Removable drive/BYOD policy for company devices

Pew

Joined
Mar 12, 2018
Messages
3,733
Location
IL
Hi folks,

Does anybody's company use a policy where any removable devices like USB drives or "BYOD" have to be encrypted? If so, would you like share the gist of the policy? I'm pretty open with users using their company laptops for certain personal stuff like Facebook or youtube when using the laptops but lately I've noticed that my users like to plug in their personal USB drives which may have malware or suspicious program picked up by our AV. I'm about to put a policy in place where any removable drive used by the company has to be from me and has to be encrypted because of this. I've helped our IT consultants with a client when they were hit by ransomware (NOT FUN!) and they lost ~$30K + 6 months worth of data so I don't want my company to end up the same way.
 
Do not do it period is the policy. USB ports are monitored and the mothership is called. I strongly suspect any repeated intentional violation would get you escorted to the door and probably a first time offense if it allowed malware of any sort...
 
I wish I could have a policy of no USB drives allowed but unfortunately some of our clients like CDOT or ComED require copies of reports and drawings on USB drives or even a CD-R. Luckily this isn't frequent and makes me wonder if I can use our endpoint encryption to limit the USB access to encrypted USB thumb drives that I can setup.
 
The customer i support has a NO removable media policy (enforced by technical controls) and valid uses have to be documented and enabled on company supplied removable devices on specific PCs only. Documented uses automatically encrypt files placed on the drive; Pretty sure the use cases are reviewed annually to validate the use case still exists.

I think you are wise to consider this policy.

Too much IT security is reactive. "Doing X" is too expensive until "Not having done X" costs twice as much to recover from
 
Navy/Marine Corps and Contractors' machines are locked down. Very few have the ability to write a CD/DVD though some people have encrypted hard drives that are controlled. They have DoD encryption software that allows them to be plugged into a locked down laptop or desktop.
If you plug any other device in, your machine reports the violation (if connected) and bricks on you. You can't charge a cell phone through USB or you'll brick your machine.

You should be able to go to Microsoft, Apple, McAfee, Cisco or someone and get guidance/support to do whatever level you want to use. People could still burn DVDs or load specific, encrypted, external devices.

You could also lock down the machines and only allow transfer of files through a cloud share or a secure file sharing website like dropbox with encryption and passwords.
 
No USB drives allowed for fear of IP walking away or malware concerns. We use file transfer via FTP sites for everything outside.

Just my $0.02
 
USB drives were outlawed in DOD many, many years ago for security concerns.

If your company allows their use, it's only because their IT folks are morons, or just don't care about malware.
 
I can only imagine how stressful it'd be overseeing security over hundreds, thousands, or hundreds OF thousands of users and their devices. I presume Windows features the equivalent of what I would do in Linux: Ensure that their write permissions extend only to their /home/name directory; with /home being a partition with the noexec flag. External media is mounted to /media and that, too, has a noexec flag. The only gaping security hole at that point is a user doing something like:
Code:
some-legit-app --use-config-file="/path/to/the/malicious/data"
... Where /path/to/the/malicious/data is on the external media or their /home/name:
Code:
ssh super-secret-sensitive-server -i /media/someones_stolen_id_rsa
... In which case I am dealing with a malicious user with my device - and my problems extend beyond hardware and software.
But even with no USB media allowed, unless you're in a LAN-only environment you're still a few keystrokes away from:
Code:
cd ~/.ssh && wget http://really-bad-website.xyz/someones_stolen_id_rsa && ssh super-secret-sensitive-server -i /home/name/.ssh/someones_stolen_id_rsa
... In which case "the interwebs" could be thought of as one big external media drive and you have to think carefully and perpetually about URL and content filtering, which is orders of magnitude more of a pain than disallowing external media.

EDIT: I just tried plugging a USB device into my wife's school board-issued laptop and access was denied. I right-clicked "This PC" and selected "Manage" and was again denied. If there wans't a football game coming up in a little while I might have pulled the SSD out of it and tried to mount it in a Linux system to see if it is encrypted. I have, however, placed "portable apps" in her home directories (from portableapps.com; including a browser w/ a VPN add-on and DNS-over-https) and they execute and operate without issue.
 
Last edited:
I helped write the policy for a drive similar to this Aegis drive.
You tell someone in IA what you're going to put onto the drive. IA unlocks the drive, hands it to you, and you put the content onto it, making sure you've verified the sha-256 checksums of every file, and bring it back to IA.
They virus scan everything, make sure what you put on it is what you said and nothing else, then they lock it and hand it back to you.
You can then upload it onto the company network. Return it to IA and they wipe the drive, and throw it in their drawer for next time.
All of this is logged and initialed.
Kind of sucks, but when you're in a supply chain and don't want to be the one who infects your customer....
 
Back
Top