I thought that, by now, most organizations might have spotted the risk posed by USB sticks. Not so. I was in a household name organization a couple of days ago – one of those organizations were there’s restrictions on internet access, tight controls on software purchases, instant dismissal for breach of the Internet Acceptable Use Policy, and so on, and watched in stupefaction as the event organizer set up his slide presentation.
He pulled a USB stick from his pocket, put it into a port on his laptop – which was plugged into the network – and downloaded the presentation. I presumed that there must be some form of port protection installed but no.
In fact, I learned, this was the simple way that people who didn’t have laptops took work home – because of the internet gateway restrictions on document export to non-business addresses, staff simply put their work onto their (privately acquired) USB sticks, took it home, did their work, and then uploaded it again in the morning.
And no one seemed to think this was strange.
USB Loopholes
July 18, 2005
About The Author
Alan Calder
Alan Calder is an acknowledged international cyber security expert and a leading author on information security and IT governance issues. He is also the CEO of GRC International Group PLC