
USB flash drive security

Major dangers of USB drives

Uncontrolled use of USB drives is a major danger because it poses a significant threat to information security and confidentiality.

Therefore the following should be taken into consideration when securing USB drive assets:

Storage: USB flash drives are usually put in bags, backpacks, laptop cases, jackets, trouser pockets or are left at unattended workstations.

Usage: tracking corporate data stored on personal flash drives is a significant challenge; the drives are small, common, and constantly moving. Many enterprises have strict management policies toward USB drives, and some companies ban them outright to minimize risk.

The average cost of a data breach from any source (not necessarily a flash drive) ranges from less than USD 100 000 to about USD 2.5 million.

A Sandisk survey characterized the data corporate end users most frequently copy:

customer data (25 %)

financial information (17 %)

business plans (15 %)

employee data (13 %)

marketing plans (13 %)

intellectual property (6 %)

source code (6 %)

Examples of security breaches resulting from USB drives include:

In the UK:

HM Revenue & Customs lost personal details of 6500 private pension holders

In the United States:

a USB drive was stolen with names, grades and social security numbers of 6500 former students

USB flash drives with US Army classified military information were up for sale at a bazaar outside Bagram, Afghanistan

Solutions

Since the security of the physical drive cannot be guaranteed without compromising the benefits of portability, security measures are primarily devoted to making the data on a compromised drive inaccessible. One common approach is to encrypt the data for storage, although other methods are possible.

Software

Software solutions such as FreeOTFE and TrueCrypt allow the contents of a USB drive to be encrypted automatically and transparently. This software can be carried on the same USB drive, and run without having to install it on a host computer. Such software solutions may be used with any USB drive – turning cheap, commonly available USB drives into secure storage systems. Also, Windows 7 Enterprise and Ultimate Editions and Windows Server 2008 R2 provide USB drive encryption using BitLocker to Go.

Additional software on company computers may help track and minimize risk by recording the interactions between any USB drive and the computer and storing them in a centralized database.
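An added example of the host-side part of such a recorder (written for this page, not a product's code): it turns kernel log lines about USB attach and detach events into per-device session records that a central database could store, and flags mass-storage devices whose serial number is not on the list of company-issued drives. The log lines, host name and serial numbers are constructed for the example; their shape mirrors Linux kernel messages.

```javascript
// Added example (not a product's code): turn host kernel log lines about USB
// devices into per-device session records for a central database, and flag
// mass-storage devices that are not on the issued-drive allowlist.
// The log lines are constructed; their shape mirrors Linux kernel messages.
const SAMPLE_LOG = `
Mar  3 09:14:02 ws-042 kernel: usb 1-1.2: new high-speed USB device number 7 using xhci_hcd
Mar  3 09:14:02 ws-042 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar  3 09:14:02 ws-042 kernel: usb 1-1.2: Product: Cruzer Blade
Mar  3 09:14:02 ws-042 kernel: usb 1-1.2: SerialNumber: 4C530001230000000001
Mar  3 09:14:03 ws-042 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Mar  3 09:14:04 ws-042 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar  3 09:31:47 ws-042 kernel: usb 1-1.2: USB disconnect, device number 7
Mar  3 10:02:11 ws-042 kernel: usb 1-1.3: new full-speed USB device number 8 using xhci_hcd
Mar  3 10:02:11 ws-042 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c534, bcdDevice=29.01
Mar  3 10:02:11 ws-042 kernel: usb 1-1.3: Product: USB Receiver
`.trim().split('\n');

// Company-issued encrypted drives, keyed by serial number (constructed values).
const ISSUED_DRIVES = new Set(['4C5300019999999999AA']);

// timestamp, host, subsystem (usb / usb-storage), port path, optional interface, message
const LINE_RE = /^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (usb|usb-storage) ([\d.-]+)(?::[\d.]+)?: (.*)$/;

function parseUsbLog(lines) {
  const open = new Map(); // "host|port" -> record still being built
  const done = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // unrelated kernel line (e.g. the sd ... line) is ignored
    const [, ts, host, subsys, port, msg] = m;
    const key = `${host}|${port}`;
    let rec = open.get(key);
    let f;
    if ((f = /^new .*USB device number (\d+)/.exec(msg))) {
      rec = { host, port, deviceNumber: +f[1], connectedAt: ts, massStorage: false };
      open.set(key, rec);
    } else if (!rec) {
      continue; // attribute line without a preceding connect: nothing to attach it to
    } else if ((f = /idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})/.exec(msg))) {
      rec.vendorId = f[1]; rec.productId = f[2];
    } else if ((f = /^Product: (.*)$/.exec(msg))) {
      rec.product = f[1];
    } else if ((f = /^SerialNumber: (\S+)$/.exec(msg))) {
      rec.serial = f[1];
    } else if (subsys === 'usb-storage' && /Mass Storage/.test(msg)) {
      rec.massStorage = true;
    } else if (/^USB disconnect/.test(msg)) {
      rec.disconnectedAt = ts;
      done.push(rec);
      open.delete(key);
    }
  }
  // Devices still plugged in at the end of the log are reported as open sessions.
  return done.concat([...open.values()]);
}

function flagUnapproved(sessions, issued = ISSUED_DRIVES) {
  return sessions
    .filter(s => s.massStorage && !issued.has(s.serial))
    .map(s => ({ ...s, finding: 'mass-storage device not on issued-drive list' }));
}

const sessions = parseUsbLog(SAMPLE_LOG);
console.log(JSON.stringify(sessions, null, 1));   // two records, one still open
console.log(flagUnapproved(sessions));            // the Cruzer Blade only
```

The records carry host, port path, vendor and product ids, serial number, whether a mass-storage interface appeared, and connect and disconnect times, which is the minimum a central database needs to answer "which drive was in which machine when". The USB receiver is recorded but not flagged, since only mass-storage devices can carry files off the machine.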

Hardware

Some USB drives offer embedded hardware encryption, although these do cost significantly more. Microchips within the USB drive carry out automatic transparent encryption.

Hardware systems may offer additional features, such as the ability to automatically overwrite the contents of the drive if the wrong password is entered more than a certain number of times. This type of functionality cannot be provided by a software system since the encrypted data can simply be copied from the drive. However, this form of hardware security can result in data loss if activated accidentally by legitimate users, and strong encryption algorithms essentially make such functionality redundant.

As the encryption keys used in hardware encryption are typically never stored in the computer’s memory, hardware solutions are technically less subject to “cold boot” attacks than software-based systems. In reality, however, “cold boot” attacks pose little (if any) threat, assuming basic security precautions are taken with software-based systems.

Compromised Solutions

The security of encrypted flash drives is constantly being tested by individual hackers as well as professional security firms. At times, flash drives that had been positioned as secure were found to have a bug that could potentially, with very sophisticated tools that are not publicly available, give access to the data without knowledge of the correct password. A few noteworthy solutions that could have been compromised include:

SanDisk Cruzer Enterprise

Kingston DataTraveler

Verbatim Corporate Secure USB Flash Drive

It is worth noting that these companies reacted immediately and their customers were never at risk – a fix was made available by all three before this became public. The fix completely eliminates the issue – they are all perfectly safe now.

Management

In a commercial environment, where most secure USB drives will be used, a central management system may provide IT organizations with an additional level of IT asset control. This may include initial user deployment and ongoing management, password recovery, data backup, and termination of any issued secure USB drive. Such management systems are available as Software as a Service (note that in strict network environments where internet connectivity is limited or prohibited, such a solution will be futile) or as behind-the-firewall solutions.

See also

Health Insurance Portability and Accountability Act – encryption is needed in order to move confidential data

Cruzer Enterprise

Data remanence

IronKey

External links

Analysis of USB flash drives in a virtual environment, Derek Bem and Ewa Huebner, Small Scale Digital Device Forensics Journal, Vol. 1, No 1, June 2007.

Data breaches are everyday incidents, Matt Chapman, vnunet.com, 15 Nov 2007

Dataquest insight: USB flash drive market trends, worldwide, 2001–2010, Joseph Unsworth, Gartner, 20 November 2006.

Computerworld Review: 7 Secure USB Drives, Bill O’Brien, Rich Ericson and Lucas Mearian, March 2008


BYOPC is really Bring Your Own Security Nightmare

Bring Your Own Security Nightmare

When I first heard about the bring your own pc (BYOPC) trend, my first thoughts were “those marketing guys will say anything.” It seemed totally unreal that any IT manager would allow employees to bring in their home computers and connect to network resources.

Yes, it’s true: if you make sure the configuration is according to policy, install encryption software, anti-virus, and whatever else – in theory it really isn’t terribly different from having employees take home their laptops from work. And in theory, it would be great for companies like Promisec who can detect unauthorized computers and software. Still, it just sounds to me like someone’s idea of a cost-saving measure that will end up costing a lot more than it saves.

First of all, the help desk will end up swamped with software and hardware conflict issues. Organizations usually control the types of hardware in their organization – now they will have no control. Rather than 2–3 machine configurations, hundreds of configurations will need to be managed.

It’s natural that as companies get increasingly excited about putting everything “in the cloud”, it would seem irrelevant what endpoints are accessing this cloud. So why not let employees use any access point?

Fundamentally, the idea of everything in the cloud is also fantasy. No matter how much cloud computing we do, sometimes we simply aren’t connected. Whether it’s because we are in an airplane or because we are reserving battery power, we are always going to download files and software onto our computers. And whatever we download becomes a security risk.

But let’s assume the best possible scenario. The IT department actually manages to enforce its policies on employees’ personal computers, and the employees actually use their warranty to get service, so it doesn’t incur extra support costs. Or maybe the PCs never break down, because of course, if they do use the warranty, the corporate policy software would still need to be re-installed.

Even in this idyllic scenario, what happens when an employee leaves? The employee isn’t likely to let you wipe their hard drive. They might give you the opportunity to take off the VPN software, just because it slows down their computers and prevents them from viewing interesting web sites. On the other hand, they might not. In the best case, you have managed to prevent that employee from future access to your network, and deleted sensitive files, maybe even permanently. In the worst case, some day in the future, a disgruntled ex-employee has free access to your network.

In addition, what happens to the licenses of the apps he has installed and uses? Now you also need to manage the licenses better and make sure the employee uninstalls them, so you reduce the payments to the different vendors.

At the risk of being proved wrong in the future, I predict this is a trend that simply won’t ever have serious reach. As is, IT managers are struggling with endpoint management. It’s a matter of time before policies and lock-downs are placed on mobile devices. Security officers and security concerns won’t disappear, because security breaches are both real and costly. While BYOPC may continue to be used in some niche areas, it’s simply not a practical solution for the mainstream.

Here are a couple of articles about BYOPC:

Computer World: BYOPC could make sense for your IT shop

Computer World: Security Manager’s Journal: BYOPC won’t be a party for security

Computer World: Proctor & Gamble tries a bring your laptop to work program
