Operations
12/10/2014
11:45 AM
Cam Roberson
Commentary

Smartphones Get Headlines, But Lax USB Security Is Just As Risky

Most companies use no software to detect or secure sensitive data when it is moved to a USB flash drive, or even to check USB drives for viruses or malware.

While more expensive (and, OK, exciting) mobile devices like smartphones and tablets receive the lion’s share of data security scrutiny, organizations would be wise not to overlook the profound and costly damage a company can suffer due to those simple, unsecured USB flash drives. They are small, they are cheap, and they could be easily forgotten -- if not for the fact they usually contain a ton of sensitive company data.

Employees often place confidential data on USB flash drives while giving little care to the potential risks. In fact, in today’s world where issues such as BadUSB and Stuxnet fill the headlines, a 2013 AhnLab survey found that 78% of IT professionals admit to having picked up and plugged in abandoned USB drives they just happened to find. Non-shockingly, 68% of these IT professionals report being involved in a data breach, many USB-related. And while expensive devices like laptops, phones, and tablets are typically managed so that their losses are noticed immediately, many companies have no way of knowing if USB flash drives became lost or stolen.

Researchers in a recent 2014 study have found that secondhand USB drives purchased on sites like eBay often contain easily recoverable corporate or personal confidential information, with data never having been deleted in 29% of cases. If most organizations make great efforts to protectively house their sensitive data in a bunker of security software and device access policies, the lack of a spotlight on USB flash drive security makes these devices a frighteningly open door. Data is data, no matter how fancy the home that it lives in.

In our age of über-mobility and workers taking large data files with them across the work/home divide, USB flash drive use is so common it has become almost an afterthought, with tens of millions of the inexpensive devices in use and going overlooked each year. Many organizations leave USB flash drives unsecured because they do not want to hamper worker productivity, and most use no software to detect or secure sensitive data when it is moved to a USB flash drive, or to check USB drives for viruses or malware. Those same businesses, though, certainly would not extend that risk to other mobile devices like smartphones, tablets, or laptops.

These numbers are concerning, and organizations that ignore USB flash drive security do so at their peril. In July of this year, the Duke University Health System experienced a patient data breach resulting from the theft of an unencrypted thumb drive. A similar incident in June saw the data of 33,000 Santa Rosa Memorial Hospital patients stolen in a burglary from a staff member’s locker. Incidents like these prove the importance of treating USB flash drives as a critical front when an organization sets policies and strategies around device security.

Prevention techniques aren’t all that different from those for employee phones and tablets. For smaller businesses without dedicated IT security personnel (but whose data is no less important), USB flash drive data security can be handled through MSPs and software resellers. Another option is services that offer hardened and secured USB devices as a solution, but these take away the versatility of carrying a personal data device that can be used to move any file (which, of course, is the reason users like them).

Corporate data breaches are not the only security concerns; people who use their own devices for work might have personal files on them, too -- files they don’t want anyone, including their company, to see. One way around this is to create a secure division within the drive, where there are two segments on the same device: business and personal (not unlike a digital mullet, if you will). In this setup, companies can control their halves of devices, securing and encrypting files, and retaining the capability to remotely wipe their data if necessary. At the same time, the personal files a user keeps on her device are separate and not mixed up with company data.

This system has several advantages as far as security and user convenience. Workers can use their own devices and keep them if they leave the company (which, let’s face it, they probably would do anyway). If a device is lost or stolen, or if the worker is no longer authorized to have certain data, the company can quarantine or remotely wipe the files that belong to it. Such solutions are cloud-based; the user inputs her username and password, and the device “phones home” to the server and authenticates. If the admin hasn’t blocked that device from accessing the files in its drive, then those files are available. If the admin does block them, the user can’t get to them, and the admin can also simply remove the data.

That second authentication factor is key to USB device security, because with these devices the username and password credentials are often compromised. USB flash drives are designed for sharing, and the credentials are usually shared as well. Former employees will still know the passwords to devices in their possession. (In fact, we’ve often seen USB drives with the passwords written in Sharpie right on the device.)
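
A minimal model of the phone-home check described above, added here as an illustration and not the code of any vendor or product named on this page: the server releases its half of the key only when the credentials match and the admin has not blocked the device. The `PolicyServer` class, the state names, the PBKDF2 work factor, and the choice to derive the file key from both the password and a server-held share are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value)

def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)

class PolicyServer:
    """Constructed stand-in for the cloud console; all names are hypothetical."""

    def __init__(self):
        self._devices = {}

    def enroll(self, device_id: str, user: str, password: str) -> bytes:
        salt = os.urandom(16)
        self._devices[device_id] = {
            "user": user, "salt": salt, "state": "active",
            "verifier": _kdf(password.encode(), salt),
            "share": os.urandom(32),  # server half of the key, never on the drive
        }
        return salt  # stored on the drive next to the ciphertext

    def set_state(self, device_id: str, state: str) -> None:
        """Admin action: 'active', 'quarantined' or 'wiped'."""
        rec = self._devices[device_id]
        rec["state"] = state
        if state == "wiped":
            rec["share"] = None  # without it the data key cannot be rebuilt

    def phone_home(self, device_id: str, user: str, password: str):
        """Return (decision, share); the share is released only on 'allow'."""
        rec = self._devices.get(device_id)
        if rec is None or rec["user"] != user:
            return "deny", None
        if not hmac.compare_digest(_kdf(password.encode(), rec["salt"]), rec["verifier"]):
            return "deny", None
        if rec["state"] != "active":  # credentials alone are not enough
            return rec["state"], None
        return "allow", rec["share"]

def data_key(password: str, salt: bytes, share: bytes) -> bytes:
    """Drive side: the file key depends on the password AND the server share."""
    return _kdf(password.encode() + share, salt)
```

Because the file key cannot be rebuilt without the server share, a holder who knows the password but whose device has been quarantined or wiped gets no usable key, which is the case of the former employee or the password written on the drive.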

Device security, be it phones, tablets, laptops, or other items, is often a balance between simplicity for the user and the strictness of control by organizations. This is certainly the case with USB flash drives. When looking at how to protect their mobile devices, companies should value the versatility employees enjoy when allowed to use their personal drives for work purposes, while putting in place measures to protect sensitive company data without encumbering their workers with difficult hoops to jump through.

The ultimate goal for companies should be to keep data readily available for those who need it to do their jobs, while keeping it safe from those who mean harm. Easier said than done, of course, but it’s better than making the news for an errant USB drive with hundreds of thousands of Social Security numbers on it.

Cam Roberson is the Director of the Reseller Channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.
Comments
1eustace,
User Rank: Strategist
1/7/2015 | 1:07:06 PM
Re: Managing USBs? Impossible!
Great points.  But such DLP policies come at a great cost – efficiency & productivity loss.  It is not a surprise organizations that sustain such models are less concerned about costs.  Most non-governmental organizations will go under if they make similar sacrifices, with very few exceptions.  I have worked with some of these exceptions, private companies with close to DoD type DLP strategies, and the only reason they get away with such is because they have other companies freely working for them.  Not an exact analogy but this is akin to Wal-Mart having suppliers doing most of their work towards stocking their shelves.  Outside of these select few, strict DLP strategies are not an option to most organizations.  Not to lose hope, more practical solutions are possible but such will require tying the USB infrastructure into hardened security hardware. Unfortunately, it might require more major exploitations for the industry to head in this direction.
exacttrak,
User Rank: Apprentice
12/15/2014 | 4:50:36 AM
Secure USB Flash Drives
It is one thing to have a USB Flash Drive that encrypts data but the issue is what happens when a USB Flash Drive is lost or stolen. My company, ExactTrak, manufactures and sells a USB Flash Drive that can be tracked, managed and destroyed all through a central management console and without the need to be plugged in to a host PC or Laptop. If one of our customers has a Security Guardian device lost or stolen they can locate the device, anywhere in the world and turn off access to the data. They can then choose to retrieve the device or remotely destroy (not delete or overwrite the data but destroy the device). Same thing goes for when an employee leaves the company. If they don't hand the device back it can be destroyed to ensure company data is not compromised.
ODA155,
User Rank: Ninja
12/11/2014 | 4:55:35 PM
Re: Managing USBs? Impossible!
"Any data moved to USB devices at my former employer were automatically encrypted as was all data on laptop hard drives and SSDs."

Same here, as well as an email to the offender from the DLP system telling them what they just did was a violation of policy and an alert that was sent to IR (Incident Response) who in turn contacted the offending individual's manager within 10-15 minutes if it happened during the work day. All a company would need is a good DLP solution, policy and someone to monitor\manage it properly.
dholcombe,
User Rank: Apprentice
12/11/2014 | 4:32:05 PM
Re: Managing USBs? Impossible!
Any data moved to USB devices at my former employer were automatically encrypted as was all data on laptop hard drives and SSDs. Unfortunately they missed encrypting data going to drives attached via eSATA on laptops. You have to think about all vectors through which data can flow rather than a select few. Just targeting USB is also not enough, you must also make sure you take care of any built-in card readers, eSATA, or other ports through which data may flow.

As far as encryption of USB itself, that policy/program was quite successful and most users outside of engineering/IT did not have eSATA ports. For 90%+ of our userbase it became impossible to copy unencrypted data to a USB key and then lose it in an airport.
aws0513,
User Rank: Ninja
12/11/2014 | 11:05:25 AM
Re: Managing USBs? Impossible!
There are places where USB policies are quite strict and overtly enforced.

First would be government classified environments where USB storage is highly controlled.  In some SCIF environments, even having a USB device on your person is grounds for administrative action.  The DoD mandates the use of USB protections (both physical and logical) to prevent unauthorized use of USB storage of any kind.
Where USB devices are used in classified environments, they are (supposed to be) highly monitored and controlled.
The policies behind the USB restrictions in classified environments are usually part of a larger DLP strategy that includes how hard media (CDs/DVDs/tapes) is managed and controlled.

BTW...  those classified programs still function just fine without USB storage devices.  Albeit some could claim they could be working better, most classified systems owners have determined the risk is not worthy of the benefits.
Workers within those environments are not given an opportunity to even try to buck the trend.  In general, all workers within classified environments accept the situation as necessary and normal. Anything less stringent seems alien to them and is usually met with distrust and very little acceptance.

Another place I have seen similar policies was on critical banking and finance systems where the organization implemented administrative and technical controls to prevent wholesale data exfiltration due to internal threats.
Again, the workers in those environments accepted the situation as normal. 

In the end, the implementation of a strong USB storage use policy is a matter of willpower of the organization to take the necessary steps to implement effective controls and cultural acceptance that such policies and practices must exist.
The best example analogy I can relate in this matter would be smoking.  Twenty years ago nobody would have considered it possible that laws would exist prohibiting smoking within pubs/taverns/bars.  Now we have several states with such laws with likely more to follow.  All of this still came down to willpower to enact/enforce and cultural acceptance to conform to the new standard.
Marilyn Cohodas,
User Rank: Strategist
12/11/2014 | 9:30:22 AM
Re: Managing USBs? Impossible!
Prohibiting USBs or requiring encryption seems to me like a totally unenforceable policy. Simpler to plug up USB ports on all company-owned laptops -- and even that is unthinkable...

Curious to know what, if any, USB policies are in place within the Dark Reading community. Any success/horror stories to share?
CAMROBERSON,
User Rank: Author
12/10/2014 | 7:48:53 PM
Re: Managing USBs? Impossible!
Agree completely. It's incredible (and illogical), though, given the ease of data loss! The exact same dangerous data on other digital platforms is watched like a hawk, but no policies (or cares?) seem to exist around protecting it on other forms. Maybe it's time to disallow USBs or start enforcing encryption/authentication like on other devices.
Marilyn Cohodas,
User Rank: Strategist
12/10/2014 | 3:51:48 PM
Managing USBs? Impossible!
It's hard for me to imagine enterprises -- let alone SMBs -- developing policies  and strategies around USB security. Smartphones may get headlines, but companies haven't really cracked the BYOD code for employees. The ubiquitous USB seems like an even greater challenge... 

 