Taking The You Out Of USB

Portable storage devices such as USB sticks continue to be a problem on corporate networks. Because they plug directly into endpoints on the corporate network, they sidestep perimeter defences, making it easier for any malware on the device, such as ransomware, keyloggers or spyware, to infiltrate the network.

They are also a convenient way to move data, which increases the risk of data loss or theft: recent reports claim that over half of IT security professionals have seen company data stolen via USB during the last two years.

For these reasons, they are a particular concern on air-gapped networks, whose principal means of defence is segregation.

Given these risks and the fact that these devices are used on a routine basis, it would be fair to assume organisations would seek to control USB use through acceptable use policies and by ensuring that only company-sanctioned devices are used. But the reality is that only half of these devices are currently supplied by employers, and only a quarter of companies specify the supplier that must be used.

That means a significant number of devices are purchased and used with no oversight whatsoever.

So how can businesses take the ‘you’ out of the USB and reduce the potential risks posed by these devices? First, reduce the potential for malicious firmware by restricting which sticks are deemed acceptable for work use. The next consideration then has to be how you protect your data once it is on that device.

Safeguarding Data

Encryption is a must, as it ensures that data is stored securely the minute it leaves the network, with AES 256-bit encryption seen as the standard. Worryingly, privately sourced or owned USB sticks probably do not have any form of encryption built in, and the vast majority are also not password protected. Encryption ensures that the data remains protected even if the device falls into the wrong hands, which is vital because users won’t always report a stolen device, whether through inertia or fear of repercussions. To counter this, it’s advisable to encourage a culture of disclosure through regular user training exercises.

Users should also have to abide by an acceptable use policy that specifies acceptable device models and requires strong passwords. It’s also possible to log every time a USB key is used and to prevent unsanctioned USB keys from connecting to the corporate network at all. The best defence, though, is to lock ports so that they accept only approved devices, so you know anything else is blocked by default.

Real-time monitoring of these devices ensures the business knows where its data is.
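The two controls just described, logging every USB connection and blocking anything that is not an approved device by default, can be expressed as a small allowlist check over connection records. The following is an added example and not code from the article or from Apricorn; the log line format, the vendor/product IDs, serial numbers and user names are all constructed for illustration. Approval is keyed on the device's USB vendor and product ID, optionally narrowed to individual registered serial numbers, and every decision is kept with its reason so the records double as the audit trail.

```python
"""Default-deny USB device allowlist evaluated over constructed connection log lines.

Added example (not from the article). Assumed log format, one event per line:
    <timestamp> host=<hostname> user=<username> vid=<hex4> pid=<hex4> serial=<id>
"""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"vid=(?P<vid>[0-9a-fA-F]{4}) pid=(?P<pid>[0-9a-fA-F]{4}) serial=(?P<serial>\S+)$"
)

# Constructed allowlist of company-issued drives: (vid, pid) -> approved serials.
# A "*" entry approves every unit of that model; otherwise only registered
# serials are accepted. Anything not listed is blocked (default deny).
ALLOWLIST = {
    ("1234", "0001"): {"CO-000123", "CO-000124"},
    ("1234", "0002"): {"*"},
}


@dataclass
class Decision:
    timestamp: str
    host: str
    user: str
    device: str
    action: str   # "allow" or "block"
    reason: str


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["vid"], ev["pid"] = ev["vid"].lower(), ev["pid"].lower()
    return ev


def evaluate(event, allowlist=ALLOWLIST):
    """Decide allow/block for one parsed event against the allowlist."""
    device = f"{event['vid']}:{event['pid']}/{event['serial']}"
    serials = allowlist.get((event["vid"], event["pid"]))
    if serials is None:
        action, reason = "block", "model not approved"
    elif "*" in serials or event["serial"] in serials:
        action, reason = "allow", "approved device"
    else:
        action, reason = "block", "approved model, unregistered serial"
    return Decision(event["ts"], event["host"], event["user"], device, action, reason)


def audit(lines, allowlist=ALLOWLIST):
    """Evaluate every parseable log line; malformed lines are skipped here."""
    decisions = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            decisions.append(evaluate(ev, allowlist))
    return decisions


def blocked_by_user(decisions):
    """Count blocked connection attempts per user, for follow-up and training."""
    return dict(Counter(d.user for d in decisions if d.action == "block"))


# Constructed sample log: one company drive, one unregistered unit of a company
# model, one personal stick of an unknown model, one model-level approved drive,
# and one malformed line.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z host=ws-101 user=alice vid=1234 pid=0001 serial=CO-000123",
    "2024-05-01T09:40:11Z host=ws-102 user=bob vid=1234 pid=0001 serial=CO-000999",
    "2024-05-01T10:05:47Z host=ws-103 user=carol vid=5678 pid=00ab serial=PERSONAL1",
    "2024-05-01T10:07:00Z host=ws-104 user=dave vid=1234 pid=0002 serial=CO-100001",
    "malformed entry",
]

if __name__ == "__main__":
    for d in audit(SAMPLE_LOG):
        print(f"{d.timestamp} {d.host} {d.user} {d.device} {d.action.upper()} ({d.reason})")
    print("blocked attempts per user:", blocked_by_user(audit(SAMPLE_LOG)))
```

In a real deployment the allowlist would be enforced by the endpoint's device-control software rather than by a log post-processor, but the same default-deny logic applies, and keeping the reason alongside each decision makes it easy to distinguish a personal stick from a company model whose serial was simply never registered.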

If the business owns or governs the USB device, it can also oversee data sanitisation, that is, the permanent deletion of data. Contrary to popular belief, simply deleting the contents of a USB stick on a computer does not fully remove that data, and the information can still be recovered.

Selection Criteria

When it comes to selecting USBs, there are some important considerations to bear in mind. Whether buying direct or via a Managed Security Services Provider (MSSP), the business should seek to ascertain how the drives comply with industry standards and whether they have been accredited.

Accreditations such as FIPS 140-2 ensure that the device uses a high standard of cryptography. As mentioned, AES 256 is also regarded as the industry standard for encryption, but other considerations include whether the device is TAA (Trade Agreements Act) compliant, meaning it has to be manufactured or substantially transformed in the US or a TAA-designated country.

These standards ensure the device has been rigorously tested and meets not just corporate but government and even military standards of encryption. But the business can and should also seek to govern the devices in use.

Taking the individual out of the equation by providing or recommending USBs and implementing controls can significantly reduce the risk associated with these peripheral devices without impinging upon the individual or taking away the flexibility they confer.

Jon Fielding is Managing Director for EMEA at Apricorn
