Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

May 9, 2007

Insider threat - USB thumb drive

"A worker calls up a sensitive investor list and downloads it on her thumb drive, slips it into her pocket, and walks out, smiling and waving to her boss and the security officer stationed at the front door. This is just one of the scenarios that security professionals and IT managers are increasingly worried about. According to one recent study, IT managers said portable storage devices, such as thumb drives and MP3 players, have surpassed even malware to become a top concern."

I presume reporter Sharon Gaudin from Information Week has simply swallowed and regurgitated the blurb from Bill Piwonka (yes, that's his real name - I couldn't make 'em up), VP of product management for Centennial Software, which conducted a "survey" at the InfoSec security conference in London. [Would you be surprised to hear that the company sells a "solution" to control access to USB drives?] The scenario described above looks more like an insider threat example to me. The fact that the worker used a USB thumb drive is incidental: it could equally have been a USB hard drive, a CD-ROM, even a pen and paper. She could have emailed it to herself or an accomplice, perhaps ZIPped up with 256-bit AES to bypass any content inspection. Preventing the abuse of USB thumb drives is hardly going to stem the flow.