That Little USB Thumb Drive Could Be a Big Security Violation
Published on: 13th May 2014
At Intel, most office employees work in open cubicle environments, so it's not surprising to see laptops, key chains, documents and thumb drives laying out on desks while roaming the hallways. Unfortunately, there is risk involved in all of this "openness," and that's why Intel performs IP security sweeps on a random basis. A single thumb drive can result in a red notice left behind as a reminder.
But that's not all that raises a red flag when security guards roam the cubicles after-hours. They look for a variety of violations sitting in clear line of sight like confidential documents or even old silicon wafers, and the red or blue tickets they leave behind give employees mixed feelings.
Common to many large technology companies, Intel has an open environment when it comes to employee workplaces. Rows of cubicles and open desks while good for collaborating, can also pose potential security violations. Intel doesn't take security risks lightly and often performs "security sweeps" that look for violations out in the open.
"There is an element of the security sweeps that goes way back. There is a concept called SMBWA - safety management by walking around," says Malcom Harkins, chief security and privacy officer at Intel. "That dates back because of our manufacturing history, 20 plus years."
As is common with many technology companies, security and the protection of intellectual property are huge concerns. Threats to infrastructure, systems and devices are ever-present and evolve in real time. But while a company may be locked down from a firewall and network perspective, it is often the more mobile and portable side of technology that pose the biggest risks to corporations.
Tablets, laptops and smartphones often have corporate security frameworks and software installed in them if they are to be connected to corporate infrastructure, allowing security and IT administrators to remotely disable, lock or even wipe compromised devices.
But often, these security measures have a limit in their effectiveness when it comes to other portable devices like USB hard drives or thumb drives. And this is where corporations move from software solutions to manual intervention to reduce the risk. At Intel, security officers perform regular checks of employee workstations looking for obvious violations of security policies.
Depending on what if any violations are found, the employee might just get a notice left behind on the desk as a reminder. In other cases, the person may have to talk with his or her manager to remind them of the guidelines. Multiple violations could be escalated higher. In other cases, if the desk is clean of violations, a "Congratulations, you passed an IP Security sweep" notice might be left behind.
Sometimes the biggest security risks come in the smallest form factors. NSA whistleblower, Edward Snowden, reportedly snuck out many of the leaked and highly classified documents on a regular basis using a simple, inconspicuous USB thumb drive, a device allegedly banned from NSA offices.
Portable USB thumb drives, which Intel security will flag but not take, pose a variety of risks. They can be transmitters of viruses or malware between work and home and are increasingly being targeted by hackers as easy ways to distribute malicious payloads. In fact, the Stuxnet virus may have been planted in a Russian nuclear plant via an infected USB stick, according to Kaspersky.
And USB thumb drives can pose a threat via the unintentional dissemination of intellection property external to corporate physical and virtual firewalls.
A 2011 survey conducted by Credant Technologies of more than 500 dry cleaners and launderettes around the United Kingdom found that more than 17,000 USB sticks or thumb drives were left behind in 2010 when clothes were dropped off to be dry cleaned.
Often, these USB thumb drives are not password protected nor encrypted.
Thumb drives have risks and benefits. Because they are small, they can get lost, stolen or misplaced. It's the company's responsibility to set security expectations as to what should or should not be stored on them and provide technical mechanism to employees to protect the data on the thumb drive, Harkins says.
Depending on the business, government office or corporate facility, security sweep violation outcomes can range from simple warning notifications to employee terminations or criminal actions being leveled at the violator. And sometimes, the employee may no longer be an employee when the violations are uncovered.
So, whether an employer takes a laissez-faire approach to security or rigorously cracks down on security violations, employees should take some time to ensure their pesky little USB thumb drives remain under their control and protection. Left plugged into devices in the office, they can be easily pocketed with confidential information within; left in a pocket, they can be lost or picked up by a third party; and connecting them to infected hardware, they can unleash unknown havoc to other environments.
"Wow, as a new employee, I didn't even know that these sweeps were done!" said Ellen Healy, a recently hired Intel employee who received a security sweep a few months after she arrived. "I felt a bit scared when I saw some of those red citations on other desks as I walked to my cube."