The unsavoury side of USB storage

USB storage (such as thumb drives, hard drives and mobile device integrated storage) is incredibly common in most workplaces. It’s cheap, convenient and provides a way of transferring or backing up large amounts of data easily. Unfortunately, it is these attributes which make it a huge risk.

A hacker’s friend

Cyberwar – Copyright Patrick Chappatte

Due to their ease of use and popularity, USB storage devices have become the favoured method of attack for many hackers and criminal groups. USB sticks can be easily converted into “BadUSB” devices which provide attackers with an easy way of getting access inside the network, bypassing most security methods (such as antivirus). A single USB device, plugged in just once, can provide an attacker with complete control of a network, the computers and all the data on it.

Smart phones, smart attacks

Many organisations allow staff to plug their smart phones into their computers to charge them. However, this can be extremely dangerous as it also exposes the phone’s storage to the computer. Malware is often crafted to infect smartphones from a user’s home computer and then activate when the phone is plugged into an office computer, handing the attacker full control of it.

Making an inside job easy

Due to their ubiquitous nature, USB storage devices make it easy for disgruntled or malicious employees to steal large amounts of data undetected.

Easy to lose

The vast majority of USB storage is unencrypted, meaning that anyone can read the data on it. USB sticks and smart phones are commonly lost, meaning that the confidential data on them is accessible to whoever finds them.

A convenience which needs careful management

Although a convenient way to store and transfer data, USB storage has a number of serious security implications which need careful management. With fines starting at €10 million for a single breach, this management should be treated as a priority.

Unfortunately, securing USB storage can be a challenge as there are seven main aspects which need to be controlled:

  • controlling which devices can be used to store data
  • protecting the data on approved devices
  • knowing which data is on each device
  • preventing unauthorised access to lost devices
  • staff training
  • cleaning devices after use
  • secure data disposal of old equipment

Device control

Due to the large number of devices which can use the Universal Serial Bus (USB), most of which are not storage related (such as keyboards, mice and network adaptors), blanket blocking of USB ports is not practical. Care should be taken to identify a solution which allows non-storage devices to be used, but permits only approved storage devices (as some are more secure than others – see below).
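The policy described above can be expressed as a small decision function. This is an added example, not part of the original article or any product: the allowlist, the device records and the names decide and evaluate are hypothetical, and the sample devices are constructed.

```python
from dataclasses import dataclass

USB_CLASS_HID = 0x03           # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08  # thumb drives, external hard drives

# Hypothetical allowlist of approved storage: (vendor ID, product ID, serial number).
APPROVED_STORAGE = {(0x1234, 0xABCD, "ENC-000417")}  # constructed values


@dataclass(frozen=True)
class UsbDevice:
    name: str
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: tuple  # bInterfaceClass of every interface the device exposes


def decide(dev, approved=APPROVED_STORAGE):
    """Return (allowed, reason) for a newly attached device."""
    # Check every interface: a composite device can pair storage with another function.
    if USB_CLASS_MASS_STORAGE not in dev.interface_classes:
        return True, "no storage interface"
    if not dev.serial:
        return False, "storage device has no serial number to match"
    if (dev.vendor_id, dev.product_id, dev.serial) in approved:
        return True, "approved storage device"
    return False, "storage device not on the approved list"


# Constructed sample devices, not captured from real hardware.
SAMPLES = [
    UsbDevice("keyboard", 0x1111, 0x0001, "", (USB_CLASS_HID,)),
    UsbDevice("approved stick", 0x1234, 0xABCD, "ENC-000417", (USB_CLASS_MASS_STORAGE,)),
    UsbDevice("same model, other unit", 0x1234, 0xABCD, "ENC-999999", (USB_CLASS_MASS_STORAGE,)),
    UsbDevice("unknown stick", 0x2222, 0x0002, "", (USB_CLASS_MASS_STORAGE,)),
    UsbDevice("keyboard with storage", 0x3333, 0x0003, "X1", (USB_CLASS_HID, USB_CLASS_MASS_STORAGE)),
]


def evaluate(devices=SAMPLES):
    """Map each device name to whether the policy allows it."""
    return {d.name: decide(d)[0] for d in devices}


if __name__ == "__main__":
    for d in SAMPLES:
        print(d.name, decide(d))
```

The identifiers matched here are reported by the device itself, so this check identifies approved hardware but does not authenticate it. It also covers only the mass-storage class; file-transfer modes that use other interface classes need their own entries.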

Data protection on approved storage devices

When it comes to security, not all USB storage devices are equal. Cheaper thumb drives, and some mobile devices, lack the hardware encryption chip-sets which provide the best levels of protection. Ideally, approved storage devices should also have anti-tamper features which prevent them from being opened and the data read directly from the internal storage integrated circuits (chips).

Knowing which data is on which device

Should a device be lost, it’s vital to know if any user data resides on the device, and which users are affected, so they can be notified. Traditionally, USB storage devices do not keep a log of which files are written to them or what data they contain, so a system will need to be implemented which can provide that functionality.

Managing lost devices

It’s a fact of life that, no matter how careful an organisation is, staff will lose devices. There should be a way of identifying which data is on a device, and of ensuring that data is no longer accessible, once it is lost. You will also need a way of proving which steps you have taken and when. This can be challenging for mobile devices, but is considerably harder for USB thumb drives.
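A minimal sketch of the record-keeping that this section and the previous one call for, as an added example that is not part of the original article or any product. The DeviceLedger class, its method names and all sample values are hypothetical; the subjects argument (the people whose data a file contains) is assumed to be supplied by whatever tool performs the copy.

```python
import hashlib
from datetime import datetime, timezone


class DeviceLedger:
    """Append-only record of what was copied to each device and what was done about it."""

    def __init__(self):
        self.events = []  # dicts, oldest first

    def _add(self, kind, serial, when, **details):
        when = when or datetime.now(timezone.utc)
        self.events.append({"kind": kind, "serial": serial, "when": when, **details})

    def record_write(self, serial, copied_by, filename, content, subjects, when=None):
        # Store a hash, not the content, so the ledger is not a second copy of the data.
        digest = hashlib.sha256(content).hexdigest()
        self._add("write", serial, when, copied_by=copied_by, filename=filename,
                  sha256=digest, subjects=tuple(subjects))

    def record_wipe(self, serial, when=None):
        self._add("wipe", serial, when)

    def record_action(self, serial, action, when=None):
        self._add("action", serial, when, action=action)

    def loss_report(self, serial):
        """Files and affected people on the device since its last wipe, plus steps taken."""
        files, actions = [], []
        for e in self.events:
            if e["serial"] != serial:
                continue
            if e["kind"] == "wipe":
                files = []  # only a full wipe clears the record; a delete would not
            elif e["kind"] == "write":
                files.append(e)
            else:
                actions.append((e["when"].isoformat(), e["action"]))
        affected = sorted({s for f in files for s in f["subjects"]})
        return {"files": [f["filename"] for f in files], "affected": affected,
                "actions": actions}


def demo():
    """Run the ledger over constructed events for one device."""
    def at(hour):
        return datetime(2024, 1, 1, hour, tzinfo=timezone.utc)  # constructed timestamps
    ledger = DeviceLedger()
    ledger.record_write("ENC-000417", "alice", "old.csv", b"x", ["cust-001"], at(9))
    ledger.record_wipe("ENC-000417", at(10))
    ledger.record_write("ENC-000417", "bob", "payroll.csv", b"y", ["emp-07", "emp-03"], at(11))
    ledger.record_action("ENC-000417", "reported lost", at(12))
    return ledger.loss_report("ENC-000417")
```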

Staff training

For a system to be secure, staff must have a good understanding of the risks and procedures associated with it. Understanding which data can be stored on which devices, which devices should not be used and what to do should devices be lost is vital to prevent costly mistakes. Regular staff training and testing is a great way to keep staff abreast of the latest developments and remind them to be vigilant.

Cleaning devices after use

Once a storage device has been used, the data on it should be completely wiped to prevent that data from being accessed when the device is reused. As with many storage devices, simply deleting the files or formatting the device isn’t sufficient, as deleted files can be recovered with specialist software. Ideally, each device should be forensically wiped once it has been used.

Device disposal

At the end of its life, each device will contain either whole files or fragments of user data. As well as physical disposal, which should meet local environmental regulations, care should be taken to ensure that all the data is removed by forensically wiping the device. This can be expensive if handled internally, due to the specialist equipment needed, so the use of an external disposal company should be considered.

Summary

USB storage is, by its very nature, convenient and easy to use, but this means it can be abused. Although most operating systems have tools to allow USB storage to be used, very few have controls to secure its use, meaning that robust use and security strategies are needed.
