Taking The You Out Of USB

Uploaded on 2024-11-26 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Portable storage devices such as USB sticks continue to be a problem on corporate networks. Because they plug directly into the corporate network, they effectively sidestep initial defences, making it easier for any malware on the device such as ransomware, keylogging or spyware, to then infiltrate the network.

And they’re a convenient way to transmit data which increases the risk of data loss or theft, with recent reports claiming over half of IT security professionals have seen company data stolen via USB during the last two years.

For these reasons, they’re also a particular concern when it comes to air gapped networks whose principal means of defence is segregation. 

Given these risks and the fact that these devices are used on a routine basis, it would be fair to assume organisations would seek to control USB use through acceptable use policies and by ensuring that only company sanctioned devices are used. But the reality is that only half of these devices are currently supplied by employers and only a quarter of companies specify the supplier that must be used.

That means a significant number of devices are purchased and used with no oversight whatsoever.

So how can businesses take the ‘you’ out of the USB and reduce the potential risks posed by these devices? First of all, it’s important to reduce the potential for malicious firmware by restricting which sticks are deemed acceptable for work use. But the next consideration then has to be how you protect your data once it is on that device. 

Safeguarding Data

Encryption is a must as it ensures that the minute the data leaves the network it is stored securely, with AES 256-bit encryption seen as the standard. Worryingly, privately sourced or owned USB sticks probably do not have any form of encryption housed on them and the vast majority are also not password protected. Encryption ensures that the data will remain protected even if it falls into the wrong hands, which is vital because users won’t always report when a device is stolen, either due to inertia or through fear of repercussions. To counter this, it’s advisable to encourage a culture of disclosure through regular user training exercises.

Users should also have to abide by an acceptable use policy that specifies acceptable device versions and to implement strong passwords. It’s also possible to log every time a USB key is used and to prevent unsanctioned USB keys from logging on altogether to the corporate network. Although the best defence is to lock ports to only accept approved devices, so you know anything else is blocked by default.

Real-time monitoring of these devices ensures the business knows where its data is.

If the business owns or governs the USB device it can also oversee data sanitisation, that is the permanent deletion of data. Contrary to popular belief, simply emptying the contents of a USB on a computer does not fully remove that data, making it possible to recover information. 

Selection Criteria

When it comes to selecting USBs, there are some important considerations to bear in mind. Whether buying direct or via a Managed Security Services Provider (MSSP), the business should seek to ascertain how the drives comply with industry standards and if it has been accredited. 

Accreditations such as FIPS 140-2 ensure that the device uses a high standard of cryptography. As mentioned, AES 256 is also regarded as the industry standard for encryption, but other considerations include whether the device is TAA (Trade Agreements Act) compliant, meaning it has to be manufactured or substantially engineered in the US or a TAA-designated country. 

These standards ensure the device has been rigorously tested and meet not just corporate but government and even military standards of encryption. But the business can and should also seek to govern the devices in use.

Taking the individual out of the equation by providing or recommending USBs and implementing controls can significantly reduce the risk associated with these peripheral devices without impinging upon the individual or taking away the flexibility they confer. 

Jon Fielding is Managing Director for EMEA at Apricorn

Image: charlesdeluvio

You Might Also Read:

USB Attacks: The Threat Putting Critical Infrastructure At Risk:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« British Government Minister Predicts Russia Will Step Up Cyber Attacks 
Cyber Attacks On Britain's Water Supply »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

44CON

44CON

44CON is an Information Security Conference & Training event taking place in London. Designed to provide something for the business and technical Information Security professional.

Itaccel

Itaccel

IT Accel began a decade ago as a band of technical recruiters who wanted to bring our experience and depth of knowledge to solving complex human resou

Cifas

Cifas

Cifas are leaders in fraud prevention, working closely with UK law enforcement partners.

ControlCase

ControlCase

ControlCase provide solutions that address all aspects of IT-GRCM (Governance, Risk Management and Compliance Management).

Capita

Capita

Capita is a consulting, digital services and software business, providing end-to-end enterprise IT services and solutions focused around digital transformation and innovation.

ElcomSoft

ElcomSoft

ElcomSoft is a global leader in computer and mobile forensics, IT security and forensic data recovery.

Halon

Halon

Halon is a flexible security and operations platform for in-transit email.

Infigo IS

Infigo IS

INFIGO IS specializes in information security consulting services. Our employees are leading information security experts in Croatia.

Dualog

Dualog

Dualog provides a maritime digital platform which ensures that services work reliably and securely onboard.

Defscope

Defscope

Defscope is an Azerbaijani company entirely focused on cybersecurity offering training, security consulting, and other professional services.

OwnBackup

OwnBackup

OwnBackup proactively prevents you from losing mission-critical data and metadata with automated backups and rapid, stress-free recovery.

Future Planet Capital

Future Planet Capital

Future Planet is the impact-led, global venture capital firm built to invest in high growth potential companies from the world's top research centres.

Rocky Mountain Cybersecurity

Rocky Mountain Cybersecurity

Rocky Mountain Cybersecurity's mission is to provide value by dramatically improving the cybersecurity posture of our clients and business partners.

ViewDS Identity Solutions

ViewDS Identity Solutions

ViewDS Identity Solutions develops innovative identity software including cloud identity management solutions, directory services, access and authorization management solutions.

Mindgard

Mindgard

The Mindgard Security Copilot platform secures your Artificial Intelligence, GenAI and LLMs.

ARGOS Cloud Security

ARGOS Cloud Security

ARGOS aims to simplify and strengthen cloud security, by creating a visual map of security vulnerabilities, to your priceless information stored in any cloud provider environment.