Averting the USB Drive Security Crisis

Michael Vizard

The State of USB Drive Insecurity

Insecure USB drives have created a significant risk for lost data as well as the spread of malware.

One of the biggest rising security issues of the day is the ubiquity of USB drives. It seems just about everybody has at least three USB drives lying around, and more than likely they have misplaced one or more of them in the last 12 months. Whether they were lost or stolen is anybody's guess. The end result, however, is that more than likely there is sensitive corporate data available on a USB drive somewhere that at this point could be anywhere.

To make matters even more interesting, distributors of malware are leveraging the promiscuous use of USB drives to distribute their wares. It's not unheard of for the makers of malware to install their payloads on USB drives that are then casually left somewhere to be discovered by an unsuspecting employee. In fact, many folks think this is exactly the approach that was taken by the unidentified parties that came up with the Stuxnet malware that found its way into Iran's nuclear facilities.

Naturally, there are a lot of folks who think that USB drives should just be banned from the workplace altogether. But in reality that may not be very practical. A more viable strategy might be to adopt a USB drive standard for encrypting these drives and then make sure that employees use these drives. Unfortunately, a recent survey conducted by The Ponemon Institute on behalf of Kingston Digital, a unit of Kingston Technology that specializes in Flash memory, finds that a big part of the USB drive security problem stems from the simple fact that no one in IT manages these devices.

According to Larry Ponemon, chairman of The Ponemon Institute, the problem is further compounded by the fact that when people lose a USB drive, most of them don't own up to what happened, so most IT organizations are unaware there might even be a potential problem.

John Terpening, business manager for secure USB products at Kingston, adds that a lot of these issues can be mitigated by deploying encrypted drives that are also centrally managed. Tools for managing these drives can, for example, automatically back up the data on them and, in other cases, remotely wipe data from the devices themselves.

For all the concern about a host of IT security and compliance issues, it's usually the simplest ones that trip up most IT organizations. In the grand scheme of IT things, putting policies and procedures in place to manage USB drives is not all that hard. And while that may not completely eliminate the problem, it sure will go a long way to reducing a lot of the security problems associated with allowing USB drives to simply run free.

Aug 15, 2011 6:43 AM Bob says:

This article confuses two problems, doesn't quite get encryption, and flippantly makes suggestions that would be difficult to actually do.

Losing information on USB drives and floppy disks and stolen laptops is a real problem. Encryption is a good solution, but not easy. You can't actually have an "encrypted USB stick." It's just a regular USB stick, and the computer needs to encrypt the data before writing it to the stick. This requires that every computer in the company have encryption software installed, and be configured to use it. It also requires that each employee have a strong encryption password. Securely managing and policing data and disks, including USB drives, is a very hard problem.

Aug 15, 2011 9:31 AM ted says: in response to Bob

Actually, there are encrypted USB flash memory devices; they just are not common. One example is IronKey https://www.ironkey.com/ and integral cryptodrive http://www.integralmemory.com/product/crypto-drive-fips-197-encrypted-usb

Aug 19, 2011 12:25 PM promotional sub says:

There are quite a few applications you can download for USB stick protection. There are ones that sit in the USB sticks themselves, and there are ones that run on your computer and, when a USB flash drive is inserted, they scan it before anything has a chance to run on the computer.

Aug 21, 2011 3:38 AM SNABU says:

We are in the Beta testing stage of our flash drive security product - SNABU. SNABU (Situation Normal All Backed Up) loads onto a Microsoft Windows based computer and will encrypt your selected folders or files. A scheduler will secure your selections at times you select or you can run it when you need.

The application is free during the beta testing stage.

If you would like to join the beta team to help us go to the link provided, enter the required information and enjoy! http://www.royalpalmsoftware.com/SNABU.html

Aug 24, 2011 2:37 AM Noel says:

Absolutely disagree with this case as there are solutions found everywhere in the market. The core solution to resolve this issue is using a biometric encrypted USB to implement a structure in the organization with an IT manager or host to manage the device by enrolling their fingerprints and only accessible using 2 of their unique fingerprints. Encryption standards and tamper detection features are also equally important.

BioSlimDisk is a manufacturer and designer of this solution which had registered international patents to resolve this sort of security issues. We are currently appointing exclusive distributors to expand our market. 


Aug 27, 2011 12:36 PM Justin says:

While it may seem to play to a vendor portfolio, I believe that this is part of a bigger picture. We have all moved into an information centric world and our security policies need to reflect this. Implementing controls that are information centrically focussed will mitigate some of the challenges and, by default, change our thinking when it comes to the way we make that information available. The device is irrelevant, whether it is USB, External Hard drive (1TB drives common), Smart Phone etc, classifying the criticality of the information is key, identifying access levels & permissions pertaining to that information and then enforcing unilaterally actions taken when that information is accessed.

An encompassing project, yes: however if you consider how quickly we accepted the move from static to Laptop assets, and then compare that to the rise of tablet, Smart Phone & other portable media, factor in the increasingly attractive SaaS models for applications, consensus is that we are a) creating more information than ever before and b) storing it in increasingly unstructured ways. This information is the life blood of the businesses we work in and our approach needs to reflect the current reality not the past.  This will involve Data Classification, Data Loss Prevention, Encryption, User Authentication, Awareness Campaigns etc.

Just a few thoughts .....

Jan 9, 2013 8:55 AM brandonrobnational@yahoo.com says:

Is it possible to invest in custom flash drives that could be more easily tracked by IT? Of course I really can't think of any reason why it would be hard to track the hard drives other than the fact that the process was never implemented to begin with.
