Whatever you call them — USB, thumb or flash drives — they hold a ton of data. (For the purposes of this discussion, we will refer to them as “USB drives.”) Their storage capacity has surpassed multi-gigabytes to the lofty terabyte realm.
One terabyte can store thousands of hours of music and videos, 500 hours of movies and more than 300,000 photos, as well as over a million 1-megabyte Word documents.
In fact, a USB drive was Edward Snowden’s preferred device for storage when he stole thousands of highly classified NSA documents, which he gave to reporters. Snowden didn’t have to burn up a copy machine and carry off the documents a few at a time. They all fit on a plastic-encased device the size of his thumb.
USB drives can also pose external threats
Most people would never pick up food lying on a parking lot pavement. However, hackers desiring front-door entry to corporate networks have littered employee parking lots with malware-laced USBs. Employees have been duped into picking them up and plugging them into their workstation computers.
When testing the foregoing, CompTIA researchers placed 200 unlabeled USB drives in cities throughout the United States. They dropped the drives in heavy foot-traffic areas to find out the number and identity of people who would pick them up and plug them in.
The results were that 20 percent (one out of five) users plugged in the rigged drives and opened files as well as clicked on strange web links and sent messages to a loaded email address. And this was just a security test. Read about the real thing in this ZDNet online piece.
Threats also come from “friendly” sources
In a recent incident, the American Dental Association inadvertently mailed malware-infected thumb drives to thousands of local dental offices. A code embedded in the USBs could gain control of a user’s Windows computer. The contamination, according to ADA, occurred “somewhere in the supply chain,” and only a fraction of the drives may have been infected.
Sensible practices for minimizing the USB threat
Does your company have a detailed, yet thoughtful, usage policy and sensible security procedures for USBs on the job? Somewhere between banning USB usage altogether and allowing sanctioned, limited use are the best practices for your company’s security posture.
Here are five general suggestions:
1. Limit your exposure by disabling USB ports on computers containing sensitive information. Make USB functionality on a strictly need-to-know/have basis. Issue USB drives that have full encryption and pass-phrase protection. Make sure your IT people can remotely wipe or lock the USB drives. Look for high-security products such as Iron Key.
2. Automatically run a USB scanning program on all company computers when the USB drive is plugged in. Permit no unauthorized applications to be run from any USB drive.
3. Audit your USB drives to ensure authorized use. Unannounced and random USB drive confiscation and scanning are the best tools to imprint security awareness among users. Inventory, add serial numbers, and record names of users. Ban all use of personal USB drives on work computers for any reason.
4. Do regular backups of your USB drives and include encryption keys so that the data can be recovered. Run a data recovery test to ensure that your IT security people can unlock and access any USB drive — even if user malfeasance or malware have disabled the drive.
5. Have a plan in place in the event someone loses a company USB drive. Procedures could include locating the drive through geotagging or simply wiping or destroying the device remotely.
Looking for help?
Alary Clinitech is the trusted choice when it comes to staying ahead of the latest cyber security and information technology tips, tricks and news. Contact us at (416) 291-7377 or send us an email at firstname.lastname@example.org for more information.
Thanks for helping us upgrade our Macs and get them working exactly as our business needs! Fast, convenient and very knowledgeable! You’re the best!
Alary Technologies has been our IT support team for the past year at the START Clinic for Mood and Anxiety Disorders. They have done a excellent job in upgrading our system, organization, and supporting us in technical computer matters. Compared to other IT companies we have worked with, Alary Technologies comes on top. Ahmed Kufaishi the Managing Director at Alary Technologies is solution focused, knowledgeable and makes an effort to really understand his clients’ needs. It has been a pleasure to work with Ahmed and Alary Technologies. I would recommend their services to other companies and clinics.
“We continue to work with Alary Technologies due to the fact that they are quite educated and knowledge based with current upgrades, and their commitment to their customers.”
Ahmed has been providing our company with expert IT services for close to 3 years. He has guided us through hardware upgrades, server back up procedures and was instrumental in brokering a custom software program that fully automated some key functions in our business. Ahmed has always been thoroughly professional in all his dealings with us and has provided consistent and sound advise for all of our IT requirements. We consider Ahmed and Alary Technologies to be an important partner for our business.
It is refreshing to work with someone who can organize things and describe in plain language. I have a large and growing knowledge base for my work as an architect. I have realized that I can’t do everything, that I do need a team member who can look after this one relatively small by crucial part of my practice.