Copyright 2005 by United Press International. All rights reserved.

Explore further: Boxing match pops up on phones as TV habits change

Related Stories

Innovation boosts Wi-Fi bandwidth tenfold

Apr 20, 2015

Researchers at Oregon State University have invented a new technology that can increase the bandwidth of WiFi systems by 10 times, using LED lights to transmit information.

Canada auditor general lost data: report

Mar 19, 2015

The office of Canada's auditor general lost 120 USB drives, or one in five entrusted to staff last year, possibly containing sensitive information, a local newspaper reported Thursday.

Ford, Microsoft extend partnership on Sync 3

Mar 18, 2015

Ford dropped Microsoft for the operating system for its next-generation infotainment system but the long-time partnership continues with Tuesday's announcement Microsoft will provide cloud support to remotely update Ford ...

Recommended for you

Boxing match pops up on phones as TV habits change

6 hours ago

It should have been a proud moment for TV: drawing in millions of viewers willing to pay big money for a much-hyped sports event, while at the same time showing the clout traditional media still holds.

Engineering students create real-time 3-D radar system

7 hours ago

Spencer Kent stands nervously in front of Team D.R.A.D.I.S.' booth at Rice University's annual Engineering Design Showcase. Judging begins in about 10 minutes, and his teammate Galen Schmidt is frantically ...

Mozilla says HTTPS is the way forward for the Web

7 hours ago

The web developer community can hear a rallying cry loud and clear :Let's hear it for web security. Mozilla, the group behind the browser Firefox, is turning up the volume by saying enough's enough with non-secure ...

Facebook opens up Internet.org after neutrality flap

8 hours ago

Facebook said Monday it was opening up Internet.org, which provides connectivity to people in developing nations, to outside applications following a controversy over its limited set of online services.

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.