Taking The You Out Of USB

Uploaded on 2024-11-26 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Portable storage devices such as USB sticks continue to be a problem on corporate networks. Because they plug directly into the corporate network, they effectively sidestep initial defences, making it easier for any malware on the device such as ransomware, keylogging or spyware, to then infiltrate the network.

And they’re a convenient way to transmit data which increases the risk of data loss or theft, with recent reports claiming over half of IT security professionals have seen company data stolen via USB during the last two years.

For these reasons, they’re also a particular concern when it comes to air gapped networks whose principal means of defence is segregation. 

Given these risks and the fact that these devices are used on a routine basis, it would be fair to assume organisations would seek to control USB use through acceptable use policies and by ensuring that only company sanctioned devices are used. But the reality is that only half of these devices are currently supplied by employers and only a quarter of companies specify the supplier that must be used.

That means a significant number of devices are purchased and used with no oversight whatsoever.

So how can businesses take the ‘you’ out of the USB and reduce the potential risks posed by these devices? First of all, it’s important to reduce the potential for malicious firmware by restricting which sticks are deemed acceptable for work use. But the next consideration then has to be how you protect your data once it is on that device. 

Safeguarding Data

Encryption is a must as it ensures that the minute the data leaves the network it is stored securely, with AES 256-bit encryption seen as the standard. Worryingly, privately sourced or owned USB sticks probably do not have any form of encryption housed on them and the vast majority are also not password protected. Encryption ensures that the data will remain protected even if it falls into the wrong hands, which is vital because users won’t always report when a device is stolen, either due to inertia or through fear of repercussions. To counter this, it’s advisable to encourage a culture of disclosure through regular user training exercises.

Users should also have to abide by an acceptable use policy that specifies acceptable device versions and to implement strong passwords. It’s also possible to log every time a USB key is used and to prevent unsanctioned USB keys from logging on altogether to the corporate network. Although the best defence is to lock ports to only accept approved devices, so you know anything else is blocked by default.

Real-time monitoring of these devices ensures the business knows where its data is.

If the business owns or governs the USB device it can also oversee data sanitisation, that is the permanent deletion of data. Contrary to popular belief, simply emptying the contents of a USB on a computer does not fully remove that data, making it possible to recover information. 

Selection Criteria

When it comes to selecting USBs, there are some important considerations to bear in mind. Whether buying direct or via a Managed Security Services Provider (MSSP), the business should seek to ascertain how the drives comply with industry standards and if it has been accredited. 

Accreditations such as FIPS 140-2 ensure that the device uses a high standard of cryptography. As mentioned, AES 256 is also regarded as the industry standard for encryption, but other considerations include whether the device is TAA (Trade Agreements Act) compliant, meaning it has to be manufactured or substantially engineered in the US or a TAA-designated country. 

These standards ensure the device has been rigorously tested and meet not just corporate but government and even military standards of encryption. But the business can and should also seek to govern the devices in use.

Taking the individual out of the equation by providing or recommending USBs and implementing controls can significantly reduce the risk associated with these peripheral devices without impinging upon the individual or taking away the flexibility they confer. 

Jon Fielding is Managing Director for EMEA at Apricorn

Image: charlesdeluvio

You Might Also Read:

USB Attacks: The Threat Putting Critical Infrastructure At Risk:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« British Government Minister Predicts Russia Will Step Up Cyber Attacks 
Cyber Attacks On Britain's Water Supply »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ITrust

ITrust

French cybersecurity pure player since 2007. ITrust offers its Cyber expertise services and develops disruptive products in Cyber/Artificial Intelligence.

Qualitèsoft Technology

Qualitèsoft Technology

Qualitèsoft Technology is a leading Software Development and Quality Assurance organization. We specialize in Custom Development, Mobile Application, Software Testing and Quality Assurance.

Azeti Networks

Azeti Networks

Azeti Networks is a global provider of IoT technology to a variety of verticals including telecomms, oil/gas, manufacturing, finance and healthcare.

TCPWave

TCPWave

TCPWave IPAM is the world’s first acclaimed DNS/DHCP management software to pass the most stringent Information security tests.

TorGuard

TorGuard

TorGuard is a Virtual Private Network services provider offering secure encrypted access to the internet.

CSIRT-IE

CSIRT-IE

CSIRT-IE is the body within the NCSC that provides assistance to constituents in responding to cyber security incidents at a national level for Ireland.

Blockchain Firm

Blockchain Firm

Blockchain Firm is a leading Blockchain based software solutions and service provider with our roots of expertise running deep into the technology.

Diateam

Diateam

Diateam is an R&D company specializing in computer security. Diateam develops highly innovative cyber range platforms and Industry-leading systems for cybersecurity training and testing labs.

VectorUSA

VectorUSA

VectorUSA is a premier technology solution provider. We design, build and maintain cybersecurity, data center, wireless and managed solutions – transforming business needs into technology solutions.

Belcan

Belcan

Belcan is a global supplier of engineering, manufacturing & supply chain, workforce and government IT solutions to customers in the aerospace, defense, automotive, industrial, and private sector.

Institute for Pervasive Cybersecurity - Boise State University

Institute for Pervasive Cybersecurity - Boise State University

Boise State University’s Institute for Pervasive Cybersecurity is a leader of innovative cybersecurity research and advancement in Idaho and the region.

Swissbit

Swissbit

Swissbit AG is the leading European manufacturer of storage, security and embedded IoT solutions for demanding applications.

N-able

N-able

N-Able deliver simple and sophisticated monitoring, security, and business solutions that empower you to solve your toughest IT challenges.

Ipstack

Ipstack

Ipstack offers one of the leading IP to geolocation APIs and global IP database services worldwide. Protect your site and web application by detecting proxies, crawlers or tor users at first glance.

CyberSecureRIA

CyberSecureRIA

We founded CyberSecureRIA specifically to secure and support RIAs. We exist to secure SEC-registered RIAs, and keep them compliant with cybersecurity regulations.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.