[unisog] Policy on "removeable storage devices"

Jim Dillon Jim.Dillon at cusys.edu
Mon May 2 17:39:44 GMT 2005

Not to mention that 2-layer DVD burners are now standard on certain PCs.  Thumb drives are less recognized, but a 14GB DVD could certainly do a lot of damage.

We are working on policies but I have none sufficient to offer at present.  Suffice it to say that the policies should not be device- or technology-specific, but should educate or point to sufficient info to include flash devices, DVD/CD writable media, phones, cameras, PDAs, MP3 players, and so on.

To get to a place where policies can work, you first have to come up with a data categorization scheme/policy.  Until all users can easily recognize the value/risk/requirements for an individual data item, no policy will be very effective; users will define these values for themselves, and the result is anarchy at best.  Until you see disk shredders in every hall, and labeling stamps on every desk that allow quick labeling of a "Sensitive Data - Destroy, don't Dispose" type message, you won't have a control environment strong enough to maintain data security on assorted media types.

I think technically we will not be able to keep up.  We are going to have to develop much better employee training, indoctrination, and understanding about the perils of managing electronic/information assets.

It would be really helpful to have good figures on the value of data items that could be used to assist in risk assessment and abatement.  I heard from the FBI recently that they use a "black market" value of $35 per identity to value identity loss.  That makes recent Higher Ed losses quite costly, eh? $10s of millions! More trustworthy value estimators can help drive this discussion towards a proper conclusion.

As for encryption on the devices, I'm using a Lexar JumpDrive Secure.  I've read that its encryption is a trivial break (for a cryptographer with an interest).  So I find it good enough for my own private risk, but not corporate level. (Still, this should defeat the casual/opportunistic opportunity most lost thumb drives would provide.  I couldn't decrypt the thing...)  You can always use WinZip to place contents in a 256-bit AES encrypted state, and that should be good enough for most applications, but that depends on WinZip's implementation standard, and a slightly less friendly process.  I've found most average users just don't want to get it when it comes to zipped encryption; it seems too difficult to them.  We've got to overcome that kind of mindset or provide easier solutions.

Best regards,

Jim Dillon

Jim Dillon, CISA
IT Audit Manager
University of Colorado
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Harry Hoffman
Sent: Friday, April 29, 2005 7:57 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Policy on "removeable storage devices"

Hmm, interesting question, especially because 1 and 2 GB USB key disks are starting to become really affordable.

I just got a 1GB sized one for $60 USD.

It's small (read: easy to lose) and the capacity means I can store quite a bit of sensitive data on it.

The one that I have (SanDisk Cruzer Mini 1GB) comes with an encryption program (Windows only), so I use gpg/openssl to encrypt everything on it.


Russell Fulton wrote:
> Hi Folks,
> 	 We currently have a policy regarding the use of laptop computers,
> particularly as they relate to sensitive data:
> http://www.auckland.ac.nz/security/LaptopSecurityPolicy.htm
> and we are now looking at addressing similar issues with the ubiquitous
> usb/firewire storage devices which are even easier to lose or have
> stolen.
> We are particularly interested to hear if anyone has experience with
> data encryption for such devices -- either built in to the device or via
> software on the 'host' machine.
> Cheers, Russell
> ------------------------------------------------------------------------
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
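Harry's approach of using gpg/openssl instead of the vendor's Windows-only tool, as an added shell example that is not part of any message in this thread: it wraps `openssl enc` (AES-256-CBC with PBKDF2 key derivation, which assumes OpenSSL 1.1.1 or later is installed) in two small functions for files headed to a thumb drive, and runs a self-check on constructed sample data. The check confirms that the ciphertext does not carry the plaintext marker in the clear, that the right passphrase reproduces the file byte for byte, and that a wrong passphrase does not recover the original. The file names, the passphrase and the record content are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): encrypt a file with a passphrase before
# it is copied to removable media, and verify the scheme on constructed data.
set -eu

ITER=200000   # PBKDF2 iteration count; raise as hardware allows

# encrypt_file PLAINTEXT CIPHERTEXT PASSFILE
# The passphrase is read from the first line of PASSFILE, which keeps it out
# of the process list and shell history.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file CIPHERTEXT PLAINTEXT PASSFILE
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass "file:$3"
}

# roundtrip_check: builds constructed sample data in a temporary directory,
# encrypts it as it would be before leaving the host, and checks three
# properties. Prints "ok" when all of them hold, a short reason otherwise.
roundtrip_check() {
    work=$(mktemp -d)
    # Constructed sample record and passphrases (placeholders, not real data)
    printf 'CONSTRUCTED-SENSITIVE-RECORD: id=0001 name=Example Student\n' > "$work/records.txt"
    printf 'constructed example passphrase\n' > "$work/pass.txt"
    printf 'wrong passphrase\n' > "$work/wrong.txt"

    encrypt_file "$work/records.txt" "$work/records.txt.enc" "$work/pass.txt"

    # 1. The ciphertext must not contain the plaintext marker in the clear.
    if grep -q 'CONSTRUCTED-SENSITIVE-RECORD' "$work/records.txt.enc"; then
        rm -rf "$work"; echo "plaintext leaked"; return 1
    fi

    # 2. The correct passphrase must reproduce the original byte for byte.
    decrypt_file "$work/records.txt.enc" "$work/records.dec" "$work/pass.txt"
    if ! cmp -s "$work/records.txt" "$work/records.dec"; then
        rm -rf "$work"; echo "roundtrip mismatch"; return 1
    fi

    # 3. A wrong passphrase must not yield the original: openssl normally
    #    reports a bad decrypt, and anything it does write is garbage.
    decrypt_file "$work/records.txt.enc" "$work/records.bad" "$work/wrong.txt" 2>/dev/null || true
    if [ -f "$work/records.bad" ] && cmp -s "$work/records.txt" "$work/records.bad"; then
        rm -rf "$work"; echo "wrong passphrase accepted"; return 1
    fi

    rm -rf "$work"
    echo ok
}

# Usage on real files (paths are placeholders):
#   encrypt_file ~/grades.xls /media/thumbdrive/grades.xls.enc ~/.media-pass
#   decrypt_file /media/thumbdrive/grades.xls.enc ~/grades.xls ~/.media-pass
# Self-check: roundtrip_check
```

`openssl enc` gives confidentiality only; it does not detect tampering, so a tampered file on a found drive will decrypt to garbage rather than fail cleanly. For most lost-thumb-drive scenarios confidentiality is the property that matters, and a `gpg --symmetric` archive offers the same protection with integrity checking built in.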
