|
Information security
USB
storage devices - the pros and cons
¡@
|
|
Almost everyone uses one or more USB storage devices for personal or business purposes nowadays. Why have these small devices suddenly become so popular during the last few years? The most likely answer is that they are cheap, they can store more data, and they are easy to use and carry around.
People in most companies use them to save and transfer data from one computer to another - for example, to transfer a working document from an office computer to another one at home, in order to finalise it to meet a tight deadline. However, some IT administrators regard them as nuisances, and potential threats to their company's network infrastructure.
A convenient device
Have you ever removed sensitive information - such as client contacts, customer databases, financial models and reports - from your workplace? The answer is probably yes. While we may copy sensitive data in our working environment almost every day, the idea we might lose them seldom crosses our mind, because we tend to be focused mainly on convenience when we use our USB storage devices.
"Convenience" sometimes comes at a very high price, especially when we accidentally lose or misplace a USB storage device containing a vast quantity of documents and files. For instance, a 1GB device can contain the same amount of data as 690 floppy disks; some of them can hold a staggering 64GB.
Perhaps the greatest disadvantage of having a USB storage device is the risk of losing it, because they are becoming smaller and smaller. However, if it is encrypted and subscribed to a recovery service, you can trace it whereabouts with the aid of technology, then the problem is not so great. But, if it is not password-protected and it holds valuable information about your recent projects, company documents, client details, beware! Its loss may cost your company millions of dollars.
Blocking ports
Although, USB storage devices are small, convenient and popular, most companies still regard them as a general risk, a threat to their network security. If a company does not have any policies or procedures to control known USB storage devices, then it is wide open to potential dangers, such as newly developed viruses and malicious codes that may be unintentionally transferred from an employee's home computer onto those in the workplace, thus putting its entire secured network at risk.
On the other hand, some organisations literarily block USB ports on their office computers, and allow files to be transferred to and from USB storage devices on a few machines only. This enables them to control the types of documents, files and reports that are being transferred, yet it is not always an ideal solution if most of their employees are mobile users.
Preventing data loss
Organisations that wish to continue using USB storage devices may find it difficult to strike a balance, especially if they have hundreds of users out in the field. However, they must still take some measures to protect these little devices when they leave the workplace, and develop standardised policies and procedures to mitigate the risks they might pose when they are brought back.
The following steps can help minimise the potential loss of valuable data stored on USB storage devices, and the risk of them contaminating the office environment with new viruses and malicious codes:
 |
develop and implement a security policy that clearly states that only pre-configured USB storage devices may be connected to the network, and that these must be scanned for potential viruses and malicious codes before they are connected to the company's network; |
|
|
|
scan USB storage devices on dedicated standalone computers that are not connected to the network; |
|
|
|
encrypt all USB storage devices by means of security and data access software; and |
|
|
|
consider blocking all USB ports, except for authorised users and those on computers approved for the use of USB storage devices. |
¡@
Besides the above measures to mitigate the risk of using USB storage devices, their security can also be increased while they are out of the office by implementing encryption methods. These can either be based on standard software applications that came bundled with the device or else a customised container with encryption methods like AES, Serpent or even Twofish. The general idea is to prevent or deter any unauthorised person from accessing information stored on the device if it comes into their possession.
Policies, procedures and effective security encryption can all play a part in mitigating the potential leakage of an organisation's data. Yet, a balance must be struck between manageability and convenience when decisions are made about USB storage devices, so that employees are not discouraged from using them as easy and enjoyable tools for doing their work.
Matthew Chu
Forensic and Investigation Services
matthew.chu@gthk.com.hk
¡@
|