Tiny Media

Dave Kennedy
March 2nd, 2009

by Dave Kennedy and William Murray

The first disk drive that I ever saw was the size and weight of a refrigerator and gave off as much heat. It would hold one megabyte. It was so expensive that it was far more likely to be used as a table than as a database. At the same time, the storage medium of choice was punched paper, cards or tape. A gigabyte in punched cards would fill a railroad box car.

The first hard drive that I bought was 10MB and cost me $3000 at IBM employee price. I thought I would never use it up. One can now buy a terabyte in a cigar box for $99 (I kid you not! It dropped in price while I was working on this post) and for $50 one can buy 320GB that will fit in one’s shirt pocket.

This week I bought an 8GB microSDHC card. It is the size of my fingernail. I paid $18 plus $4 shipping and handling, although it could have been sent first class mail for less than $1. A great portion of the cost is in the transaction, not the materials nor even the technology.

I thought that the SD card, the size of a postage stamp, was as small as a storage device would ever get. Anything smaller than that one can hardly label or keep track of. However, the devices in which the storage is used are getting smaller and thus, the microSD.

About every decade or so, as storage gets smaller, denser, and cheaper, managers begin to worry that its very existence will encourage data theft. One could carry a 2400′ reel of tape in one’s overcoat or send out half a dozen in the waste paper basket. Multiple diskettes could be carried in a shirt pocket. Said another way, it has been a long time since the weight or the volume of the data was a deterrent to its theft.

However, we are going through the panic again. This time it is “USB drives.” For example, a recent press release said “Lumension’s 2008 Annual Report and Threat Predictions for 2009 finds removable media as the leading cause of data breaches….”

Dr. Peter Tippett reports, “It [portable storage media] is endless talk among very large company CIOs and CSO/CISOs that I speak with every week… I think the driver is that everyone has a small case that happened in their shop, or that they heard about among their peers…. Then they have a “wouldn’t it be horrible if” worst case scenario they dream up relative to their own data… And voila! It is the worst thing.”

On the other hand, in the 500 cases that Verizon reports on in its Data Breach Report, there were no cases in which thumb drives (or other small portable media) played more than an incidental role. In no case did it appear necessary to the success of the breach, much less was it deemed “causal.”

Even DoD leadership has been panicked by “thumb drives.” Rather than control access to the data, they are trying to resist the technology. They no longer permit, at least as a matter of policy, portable digital media inside secure computing facilities, but rely on paper only. In some commands they do not permit the use of thumb drives on (user owned) laptops attached to their networks. Anyone else see the irony here?

Now we all understand the limits of such controls. Modern storage is now so small and dense that it can be concealed and carried virtually anywhere on one’s body. One can no more resist leakage by resisting media, digital or analog, than one can resist the use of computers, networks, or, for that matter, paper. The economics are simply against it. We pay extra for small and dense.

The way to resist data leakage is to restrict access to sensitive, proprietary, or personally identifiable information near the source (e.g., at the database server) and hold people accountable for its use. It is difficult to do but it is orders of magnitude more efficient than chasing the new tiny media du jour. It is far easier to control what data is copied than to control where it is copied or what happens to the copy. Data access control is media independent. Said another way, it works for the network as well as for tiny media, the siphon as well as the bucket.

Comments

  1. Great article, thank you!

    I’m curious… is this a result of “no breaches with USB” or what you guys get called in for? How could we assess that ‘fairly’?

    Posted by: Adam on April 6th, 2009 at 4:05 pm
  2. @Adam: I’m not going to answer on behalf of Bill but I’ll let him know and toss in my $0.02.

    I’m sure you are right about our statement that we observed only one breach in 2008 that resulted from the misuse of portable media. That finding is certainly reflective of our caseload but I also think Bill’s main point is that not only is it probably not “THE leading cause of data breaches” as some claim but they are a tool of convenience rather than necessity for those wishing to compromise data. Sure, it makes it easier to smuggle data out the door but eliminating portable media certainly wouldn’t eliminate the export of sensitive data. That’s especially true for sealing up USB ports on end-user systems. My laptop’s hard disk is a little bit bigger but equally portable and concealable and short of any USB transfer methods, the extra 2 minutes to remove it isn’t much of a deterrent.

    Posted by: Wade Baker on April 12th, 2009 at 1:20 pm
  3. [Posting on behalf of William H. Murray:]

    Not really about that. However, we have seen only a handful of cases where tiny media was involved, mostly coincidental, none where it was necessary, much less “causal.”

    Rather, this is about proportional and efficient security. It is about ensuring that sensitive data gets necessary protection while ensuring that expensive measures are reserved for that data that really requires it.

    Control of tiny media is expensive; to be effective, it would have to be intrusive and disruptive. Far more efficient to identify the sensitive data, limit and control access to it, and fix accountability for all use to the level of the individual.

    Posted by: Wade Baker on April 14th, 2009 at 5:08 am