Posted on 2005-04-11
Last Modified: 2010-04-11
Hello all,

Over here we are doing a project to restructure our entire IT infrastructure.
We're going to citrix, everyone's getting terminals, novell is being replaced with microsoft stuff etc.

Some managers have decided in all their wisdom that it would be nice to have USB-sticks. We've already told em that this would bring extra security risks.
Bringing virii into the organisation,
Having a cmd.exe on the stick and thus being able to reck havoc
The terminals needing WinCE instead of WyseOS (and thus being more expensive)
But they seem deaf to these arguements.

So I'd appreciate it if you could all list some extra security risks for me to use as arguements in discussions.

Question by:kneH
    LVL 5

    Expert Comment

    LVL 12

    Author Comment

    Cheers for the link. The loss of information is a strong point.

    But seeing I need to convince managers and already addressed virii the article leaves only one arguement... and I am not gonna tell the people upstairs that their prolly gonna loose their info when they overwrite it or loose the stick altogether.

    That's just calling them stupid to their faces which will not improve my salary...

    I am looking for different stuff.
    Eg what extra risks would winCE bring for instance. Basically I wanna slap em in the face... only seeing I like my job I'd rather do it with good arguements rather than with my hand. And I need "techy" arguements cos they will not take the personal assaults. If you get my drift.
    LVL 9

    Expert Comment

    Memory sticks are very common and they don't bring any more risk that any other storage medium.  Security-wise, there's no difference between a memory stick and a floppy disk drive or even a CD-ROM drive.  A user can have a virus on a floppy disk (but you should have antivirus software anyhow) or they could have a Linux LiveCD or an WinowsPE environment CD that lots them do stuff to their computer, and potentially the network, that they otherwise wouldn't be allowed to do.  

    Some memory sticks let you encrypt data so that even if you lose the stick, at least whoever finds it won't have access to what's on it.

    The only real argument against memory sticks is that people might lose them.  Just as they might lose a CD or a floppy disk.

    As for WindowsCE based terminals,  they do carry a bit more of a security risk because they could become infected by viruses (and you might not be able to find antivirus for them) and they're more expensive....  but they also offer more potential functionality than a lot of WiSE terminals.  If the WinCE terminal doesn't support ICA (WinCE has built-in support for RDP), then you wouldn't want to use them with Citrix.

    LVL 22

    Accepted Solution

    A USB stick can carry 1 hell of a lot of information. I'd immediately raise the following warnings:

    1. Theft of information. Other competitors would love to have a full look at your accounts:) If your company has any intelectual property, then how about that being delivered to a competitor by a disgruntled employee.

    2.  'Hacking' / 'cracking' software could be brought in. A whole bootable OS can exist on a USB stick......with loads of utilities....perhaps sniffing the network for passwords...or other vulnerabilities. Incidentally the same issue exists with CDs, and less so with floppies, because they hold less information.

    3.   Accidental loss of a USB stick may compromise data...and a large amount at that. Consider having data on the sticks encrypted.

    4.    Bringing in any unauthorised software is a recipie for wasted productivity. Joe Bloggs brings in a Doom Engine Server on Fri afternoon, and the company grinds to a halt? Generally anything that can be brought in results in loss of productivity as it diverts attention from the correct ptiorities in the company.

    5.    Generally illegally imported software, increases network/IT administration costs. It slows down the development of the network, because more time is spent sorting out problems. (Perhaps additional cost of extra administration controlling dodgy of software, requirement for an extra sysadmin, issues with compatabilities, users 'messing' trying to get something to work,....)

    I'm guessing that your IT policy is weak or non-existant. Ideally, your companies system is there to create value, and income for the company. If your directors wish to do otherwise, I guess it's their choice........after all they are ersponsible for the company. I'd recommend putting your views in writing, and after that it's their choice! However, the correct action for you is to get a decent IT policy in place. Then when directors make a decision on say USB sticks, they need to alter a whole policy to get it to work. Generally, once a policy is in place, directors will leave it alone.....

    LVL 15

    Expert Comment

    there is some memory stick with encryption and integrated Biometric identification.. it would protect the access to the key, and the information contained.

    something like this:
    LVL 2

    Expert Comment

    Well, like all of the aforementioned vunerablitites, data loss, ability to steal large amounts of information, could carry viruses, etc., USB drives are also nice and small, so they can be easily hidden, another thing to consider is the fact that it is possible to boot an OS off of a USB drive, assuming someone were to boot knoppix or another similar system, anyone could literally wreak havoc on your local system.
      Hope This Helps,

    PS - Don't let them tell you they have made sure that this option was diabled, becuase ANYTHING can be circumvented.
    LVL 9

    Assisted Solution

    You can boot an OS off a CDROM as well...  it's actually a lot easier; it requires much more work to put knoppix/beatrix/pclinuxos on a USB drive (where's anyone can easily burn the .ISO).

    As for stealing data... if the users have unfettered internet access (or email access) they can steal data anyhow (and they could encrypt it before sending it so you'd never know what they sent).  Also if anyone either has a CD or DVD burner (or has access to one) they can do the same thing.  Check or even a buncha floppy disk and a fair amount of patience...

    Of course If you do manage to convince the Big Cheeses that giving everyone a USB drive is a bad idea,  you  have to create a Group Policy Object to change the StorageDevicePolicy registry key (under XP) or USBStore key (under 2000) to make sure that no one can simply bring their own USB Drive (of course if they have local Admin rights and are pretty computer savy, you're out of luck).

    I agree with pjedmond... you need a well defined IT policy.  Should everyone have full access to the internet?  Are people allowed to install software on their computers?  Can people send email messages of an unlimited (or damned big) size?  Do you have an antivirus software in place?  Do people have acces to a CD/DVD burner?  Are the computer's BIOSes password protected (so they can't boot from a CD).  Do people have local administrator rights on their machines?

    If you've got a good security policy with which management agrees, you can simple say "Look, this compromises these parts of our security policy... the policy to which you agreed, so we shouldn't do it".  If users can do damn-near whatever they want anyhow, it's a lot harder to make a case against something like a USB drive because you might list all of the associated risk and management can turn around and say "it's like that anyhow, how does this change anything?"

    LVL 6

    Expert Comment

    an operating system could be isntalled on a CD also. So using the USB device to "hack" the computer isn't the only option available. Your main concern should be data theft as mention, and viruses. However, this is an option that they will most likly receive, so you should start prepairing for security measures. Are USB devices currently disabled? if not, then any of the things mention could already be in effect... You can control which users recieve access to USB storage and which do not.
    LVL 12

    Author Comment

    Cheers for all the answers!

    Some good stuff in there. pjedmond's answer really helped. So he's gonna get the bulk of the points.

    As for CD's and Floppy's raising the same problem... well they would if we were to put any of those in the terminals which we are not. We have sensitive data on our systems and we want to keep it there at all cost. Hence the HDD less terminals etc.

    As for the non-exsisting IT policy.... We have one. A proper one even. Only we have managers who think themselves to be above all law (and thus policy). So there's our real problem. But seeing I can't tell em off without losing my job or making life impossible for myself I will have to convince them.

    Featured Post

    Highfive Gives IT Their Time Back

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Join & Write a Comment

    Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
    This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now