Taking The You Out Of USB

Uploaded on 2024-11-26 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Portable storage devices such as USB sticks continue to be a problem on corporate networks. Because they plug directly into the corporate network, they effectively sidestep initial defences, making it easier for any malware on the device such as ransomware, keylogging or spyware, to then infiltrate the network.

And they’re a convenient way to transmit data which increases the risk of data loss or theft, with recent reports claiming over half of IT security professionals have seen company data stolen via USB during the last two years.

For these reasons, they’re also a particular concern when it comes to air gapped networks whose principal means of defence is segregation. 

Given these risks and the fact that these devices are used on a routine basis, it would be fair to assume organisations would seek to control USB use through acceptable use policies and by ensuring that only company sanctioned devices are used. But the reality is that only half of these devices are currently supplied by employers and only a quarter of companies specify the supplier that must be used.

That means a significant number of devices are purchased and used with no oversight whatsoever.

So how can businesses take the ‘you’ out of the USB and reduce the potential risks posed by these devices? First of all, it’s important to reduce the potential for malicious firmware by restricting which sticks are deemed acceptable for work use. But the next consideration then has to be how you protect your data once it is on that device. 

Safeguarding Data

Encryption is a must as it ensures that the minute the data leaves the network it is stored securely, with AES 256-bit encryption seen as the standard. Worryingly, privately sourced or owned USB sticks probably do not have any form of encryption housed on them and the vast majority are also not password protected. Encryption ensures that the data will remain protected even if it falls into the wrong hands, which is vital because users won’t always report when a device is stolen, either due to inertia or through fear of repercussions. To counter this, it’s advisable to encourage a culture of disclosure through regular user training exercises.

Users should also have to abide by an acceptable use policy that specifies acceptable device versions and to implement strong passwords. It’s also possible to log every time a USB key is used and to prevent unsanctioned USB keys from logging on altogether to the corporate network. Although the best defence is to lock ports to only accept approved devices, so you know anything else is blocked by default.

Real-time monitoring of these devices ensures the business knows where its data is.

If the business owns or governs the USB device it can also oversee data sanitisation, that is the permanent deletion of data. Contrary to popular belief, simply emptying the contents of a USB on a computer does not fully remove that data, making it possible to recover information. 

Selection Criteria

When it comes to selecting USBs, there are some important considerations to bear in mind. Whether buying direct or via a Managed Security Services Provider (MSSP), the business should seek to ascertain how the drives comply with industry standards and if it has been accredited. 

Accreditations such as FIPS 140-2 ensure that the device uses a high standard of cryptography. As mentioned, AES 256 is also regarded as the industry standard for encryption, but other considerations include whether the device is TAA (Trade Agreements Act) compliant, meaning it has to be manufactured or substantially engineered in the US or a TAA-designated country. 

These standards ensure the device has been rigorously tested and meet not just corporate but government and even military standards of encryption. But the business can and should also seek to govern the devices in use.

Taking the individual out of the equation by providing or recommending USBs and implementing controls can significantly reduce the risk associated with these peripheral devices without impinging upon the individual or taking away the flexibility they confer. 

Jon Fielding is Managing Director for EMEA at Apricorn

Image: charlesdeluvio

You Might Also Read:

USB Attacks: The Threat Putting Critical Infrastructure At Risk:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« British Government Minister Predicts Russia Will Step Up Cyber Attacks 
Cyber Attacks On Britain's Water Supply »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The Networking People (TNP)

The Networking People (TNP)

TNP supplies independent advice allowing large organisations to design, build and operate their own networks independently of the established telecoms companies.

Landry & Associates

Landry & Associates

Landry & Associates is a multidisciplinary firm specializing in risk management, performance and technology management.

Conscio Technologies

Conscio Technologies

Conscio Technologies is a specialist in IT security awareness. Our solutions allow you to easily manage innovative online IT awareness campaigns.

Hague Security Delta (HSD)

Hague Security Delta (HSD)

The Hague Security Delta Campus is home of the leading cyber security cluster in Europe with an Innovation Centre, labs and training facilities.

SCIPP International

SCIPP International

SCIPP’s courses are based on internationally recognized best business practices for security awareness, for both technical and non-technical staff and to comply with regulatory mandates.

ThreatMark

ThreatMark

ThreatMark provides fraud detection solutions for digital banking and payments.

GrrCON

GrrCON

GrrCON is an information security and hacking conference that provides the Midwest InfoSec community with a fun atmosphere to come together and engage with like minded people.

SAST

SAST

SAST provide Static Application Security Testing as a service based on SAST Tools.

PreEmptive Solutions

PreEmptive Solutions

PreEmptive Protection hit the sweet spot between cost, convenience and functionality by helping you protect and secure your apps in a smarter way.

Have I Been Pwned (HIBP)

Have I Been Pwned (HIBP)

Have I Been Pwned is a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach.

Forta

Forta

Forta is a real-time detection network for security & operational monitoring of blockchain activity.

Inversion6

Inversion6

Inversion6 (formerly MRK Technologies) is a cybersecurity risk management provider that offers custom security solutions.

ZENDATA

ZENDATA

ZENDATA are an innovative provider of intelligent, tailored cybersecurity solutions to global companies and public sector institutions.

Instil Software

Instil Software

Instil helps technology brands transform, innovate and disrupt their markets with category-defining software products that challenge us to think, feel and act in new ways.

Trofi Security

Trofi Security

Trofi Security provides Information Technology and Information Security services to organizations in both the public and private sectors.

CirrusHQ

CirrusHQ

CirrusHQ are a Specialist AWS Advanced Consulting Partner with a focus on Cloud Management, DevOps, Migration and Consulting Services for the private and public sectors.