1. Field of the Invention
The present invention relates, in general, to network security including remotely monitoring the use of client and other computers in a computer network or a system of networked computing devices, and, more particularly, to software, hardware, and computer systems for determining the addition and removal of devices such as removable storage or media and the like from client computers and, more specifically, to the unauthorized use of devices such as removable media attached to a client computer or node connected to a secure computer system.
2. Relevant Background
A significant security risk for many organizations and enterprises is the unauthorized copying of secret or proprietary information. For example, many companies closely guard technical specifications for their products, recipes for making their products, plans for business expansion, and other information. Similarly, nearly all organizations need to prevent or limit access to human resources information including employee lists and information including birth dates and identifying data such as social security numbers. Security risks increase as proprietary and other information is stored in memory of a computer system, and this memory is made available over a communications network, such as a local area network (LAN), a wide area network (WAN), the Internet, or other digital communications network. Firewalls and other mechanisms are implemented to limit the risk of unauthorized users accessing the computer system via a public network, e.g., to block unauthorized users from breaching security or hacking into the organization's memory to access sensitive information. Similar mechanisms may also be used to limit or at least monitor data transfer over public communication networks such as the Internet by employees or authorized users of a computer network.
Unfortunately, one of the greatest vulnerabilities to data theft or loss is the copying of data from within the organization or by using one of the organization's networked devices or client computers. Removable media such as removable or portable data storage can be used to remove large amounts of information, and with recent advances in memory technology, the removable media can be quite small and easily concealed. For example, a Universal Serial Bus (USB) memory device such as a flash drive, key, or ZIP disk can easily store many megabytes of data while being small enough to fit in the palm of a person's hand. In a typical computer system, numerous client computers or computing devices are linked together via a communications network, and many of the client computers are configured with drives and ports to allow media or devices to be attached or inserted. For example, a typical workstation computer may take the form of a personal computer (PC), a desktop computer, a laptop computer, a notebook computer, or other computing or electronic device, and each of these may be configured with one or more floppy disk drives, DVD and CD-ROM drives, removable hard drives or substitute drives, USB ports, serial and parallel ports, and plug-and-play devices such as Bluetooth devices, PDA devices, digital cameras, and the like.
As a result, many organizations have instituted policies that prohibit the use of removable devices with particular client computers or that at least limit such use to a set of acceptable devices that may be used only by authorized users. However, in large and often dispersed computer systems, it is very hard to enforce removable device policies and even harder to identify offenders of such policies.
Hence, there remains a need for improved methods and systems for identifying the attachment or use of removable media or devices to a client computer and reporting the identified use along with an identification of the user to a system administrator or information technology (IT) manager.