IBM bans USB, SD cards, flash drives and all other portable devices from every office, worldwide

Silly.

If they are worried about data infiltration/exfiltration via USB, they need to worry about PORTS, not USB devices. And that’s an issue because lots of stuff uses the USB port as a charging port. I had a friend that filled all of the USB ports in the computer lab with hot glue.

If they are not centered on USB - laptops and cell phones are also external media that could have similar issues (easily misplaced or stolen).

This is King Canute ordering back the tides.

1 Like

I was coming to say the same. Our workplace has banned these things for nearly 10 years at this point. You can plug them in and read from them…but never write to them.

1 Like

If so, then why do they need the flash drive ban?

3 Likes

Because they are heading off complaints. You can’t say “my flash drive doesn’t work” when they are banned.

6 Likes

Leaving infected thumb drives lying around an office is a popular pentesting tactic.

10 Likes

At my job, we have a solution for that. Everything we write is free software, all documentation is CC, and we keep most of our source code on Github. Gets you a long way.

Anyway, if anyone wants to leak stuff, having information stored remotely in “the cloud” (= “other people’s computers”) won’t stop that from happening. Actually, “the cloud” guarantees that the IP already walked out the door, climbed to the sky and can be hacked from everywhere.

10 Likes

I worked at a place full of ITAR and EAR engineering data… so my outlook on it is from a more paranoid point of view. Code I didn’t deal with. But access to company proprietary and PII data, yep.

1 Like

But banning USB devices still gets you nowhere as long as your employees have Internet access.

I’m sure they are enforcing this with technology, not just company policy. This is just an announcement so all the employees will have time to get the crap they need off their thumb drives and into the cloud written in such a way the non-engineers will understand it.

2 Likes

Not with the firewall they had. Cloud stuff was very very very blocked.

1 Like

About 10 years ago I finished a 5 year stint working as a Windows clustering SME on account with IBM Global Services. I’m out of that line of work now so maybe things have changed, but back then there was no way we could have deployed systems without removable storage. It was still mostly optical then but where possible we were using USB to put base images on servers.

We also “got” (read had) to use the IBM Tivoli management and monitoring platform. It was so bad I wrote my own. Also, the data loss and downtime incurred because the mandated monitoring platform didn’t work… let me just say I have no faith that IBM can develop a solution for this that is actually functional for the people doing the work. Typical C*O BS. Should leave the work to the people who actually know how to do it.

4 Likes

If you don’t have iLO or DRAC or equivalent, yes, you still need physical boot media for physical servers. And even if you have the remote access sometimes it is way way faster than pushing the .iso image over the intertubes.

2 Likes

Oh we had those things but we weren’t allowed to use them. Security and all that.

3 Likes

At the aforementioned help desk job, more than a few coworkers left to go work for pre-IBM Tivoli. They used to have free beer once a week. I’m a stick in the mud and not even the free beer lured me away…

1 Like

It’s going to work great - and then their consultants will be on site at a place that bans all cloud sharing URLs (like most of my secure clients do and have done for years).

I spent two full workdays earlier this year at Redacted friendly nation Ministry of also redacted trying to deliver a work document to them - they blocked all USB drives, and also blocked all access to any cloud sharing services, even the secure Enterprise ones we use. Seems like nobody had thought about how to get a document delivered that was larger than their 10 MB email attachment limit. The one encrypted USB drive they were allowed to use had a flaky, custom application that wouldn’t work on OS X (which I run) or a VM of Win 10 on that same laptop.

4 Likes

It’s standard practice for security-conscious businesses/organizations. It’s less about employees stealing shit than the fact that these things are so often misplaced and so easy to get your hands on. Regardless of how files make it off and on them, files being carried on these things is a big security risk. Even if everything is on the up and up.

Phones have some related risks. But they’re generally more secure devices from the start. And no-one has 23 different phones knocking around their briefcase. And if their phone goes missing they tend to notice. These policies tend to go hand in hand with other ones. Like barring phones, shutting off USB ports etc.

I worked for a corporate communications company for a bit. Doing video work. Everything we did was public facing. But when we did work for government contractors or certain financial companies we had temp security measures. Portable storage was barred outside the video unit. USB ports would temporarily be deactivated where that was practical. And a couple of times we had to turn in our phones at the door for a few days in a row. All media collateral for those clients would come in on non-rewritable CDs or on a secure digital link. And we had to put up those screen blockers on every monitor including the TVs and calibrated video monitors used in the video lab.

3 Likes

We use Raritan KX series KVM units here; it’s a fantastic product, but unless you have upwards of an hour to kill, it’s faster to make a bootable USB drive using rufus and plug it into the server than to connect the ISO through the client and the KVM’s USB ports.

1 Like

We have a similar situation here; some of [RedactedCo]'s LOB applications have to be delivered to a governmental agency, who then brings it over to us. Fortunately, it’s on CD-R media, so we keep a USB optical drive around just for that.

We had a VM set up as a generic terminal server in each data center so we had a local fast network. We would have the .iso files on those boxes and get to the remote interface from there to load the base OS image.

1 Like

Do they allow music streaming services (ex Pandora) on the company network? Seems like a great way to get a lot of false positives.