Updated: Jan 21, 2021

USB flash drives are popular for easily storing and transferring large amounts of data, which is exactly why they are such a hotspot for malicious entities. So much so, that in 2008, the worst military breach in US history occurred when a malware-containing USB flash drive infected a network and leaked sensitive information. Referred to as a “network administrator’s worst fear,” this cyber-attack was a wake-up call for many professionals in the cyber security space. [1]

After the attack, widespread efforts were made to expose potential risks and protect against network intrusions associated with USB storage devices. But as new, even more damaging malware continues to be developed, it is crucial to be as proactive as possible to protect information on a USB device from third-party access and from becoming a transport for malware.

Examples of Thumb Drive Security Risks

Much like a phishing scam that makes its way through an email contact list, a flash drive has the potential to spread malware from computer to computer without the original USB owner even realizing. Here are other common ways in which USB flash drives become a security threat:

  • An employee plugging an unknown USB drive into their computer
  • A stolen or lost USB drive that ends up in the wrong hands
  • An employee who leaves the organization and takes a USB drive with organization data

With how easy it is to leak sensitive information via USB drive, it’s understandable why many companies choose to ban USB drives altogether. But there’s no need to throw the baby out with the bath water. With proper USB drive security best practices, organizations can enjoy the best of both worlds.

USB Flash Drive Security 101

  1. Educate employees about the risks of USB drives and require them to never plug in a USB device that they are unsure about.
  2. Allow only software encrypted USB drives to be used to store and transfer company data.
  3. Implement company software that only works with approved flash drives.

Discussing the Risks of Using Unknown Flash Drives

Even if the intention was to look for evidence to return it to its rightful owner, plugging in an unknown USB device and clicking on files poses several cyber security threats. Not only could a flash drive be manufactured to perform a scripted malware attack on the computer, it could even fry the computer port itself.

When educating employees about potential USB threats, the most important policy to drive home is this: if you don’t know what’s in it, don’t use it.

The Encryption Advantage

Most IT professionals are well aware of the importance of using encrypted devices, so it will come as no surprise that USB flash drives should be included in this list. To ensure all USB drives in an organization are encrypted, there are several options:

  • Purchase hardware encrypted USB flash drives. (Make sure the encryption standards meet NIST guidelines for encryption.)
  • Install encryption software on existing USB drives.
  • Use open-source encryption programs. Many of these programs, including VeraCrypt, are highly secure and HIPAA compliant, but do require additional steps.

Setting Up Windows Group Policies

One of the best ways to ensure employees are following best practices with USB drives is to use Active Directory in Windows to create group policies that prevent or limit unrecognized hardware installations. Group policies can be created to flag new devices while still allowing approved devices.

Additional software can be installed to block the use of non-company-approved USB drives, such as VeraCrypt or BitLocker. Other software can block access to files in a USB drive if the drive is lost or stolen.
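To confirm on an endpoint that such group policies actually arrived, the following added example (not part of the original article) reads the registry locations where Windows stores the device installation restriction, removable storage access and BitLocker removable-drive policies. Which settings an organization enables is an assumption here; the article does not name specific ones.

```powershell
# Added example: report which removable-device policies are in effect on this host.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }   # policy key never written
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-UsbPolicyState {
    $restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $storage  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $fve      = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

    # Group Policy setting name -> registry value it writes (1 = enabled).
    $checks = @(
        @{ Path = $restrict; Name = 'DenyUnspecified'
           Setting = 'Prevent installation of devices not described by other policy settings' }
        @{ Path = $restrict; Name = 'DenyRemovableDevices'
           Setting = 'Prevent installation of removable devices' }
        @{ Path = $restrict; Name = 'AllowDeviceIDs'
           Setting = 'Allow installation of devices that match any of these device IDs' }
        @{ Path = $storage;  Name = 'Deny_All'
           Setting = 'All Removable Storage classes: Deny all access' }
        @{ Path = $fve;      Name = 'RDVDenyWriteAccess'
           Setting = 'Deny write access to removable drives not protected by BitLocker' }
    )
    foreach ($c in $checks) {
        $value = Get-PolicyValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{ Setting = $c.Setting; Value = $value; Enabled = ($value -eq 1) }
    }
}

function Get-ApprovedDeviceId {
    # Hardware IDs on the allow list are stored as numbered string values in this subkey.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs'
    if (-not (Test-Path -Path $key)) { return }
    $item = Get-Item -Path $key
    foreach ($name in $item.Property) { $item.GetValue($name) }
}

Get-UsbPolicyState | Format-Table -AutoSize -Wrap
'Approved hardware IDs:'
Get-ApprovedDeviceId
```

A host where every row shows `Enabled = False` has received none of these policies and will install any USB storage device that is plugged in.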

Steps to Tighter USB Security

We recommend the following steps to increase the security protocols when using USB drives:

  1. Perform an audit on current USB devices in the organization. This can be done internally or outsourced to a specialized security firm if there’s a large inventory.
  2. Scan the network for removable media devices to determine where USB devices are used in the organization.
  3. Create an encryption process for all removable devices and implement it.
  4. Require regular reporting to ensure safeguard policies are in place.
  5. When a USB device reaches the end of its life cycle, clear all sensitive data before scrapping, recycling or donating it.
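For the audit and scan in steps 1 and 2, this added example (not part of the original article) lists every USB mass-storage device a Windows host has recorded in its `USBSTOR` registry key and marks each one against an approved list. The serial numbers in `$ApprovedSerials` are constructed placeholders standing in for the organization's asset register.

```powershell
# Added example: inventory USB mass-storage devices recorded on this host.
# Constructed placeholder serials; replace with the organization's approved list.
$ApprovedSerials = @('AA00000000000001', 'AA00000000000002')

function Get-UsbStorageHistory {
    [CmdletBinding()]
    param(
        [string[]]$Approved = @(),
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    )
    if (-not (Test-Path -Path $Root)) { return }   # no USB storage ever enumerated

    foreach ($model in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        foreach ($instance in Get-ChildItem -Path $model.PSPath -ErrorAction SilentlyContinue) {
            $id = $instance.PSChildName
            # Instance IDs look like "<serial>&<n>". When the second character is "&",
            # Windows generated the ID because the device reports no serial number.
            $hasSerial = -not ($id.Length -gt 1 -and $id[1] -eq '&')
            $serial = if ($hasSerial) { ($id -split '&')[0] } else { $null }
            $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Model        = $model.PSChildName   # Disk&Ven_...&Prod_...&Rev_...
                FriendlyName = $props.FriendlyName
                Serial       = $serial
                # A device without its own serial cannot be matched to the register.
                Approved     = $hasSerial -and ($Approved -contains $serial)
            }
        }
    }
}

# Unapproved devices sort first so they are the top of the report.
Get-UsbStorageHistory -Approved $ApprovedSerials |
    Sort-Object Approved, Model |
    Format-Table -AutoSize
```

Run it on each machine through the organization's existing remote management tooling and merge the output to see where removable storage is in use.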

Use WipeDrive for Privacy Protection

Now that we’ve gone over the precautions of using a USB stick, don’t forget the final step of USB drive security. Simply tossing the device in the trash is not enough to protect from data theft. If a USB drive is ready to be retired, make sure to use a secure media sanitization software to clear any remaining data. WipeDrive is the only data destruction solution software that has been successfully evaluated to the EAL 2+ Standard. The EAL 2+ certification is required by the US Department of Defense, Department of State, and Homeland Security.

For more information on data security and data erasure products, please contact WhiteCanyon Software at 801.224.8900.

Sources

  1. cnet.com/news/bad-flash-drive-caused-worst-u-s-military-breach