Thumb drives are too often the victims of convenience

 

Connecting state and local government leaders

USB flash drives can be a data security nightmare. Here are some ways to fix the problem.

Maybe you've seen them after you've given a PowerPoint presentation when people hand you a thumb drive and ask for a copy of your electronic slides. Or maybe you own one or more of the thumb-size devices and find them convenient to transfer files from one computer to another at work or home.

USB flash drives, also known by many other names, seem to be everywhere ' and that's the problem. Last year, vendors sold 85 million of the drives, according to market research firm Gartner, but few of those buyers thought about the drives' security implications.

A drive consists of a rewritable memory chip and standard USB plug mounted in a plastic case the size of a small pack of chewing gum. People with malicious motives can use it to swipe sensitive data from government computers or to infect them with software viruses and other malware.

A big security risk that such devices pose made news in October when a contract employee for Los Alamos National Laboratory was caught taking home a USB flash drive containing classified government information, in violation of lab policy.

Other reports earlier this year described an incident that involved stolen U.S. military flash drives containing records about operations and individual soldiers. The drives were being sold at a street market in Bagram, Afghanistan.

Adopting policies that outline the proper use of flash drives ' or ban them ' is the first step in addressing the risks portable storage devices present. But as the Los Alamos incident showed, written policies alone won't stop a careless or dishonest person from jeopardizing government data.

Controlling what users can and can't do with the portable storage devices has to be part of any security solution, experts say. The good news is that agencies have several immediate options for closing dangerous security holes.

'There is a spectrum of actions that can occur that can take some, a lot or all of discretion away from individual end users,' said Bruce Brody, vice president of information assurance at CACI International. Brody previously held posts as chief information security officer at the departments of Veterans Affairs and Energy.

Unintended consequences
Like many IT security risks, those associated with USB flash drives stem from actions originally intended to make life easier for users.

Starting about seven years ago with its Windows 2000 operating system, Microsoft allowed users to plug generic mass storage devices, such as flash drives, into their PCs' USB ports. The operating system automatically recognized the drives, without the user needing to load extra software to read or write data to the drives.

USB flash drives grew in popularity, especially as their prices fell and their capacities surpassed those of traditional portable storage options such as floppy disks and rewritable CDs. A single USB flash drive can hold as much as 8G.

'We originally thought USB storage was a terrific idea because it got our users away from the horrible floppy, and it was very easy for them to use and for us to administer,' said Joe Gabanski, network administrator for Lake Forest, Ill.

However, the honeymoon didn't last long. 'We started seeing these things getting lost, which is potentially dangerous,' Gabanski said. 'And as [capacities] get larger and larger, we realize you can pull a lot of data in a relatively small amount of time. Not to mention that on the newer ones you can put [software programs], which is a potential significant issue for things coming in.'

So what can IT managers do to ensure that their agencies are not hurt by careless or dishonest use of such devices? They have several options.

No ports, no problems
The most immediate ' and drastic ' step an agency can take to mitigate risks with USB flash drives is to eliminate the mechanism that the devices use to physically connect and transfer data: a computer's USB ports. IT managers can disable the ports by using operating system commands, disconnecting the port's wires inside the computer's case or putting glue in the port to block physical access. Even if a person violates a written policy and sneaks a USB flash drive into work, the device would be useless.

That is the option Los Alamos officials chose with some of the lab's computers in the wake of the recent data security incident, said Kevin Roark, a lab spokesman.

'The goal was to disable, either by disconnecting or blocking or otherwise disabling these specific types of ports in a specific computing environment,' Roark said. Los Alamos coupled those actions with a new lab policy forbidding the use of USB flash drives and other types of portable storage devices until the lab finds a long-term security solution, he said. 

Another way to solve the USB security problem is by replacing traditional desktop computers with thin clients. Such a solution can be expensive because product acquisition and software reconfiguration costs are high, Brody said. Thin clients are stripped-down computing terminals that typically have no ports and rely instead on a central server for most processing and data handling tasks. 

'With thin client, when an individual comes to a work location, the only thing that person has access to is a keyboard, a monitor and a mouse,' Brody said. 'Everything else that controls computing is locked behind some central door in that facility, so there's no access to removeable media.'

Encryption's the key for some
Not everyone wants to put glue in USB ports or banish flash drives. The portable drives are popular because they are cheap, convenient and useful. And USB ports do more than hook up storage devices. They can connect a computer to a keyboard, a mouse, printers and other peripherals.

If agency managers want to keep USB ports open and allow employees to use flash drives, one option is to encrypt the data that goes on the portable storage devices, making lost or stolen devices useless. There are two main ways to do this: host-based or device-based encryption.

Host-based endpoint encryption products are available from many vendors, including Credant Technologies, GuardianEdge Technologies, PGP, Pointsec Mobile Technologies, SafeNet and others. Another company offers an open-source solution called TrueCrypt. Many of those companies support government-approved Advanced Encryption Standard (AES) and comply with Federal Information Processing Standards (FIPS) 140-2 for cryptographic modules and the international Common Criteria standard.

The solutions allow a laptop or desktop PC to encrypt data before it is written to an attached portable storage device, such as a USB flash drive. An administrator can configure the products so encryption policies are always enforced and users cannot circumvent the process.

This past summer, the VA quickly deployed a departmentwide endpoint encryption solution following a widely reported incident in May in which an employee brought home a laptop and portable storage device containing records on 26.5 million veterans and their families. VA officials installed encryption software on laptops, but they also plan to include portable storage media such as flash drives as part of a broader security plan.

The Agriculture Department, meanwhile, is soliciting quotes for an endpoint encryption solution that would include portable USB storage and require as many as 150,000 licenses.

Alternatively, encryption software can reside in a USB flash drive. A benefit of that approach is portability.  Users can plug the device into any computer that can run the flash drive's encryption software and have full access to its encryption and decryption capabilities, said Nate Cote, vice president of product management at Kanguru Solutions.

Last summer, the company's KanguruMicro Drive AES became the first USB flash drive to achieve FIPS 140-2 certification. Other companies offering flash drives with device-based encryption, though not necessarily FIPS certification, include Advanced Media, Kingston Technology, Lexar Media and SanDisk. Some of those companies also offer biometric drives, which use a fingerprint scanner built in to the flash drive to authorize access to encrypted data. Users do not have to remember passwords.

 Encryption capabilities increase a flash drive's cost. For example, Kanguru's list price for an encryption-enabled 1G flash drive is $99 compared with only $35 for its 1G model without encryption. All the company's products are available at a discount for volume orders, Cote said.

USB flash drives with built-in encryption or biometric sensors account for less than 10 percent of the market, but that will change as more enterprises understand the risks of unprotected drives, said Joseph Unsworth, a principal analyst at Gartner.

Such growing concerns prompted an IT official in New York last summer to prohibit his employees from using any unencrypted flash drives.

'Employees can only use state-issued thumb drives with encryption going forward,' said William Pelgrin, the director of the New York State Office of Cyber Security and Critical Infrastructure Coordination.

That directive also requires employees to bring in any older USB flash drives they have been using for state business. A security officer cleans the drives of all data and bans those drives from the workplace. 

Pelgrin said a statewide policy in New York based on similar rules and procedures will go into effect in the first quarter of 2007.

Port control
Encryption is a good way to safeguard data from prying eyes if a flash drive is lost or stolen. But what if you can't trust all employees with unsupervised access to a high-capacity, portable storage device? Insider data thefts happen often.

Endpoint control software might be the desired solution. Software from companies such as Msystems ' which SanDisk now owns ' Safend and SecureWave help administrators enforce the secure use of desktop and laptop PCs and the portable storage devices that connect to them through USB and other ports.

'Our approach is to focus on enabling what you want to occur and disabling or preventing those things that you do not want to occur,' said Dee Liebenstein, director of product management at SecureWave. 

So, for example, IT managers could use the software to give only certain employees permission to write data to only certain types of USB flash drives, perhaps those that the organization issued and that support encryption. Any nonapproved drives would be denied access to the system.

Some endpoint control products also provide an audit trail on user activity. That audit information could help managers assess the risk to data if a particular portable storage device is lost or stolen.

The need to track how, where and by whom flash drives are used is why Lake Forest, Ill., deployed SecureWave's Sanctuary Device Control software last summer on more than 300 of its desktop, laptop and tablet computers. Gabanski said the first step was to identify the specific USB flash drives that would be authorized to work with city computers and to begin keeping records of how people used those drives.  

'This was a quick and easy way for us to get a control on things,' Gabanski said.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.