The State of USB Drive Insecurity
Insecure USB drives have created a significant risk for lost data as well as the spread of malware.
One of the biggest rising security issues of the day is the ubiquity of USB drives. It seems just about everybody has at least three USB drives lying around, and more than likely they have misplaced one or more of them in the last 12 months. Whether they were lost or stolen is anybody's guess. The end result, however, is that more than likely there is sensitive corporate data available on a USB drive somewhere that at this point could be anywhere.
To make matters even more interesting, distributors of malware are leveraging the promiscuous use of USB drives to distribute their wares. It's not unheard of for the makers of malware to install their payloads on USB drives that are then casually left somewhere to be discovered by an unsuspecting employee. In fact, many folks think is this is exactly the approach that was taken by the unidentified parties that came up with the Stuxnet malware that found its way into Iran's nuclear facilities.
Naturally, there are a lot of folks who think that USB drives should just be banned more from the workplace all together. But in reality that may not be very practical. A more viable strategy might be to adopt a USB drive standard for encrypting these drives and then making sure that employees use these drives. Unfortunately, a recent survey conducted by The Ponemon Institute on behalf of Kingston Digital, a unit of Kingston Technology that specializes in Flash memory, finds that a big part of the USB drive security problem stems from the simple fact that no one in IT manages these devices.
According to Larry Ponemon, chairman of The Ponemon Institute, the problem is further compounded by the fact that when people lose a USB drive, most of them don't own up to what happened, so most IT organizations are unaware there might even be a potential problem.
John Terpening, business manager for secure USB products at Kingston, adds that a lot of these issues can be mitigated by deploying encrypted drives that are also centrally managed. Having tools to manage these drives can, for example, automatically back the data on these drives up and in other cases remotely wipe data from the devices themselves.
For all the concern about a host of IT security and compliance issues, it's usually the simplest ones that trip up most IT organizations. In the grand scheme of IT things, putting policies and procedures in place to manage USB drives is not all that hard. And while that may not completely eliminate the problem, it sure will go a long way to reducing a lot of the security problems associated with allowing USB drives to simply run free.