The Department of Defense banned the use of USB flash drives a couple of years ago because the organization recognized the security threats that the devices represented. The DOD created a number of campaign posters, provided briefings, taped over USB ports and initiated a required USB device policy quiz before personnel were allowed to create network accounts. In spite of these precautions, the DOD still has to disable numerous accounts on a monthly basis because of USB policy violations.
Most people use USB thumb drives in the workplace for completely benign reasons. Most employees are conscientious, and they want to use their thumb drives and other storage devices to take work home over the weekend. However, malicious parties use these same devices to steal proprietary data and take it to a competitor. USB drives are also frequently used to transmit malware. For example, when the U.S. and Israel launched the Stuxnet virus to disable an Iranian nuclear plant, operatives simply transmitted the virus via USB drive.
Any sound continuous data protection policy requires taking portable devices such as USB drives into account. Three ways to protect enterprise data from USB drives include creating device control policies, implementing appropriate security solutions and creating disaster response and prevention plans.
Device Control Policies
The DOD not only banned USB drives in its quest to fight back against data loss, it also banned e-book readers, iPods, smartphones, cameras and flash media card readers. While you may not want to go this far, you can implement sound device control policies, including:
Issue company-approved portable devices that allow workers to be productive. Make sure you establish who can check out the devices and limit access to only those end users. Consider etching a unique serial number on the outside of each drive and recording the same number in the firmware.
Block unauthorized devices. Disable the ports and block all unauthorized devices outright.
Discourage the use of devices received at trade shows. According to the Ponemon Institute, 72 percent of employees use devices that they receive at conferences or trade shows. Set up a program that allows your workers to trade in unauthorized devices for authorized ones.
Train your users. Your end users need to know just what can happen if a data breach occurs. Put them through scenarios so that they see exactly what happens when unsecured devices are used.
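An added example, not part of the original article, of checking an endpoint against the serial numbers of company-issued drives: it classifies USB storage device instance IDs in the form Windows records under the USBSTOR registry key. The allowlist, vendor names and sample IDs are constructed, and treating an instance ID whose second character is "&" as a device with no unique serial is an assumption about Windows behaviour.

```python
import re

# Assumption: instance IDs look like the subkeys Windows creates under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, i.e.
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<n>
INSTANCE_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed allowlist: serial numbers of company-issued drives.
APPROVED_SERIALS = {"AA00000000000489", "AA00000000000512"}

def classify(instance_id, approved=APPROVED_SERIALS):
    """Return (verdict, serial) for one USBSTOR device instance ID."""
    m = INSTANCE_RE.match(instance_id.strip())
    if not m:
        return ("unparsed", None)
    instance = m.group("instance")
    # Assumption: Windows generates an instance ID whose second character is
    # '&' when the device reports no unique serial number, so the device
    # cannot be matched to an issued drive.
    if len(instance) > 1 and instance[1] == "&":
        return ("no-unique-serial", None)
    serial = instance.rsplit("&", 1)[0].upper()
    verdict = "approved" if serial in {s.upper() for s in approved} else "unauthorized"
    return (verdict, serial)

def audit(instance_ids, approved=APPROVED_SERIALS):
    """Group instance IDs by verdict so reviewers see the exceptions first."""
    report = {"approved": [], "unauthorized": [], "no-unique-serial": [], "unparsed": []}
    for iid in instance_ids:
        verdict, _ = classify(iid, approved)
        report[verdict].append(iid)
    return report

# Constructed sample export from one endpoint (not real devices).
SAMPLE = [
    r"USBSTOR\Disk&Ven_Acme&Prod_SecureDrive&Rev_1.00\AA00000000000489&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\0F3C9A7712B4&0",
    r"USBSTOR\Disk&Ven_Promo&Prod_Giveaway&Rev_0.01\6&2b1c9e4f&0",
]

if __name__ == "__main__":
    for verdict, ids in audit(SAMPLE).items():
        for iid in ids:
            print(f"{verdict:17} {iid}")
```

Devices reported as "no-unique-serial" cannot be tied to an issued drive by serial number, so an audit has to handle them separately from plainly unauthorized ones.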
Security Policies and Monitoring
Developing the appropriate security policies can help admins to control how employees access data. Monitoring catches breaches quickly and develops context awareness.
Use device-level management software. This will monitor what kind of data is being transferred when a USB drive connects to a network. Password protection and remote wipe capability are also good ideas.
Conduct a risk assessment. Not every byte of data requires military-level encryption. Balance cost control, productivity and security by implementing the right policies for the right kinds of data.
Encrypt confidential data. Before any data can be sent over email or saved on removable media, it should be encrypted.
Conduct USB device audits. A regular trip through the office to check that only the appropriate documents are on a USB device will rapidly discourage unauthorized downloading.
Create Disaster Response and Prevention Plans
Even good device control and security policies sometimes fail. Make sure that you have plans in place to retrieve lost data.
Know what is on lost USB drives. If you’ve been backing up authorized USB drives on-site, then you can examine the latest backup information so that you know what has potentially been lost.
Decide what to do about the lost drive. Test your data recovery abilities regularly so that you can access a USB drive even if it has been maliciously disabled. Then, either recover the data through geotagging features, if available, or wipe the drive remotely.
Keep updated antivirus software on each endpoint. Make sure that your antivirus solution scans the USB drive when it’s connected and that older Windows machines have the patch that disables AutoRun.
Set clear transportation policies. Decide who can transport USB drives, who can see the data on lost drives and exactly what to do if the device is lost.
Christopher Budd is a seasoned veteran in the areas of online security, privacy and communications. Combining a full career in technical engineering with PR and marketing, Christopher has worked to bridge the gap between “geekspeak” and plain English, to make awful news just bad and to help people realistically understand threats so they can protect themselves online. Christopher is a 10-year veteran of Microsoft’s Security Response Center, has worked as an independent consultant and now works for Trend Micro.