Taking The You Out Of USB

Uploaded on 2024-11-26 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Portable storage devices such as USB sticks continue to be a problem on corporate networks. Because they plug directly into the corporate network, they effectively sidestep initial defences, making it easier for any malware on the device such as ransomware, keylogging or spyware, to then infiltrate the network.

And they’re a convenient way to transmit data which increases the risk of data loss or theft, with recent reports claiming over half of IT security professionals have seen company data stolen via USB during the last two years.

For these reasons, they’re also a particular concern when it comes to air gapped networks whose principal means of defence is segregation. 

Given these risks and the fact that these devices are used on a routine basis, it would be fair to assume organisations would seek to control USB use through acceptable use policies and by ensuring that only company sanctioned devices are used. But the reality is that only half of these devices are currently supplied by employers and only a quarter of companies specify the supplier that must be used.

That means a significant number of devices are purchased and used with no oversight whatsoever.

So how can businesses take the ‘you’ out of the USB and reduce the potential risks posed by these devices? First of all, it’s important to reduce the potential for malicious firmware by restricting which sticks are deemed acceptable for work use. But the next consideration then has to be how you protect your data once it is on that device. 

Safeguarding Data

Encryption is a must as it ensures that the minute the data leaves the network it is stored securely, with AES 256-bit encryption seen as the standard. Worryingly, privately sourced or owned USB sticks probably do not have any form of encryption housed on them and the vast majority are also not password protected. Encryption ensures that the data will remain protected even if it falls into the wrong hands, which is vital because users won’t always report when a device is stolen, either due to inertia or through fear of repercussions. To counter this, it’s advisable to encourage a culture of disclosure through regular user training exercises.

Users should also have to abide by an acceptable use policy that specifies acceptable device versions and to implement strong passwords. It’s also possible to log every time a USB key is used and to prevent unsanctioned USB keys from logging on altogether to the corporate network. Although the best defence is to lock ports to only accept approved devices, so you know anything else is blocked by default.

Real-time monitoring of these devices ensures the business knows where its data is.

If the business owns or governs the USB device it can also oversee data sanitisation, that is the permanent deletion of data. Contrary to popular belief, simply emptying the contents of a USB on a computer does not fully remove that data, making it possible to recover information. 

Selection Criteria

When it comes to selecting USBs, there are some important considerations to bear in mind. Whether buying direct or via a Managed Security Services Provider (MSSP), the business should seek to ascertain how the drives comply with industry standards and if it has been accredited. 

Accreditations such as FIPS 140-2 ensure that the device uses a high standard of cryptography. As mentioned, AES 256 is also regarded as the industry standard for encryption, but other considerations include whether the device is TAA (Trade Agreements Act) compliant, meaning it has to be manufactured or substantially engineered in the US or a TAA-designated country. 

These standards ensure the device has been rigorously tested and meet not just corporate but government and even military standards of encryption. But the business can and should also seek to govern the devices in use.

Taking the individual out of the equation by providing or recommending USBs and implementing controls can significantly reduce the risk associated with these peripheral devices without impinging upon the individual or taking away the flexibility they confer. 

Jon Fielding is Managing Director for EMEA at Apricorn

Image: charlesdeluvio

You Might Also Read:

USB Attacks: The Threat Putting Critical Infrastructure At Risk:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« British Government Minister Predicts Russia Will Step Up Cyber Attacks 
Cyber Attacks On Britain's Water Supply »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Paraben

Paraben

Paraben provides digital forensics solutions for mobile devices, smartphones, email, hard drives, and gaming system.

DTEX Systems

DTEX Systems

DTEX Systems is the global leader for insider risk management. We empower organizations to prevent data loss by proactively stopping insider risks from becoming insider threats.

Snow Software

Snow Software

Snow Software is changing the way organizations think about their technology investments, empowering IT and business leaders to drive transformation with precision and agility.

AirCUVE

AirCUVE

AirCUVE provide authentication and access control solutions for networks and mobile security.

Inspired eLearning

Inspired eLearning

Inspired eLearning deliver solutions that help clients nurture and enhance workforce skills, protect themselves against cyberattacks and regulatory violations.

Identillect Technologies

Identillect Technologies

Identillect Technologies provide a user-friendly secure email solution to protect critical information, with an emphasis on simplicity.

ISEC7 Group

ISEC7 Group

ISEC7 Group is a global provider of mobile business services and software solutions. The company was one of the first movers in mobilising company and business processes.

Greenwave Systems

Greenwave Systems

Greenwave's AXON Platform enables IoT and M2M network service providers to address security, interoperability, flexibility and scalability from a single IoT platform.

Incognito Forensic Foundation Lab (IFF Lab)

Incognito Forensic Foundation Lab (IFF Lab)

IFF Lab is a premier cyber and digital forensics lab in India that offers forensic services and solutions, cyber security analysis and assessment, IT support, training and consultation.

XPO IT Services

XPO IT Services

XPO IT Services are dedicated to providing secure, high quality IT recycling and asset disposal services.

Injazat

Injazat

Injazat Data Systems is an industry recognized market leader in the Gulf region for Information Technology, Data Center and Managed Services.

AlertFusion

AlertFusion

AlertFusion is a platform that makes security operations more effective. It complements existing tools and technologies, unifies operations, enhances process maturity and drives efficiencies.

Trapp Technology

Trapp Technology

Trapp Technology combines the very best cloud, Internet, IT managed services, and IT consulting to provide a true all-in-one IT solution for small to mid-sized businesses.

Thoropass

Thoropass

Thoropass (formerly Laika) helps you get and stay compliant with smart software and expert services.

Scribe Security

Scribe Security

Scribe security provides end-to-end software supply chain security solutions.

Amtivo Group

Amtivo Group

Amtivo provides Certification, Inspection and Training services to national and local Government bodies, multi-nationals, enterprise clients and SMEs.