A little post we found on a supplier’s blog reminded us just how ubiquitous USB sticks have become – the equivalent of the old fashioned ‘sneaker-net’ in the days before networks when we used to copy things onto floppy disk and walk it across the office.
“For years, people have used USB sticks to back up their files on an external device. Through doing this they have felt that their files were safe and secure, but they were wrong. Unknowingly they have been exposing their companies to a potential security disaster.”
Given that the virus that hit the Iranian nuclear programme was allegedly propagated via USB stick, this is not a problem to be ignored.
How often have you used these devices to save important documents, move them to different parts of your organisation without permission or any form of data protection, with the possibility that the files could become corrupted and infected with malware or even be stolen when you leave the USB stick in a cafe?
“A study done on behalf of Kingston Technology showed that when polling 450 IT staff in the UK from a global total of 3,000, found that 73% of experienced staff used USB drives without permission, with 72% not mentioning if the data was corrupted or lost. Of the whole group, only half even thought to employ some form of security policy to these devices or showed adequate awareness of risk with these devices.”
- Enable USB functionality on a need-to-have basis. Disable storage devices on computers with access to sensitive information. It will limit exposure and reduce the risk of unauthorized data being transferred away from your organization.
- If your business needs USB drives, issue devices that provide whole drive encryption and are passphrase protected.
- Make sure those drives have remote management options, such as remote wipe or remote lock. Drives like those from Iron Key have remote administration tools that also enforce strong passwords, have strict re-entry limits, disable portable applications and, believe it or not, even self-destruct.
- Look for drives that provide event logging and geo-tagging, so information on what computer, and where, is retained on every use.
- Enforce USB scanning on all corporate computers whenever a thumb drive is plugged in. This can help ensure no malware or malicious programs are on the drive. Allow only corporate signed and approved applications to be run from the drive.
- Regularly audit USB devices to ensure that only documents in compliance with acceptable usage are being stored. This is a snatch and scan. It only takes of few of these kinds of trips around the office before everyone is very aware of the seriousness of the new USB policy.
- Perform regular backups of USB devices internally, including encryption keys, for data recovery purposes. Ensure that backups are properly safeguarded, and have separate procedures and security controls for backup of encryption keys. It’s also another excellent way to monitor what information is being moved to and from the device.
- Test data recovery procedures to ensure that the corporate security office can unlock and access any USB drive, even if an end user or malware maliciously disables the USB drive.
- Ensure that mobile devices with USB storage cards—such as digital cameras and SD Card readers—have the same controls as any USB drive.
- If possible, issue USB devices with unique serial numbers tagged in the firmware, as well as etched on the outside cover.
- Know your assets. Have a precise count of the USB devices at your organization. List them by owner and use. Ban use of all personal USB devices, without question, on any work computers or for any work use.
- If a USB device is lost, take a look at that latest secure backup to review what was lost and the potential risk. Consider recovering the drive through those geotagging features or wiping, or destroying the device with remote administration tools.
For the ordinary user like you and me, this can seem like a right royal pain in day-to-day use; it is. But the peace-of-mind and extra data security it gives you will be immeasurable on the day that one of those handy little memory sticks goes missing! AJS