Banning thumb drives and removable media will not stop the loss of sensitive data files. Beacons that track the content of thumb drives are a far more sensible way to reduce data loss.

IBM recently announced a startling company-wide policy for all of its employees that bans use of removable storage devices. It seems remarkable that this policy was announced in 2018. The Department of Defense (DoD) banned removable media more than a decade ago, in 2008. While DoD has functioned just fine without them, its data loss problem hasn’t gone away. I predict that IBM’s problem won’t disappear either.

Will the policy stop the loss of sensitive documents? Why did it take a commercial industry giant 10 years to get the message? I don’t expect it will solve the problem of data loss of corporate secrets overnight. There are just too many thumb drives all over the place. But there is another way to think about solving the problem.

What prompted the new IBM policy?

Removable storage devices pose two well-known security problems. Infected thumb drives can easily introduce malware into corporate networks in the blink of an eye, even with EDR capabilities onboard the target machine. There is a long history of how USB sticks provide a convenient threat vector. However, another problem is clearly more prominent.

The core message is that any organization is blind to its own document flows when thumb drives are allowed. Writing a document to a thumb drive blinds the network IDS and DLP systems to its exfiltration. Visibility and control are lost. The policy intends to avoid both problems of malware injection and data loss, but it’s doubtful everyone will adhere to this policy. Convenience is just too hard to bypass.

Epoxy or Beacons?

DoD is an existence proof that the policy doesn’t quite make sense and that it failed to solve the problem of data loss.
Government systems continued to lose a great deal of sensitive data via removable media, as widely reported in a number of news stories. One of the most recent involves an alleged illegal exfiltration of sensitive information apparently via removable media by a former Air Force veteran and NSA contractor.

But of course, thumb drives are not the only risk. A plethora of security architecture failures make exfiltration far easier via the cloud. Sensitive data from the US Army and NSA were discovered on the cloud just last year. How this classified data might have escaped isn’t clearly reported. Solving the thumb drive exfiltration problem has its merits, primarily by reducing unintended losses by non-malicious insiders. But it is not a failsafe solution. The cloud is still a far more convenient conduit for data loss.

Some have advised a number of “technical” ways to enforce the DoD policy on government systems, including BIOS setting configurations (not easy) and user behavior analytics (UBA) techniques (doubtful USB document writes are easily observable from a network log). If all else fails, the non-technical advice is to shoot epoxy into the USB ports on government machines, irrespective of the loss of maintenance contracts for the altered devices, not to mention the costly maintenance nightmare. The epoxy solution will certainly solve the problem, although it could get a bit messy for flash drive ports.

The technique may work, but there is a simpler and more effective solution. I’ve been writing about beacons recently, essentially GPS for your data, and your thumb drives. My advice is to beaconize all documents.

Beacons: GPS for your thumb drive

There is a very good chance data loss via thumb drives is preventable if you focus on tracking the data itself. The data can be tracked and protected with beacons when writing documents to a thumb drive.

A beaconized document signals when the document is rendered by its native application.
The information is key to knowing if a document has been exfiltrated and opened outside of its security envelope. Intercepting documents written to thumb drives and injecting beacons into them—or even better, beaconizing all documents in the file system—provides a simple means of tracking sensitive documents no matter where they go and how they may escape. The beacons injected into documents will be conveniently carted away in a pocket or backpack, providing visibility on where the documents go.

So, until all thumb drives are finally eradicated (although they are just too convenient to be thrown away), or all IBM machines ooze globs of hardened epoxy from their USB ports, beacons can afford a level of protection and safety from data loss in a convenient and easy-to-use security mechanism. At least one can know where the thumb drive and its stored documents went. And surely IBM’s policy, doomed to fail, wouldn’t be necessary.
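The tracking idea described in the article, from the defender's side, as an added example that is not from the original article or any product it refers to: beacon callbacks are matched to the record made when a document was written to removable media, and renders from outside the security envelope are reported. The token names, registry layout, log format and address ranges are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Assumption: networks that make up the organisation's "security envelope".
ENVELOPE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed registry: token -> document written to removable media, by whom, when.
REGISTRY = {
    "tok-7f3a": {"doc": "q3-forecast.xlsx", "user": "alice", "written": "2018-05-14T09:12:00"},
    "tok-b21c": {"doc": "design-spec.docx", "user": "bob", "written": "2018-05-14T16:40:00"},
}

# Constructed callback log, one line per render: "<ISO time> <source IP> <token>"
CALLBACKS = """\
2018-05-14T09:30:11 10.20.3.15 tok-7f3a
2018-05-15T22:04:53 203.0.113.45 tok-7f3a
2018-05-15T22:09:02 203.0.113.45 tok-7f3a
2018-05-16T08:01:19 192.168.4.9 tok-b21c
2018-05-16T11:15:40 198.51.100.7 tok-dead
not a log line
"""

def external_opens(log_text, registry=REGISTRY):
    """Return one alert per (token, source IP) seen outside the envelope."""
    alerts, seen = [], set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                          # malformed line
        ts, src, token = parts
        try:
            when, ip = datetime.fromisoformat(ts), ipaddress.ip_address(src)
        except ValueError:
            continue                          # unparseable time or address
        if any(ip in net for net in ENVELOPE) or (token, src) in seen:
            continue                          # internal render, or repeat
        seen.add((token, src))
        rec = registry.get(token)             # None: token was never issued
        alert = {"token": token, "source": src, "doc": None, "user": None}
        if rec:
            gap = when - datetime.fromisoformat(rec["written"])
            alert.update(doc=rec["doc"], user=rec["user"],
                         hours_after_write=round(gap.total_seconds() / 3600, 1))
        alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in external_opens(CALLBACKS):
        print(alert)
```

Because the registry entry is created at the moment of the write to removable media, an external render can be tied back to the user who made the copy, which is the visibility a port ban alone does not give.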