Information Security Today is brought to you by Auerbach Publications


USB Security at Multiple Tiers

Eric Krauss

USB flash drives have become a fundamental component of today's business environment. After all, by making it both convenient and easy to move massive amounts of data from virtually any computer to another, these tiny yet powerful devices improve workforce mobility and productivity, which in turn increases business agility and boosts the bottom line.

At the same time, however, flash drives often fall outside the protective perimeter of the enterprise IT infrastructure. While the corporate network and its servers, desktops, and laptops are hardened against external and internal attack, USB flash drives are not. In fact, few IT managers even know who is using a flash drive and how they are using it.

The potential risk of using USB drives was illustrated last month when it became public that the US Army had banned the use of USB drives after a worm that spreads by copying itself to thumb drives or other removable media infiltrated Army networks.

This incident is proof that the threats to enterprise data continue to evolve. A few years ago, the potential risks of unsecured USB drives in military and government organizations became apparent when news organizations reported that a flash drive was on sale for $40 outside the Bagram airbase in Afghanistan. The drive apparently held details of Afghan spies informing on the Taliban and Al Qaeda.

Unfortunately, USB flash drives have since become a prime vehicle for the intentional or inadvertent loss of gigabytes of sensitive information. Since 2005, more than 245 million records containing sensitive personal information have been involved in security breaches in the U.S. alone, according to Privacy Rights Clearinghouse. The loss of hundreds of thousands of those records was the result of misplaced or stolen flash drives involving schools and universities, hospitals and healthcare providers, government agencies, corporations, and even a prison. The drives contained everything from Social Security numbers and personally identifiable information to financial data, credit card numbers, and sensitive medical records.

Reducing the risk of data leakage through USB drives enables organizations to not only protect their reputation but also meet internal and external guidelines for information security. For example, in the U.S., financial companies are tasked with demonstrating compliance with laws such as the Gramm-Leach-Bliley Act (GLBA), while healthcare providers and insurers must address the demands of the Health Insurance Portability and Accountability Act (HIPAA) for protecting electronic health information (EHI). For credit card companies and merchants, the Payment Card Industry Data Security Standard (PCI DSS) is a priority, and sections of the Sarbanes-Oxley Act (SOX) aim at securing IT infrastructures and sensitive corporate data. In Europe, the EU Data Protection Directive and Basel II set recommendations for the secure handling of information.

Among the most effective tools for minimizing the risk of data loss and leakage via USB flash drives are hardware-based encryption and password protection. This combination of USB encryption and password protection makes it extremely difficult for unauthorized users to access data if the drive is lost or stolen. Furthermore, when used in combination with virus scanning, encryption and password protection offer a formidable defense against security risks.

USB-Borne Malware Threat Complicates Protection
Unfortunately, simple data loss is not the only potential threat to unsecured USB drive use. As is often the case, attackers have become more creative. Because of their proliferation in the enterprise, along with their small form factor, USB drives are becoming more popular as a vector for spreading malware.

Last week's reported infection of the Army network is not the first of its kind. In May 2007, the SillyFD-AA worm spread by copying itself onto removable media such as USB flash drives, then automatically running when that drive was connected to a PC. The following month, the LiarVB-A worm surfaced. Like the SillyFD-AA worm, it too spread by copying itself onto removable drives such as USB flash drives and running as soon as the device connected to a PC.

And more recently, in August 2008, NASA made headlines after the TGammima.AG worm infected a computer on the International Space Station. And how did it get there? Via a USB flash drive.

Attackers have been consistent about one thing - always looking for the next attack vector. USB drives are easy targets given that they are small enough to easily plug into computers. Also, such a threat can bypass the other security measures an organization has taken to mitigate malicious code risks.

These incidents point to the possibility that USB drives are becoming a more popular propagation method. The April 2008 Information Security Breaches Survey by PricewaterhouseCoopers and the UK Department of Business, Enterprise, and Regulatory Reform (BERR) underscores the relevance of this concern, pointing out that two-thirds of UK companies allow employees to remove data on unsecured USB sticks.

As the use of flash drives grows and USB device-borne threats increase, enterprises must limit the propagation of such threats through a multi-tiered defense that includes anti-virus scanning. Not only must every file that is saved or copied to the USB drive be scanned, but the host must also be scanned whenever the USB device is inserted. With this layer of protection in place on the USB drive, organizations can be sure that their network and USB flash drives are virus-free.
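On Windows, automatic execution from removable media is driven by an `autorun.inf` file in the volume root. As an added example (not part of the original article), the following Python code shows one insertion-time check that lists the programs such a file would launch; the function names and the sample file contents are constructed for illustration.

```python
import os
import tempfile

# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, tolerating junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment padding
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_commands(entries):
    """Keep only entries that start a program: open, shellexecute, shell\\<verb>\\command."""
    hits = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return sorted(hits)

def scan_volume(root):
    """Check a mounted volume's root for autorun.inf (file name is case-insensitive)."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "r", errors="replace") as fh:
                return launch_commands(parse_autorun(fh.read()))
    return []

# Constructed sample file contents; not taken from any real drive or malware sample.
SAMPLE = ";padding\n[AutoRun]\nopen=setup.exe /quiet\nicon=folder.ico\nshell\\open\\Command=setup.exe\nlabel=Backup\n"

def demo():
    """Write the constructed sample to a temporary 'volume' and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE)
        return scan_volume(root)

if __name__ == "__main__":
    for key, value in demo():
        print(f"autorun launch entry: {key} = {value}")
```

A non-empty result is a reason to hold the drive for anti-virus scanning before any file on it is opened.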

Maintaining Productivity and Mobility
In most cases, data loss and malware infection resulting from USB drives are not intentional. More often than not, an employee or user innocently used a device without realizing the potential harm to the organization. These users are not security experts and are often simply unaware of any internal policies and the implications of unsecured USB drives.

Over time, more details are likely to emerge about the US Army incident. For most organizations, completely banning USB flash drives inhibits the mobility of end users. Organizations in all vertical industries need to implement policies, but they also need technologies, including antivirus, USB encryption, and password protection, that ensure the highest degree of USB security without impacting the productivity and mobility benefits of USB drives.

About the Author
Eric Krauss is Director of Federal Business Development for SanDisk Enterprise Solutions.


© Copyright 2008 Auerbach Publications