Open Letter From SESTA Calls For Tighter USB Security

A few weeks ago, the U.S. military wisely instituted a short-term ban on the use of USB drives after a worm infiltrated Army networks when a user plugged in a USB drive infected with malware.[1] Clearly, the Army needed to act quickly to maintain the integrity of its network and furthermore stated that the policy was short-term, allowing them to re-evaluate their policies and practices in regard to USB flash drive usage.

We commend them on this reevaluation effort largely because of the fact that flash drives have become a fundamental component of today's business environment, and instituting stringent policies is key to safeguarding organizations, users and, in many cases, sensitive personal information of others.

Flash drives make it both convenient and easy to move massive amounts of data from virtually any computer to another, these tiny yet powerful devices improve workforce mobility and productivity-which, in turn, increases business agility and boosts the bottom line.

It is possible for enterprises and government organizations to reap the benefits of removable media without the security risks. But it takes a tiered approach to security that includes encryption, centralized management, password protection and anti-malware.

USB drive usage and the cost of lost data A SanDisk Endpoint Security Survey in April 2008 found that the use of flash drives is often underestimated by IT professionals. The research demonstrated that 77 percent of corporate users admit to using their personal USB drives for work, yet IT professionals reported that they believe only 35 percent of corporate users are using personal USB flash drives for work.

Forrester Research data shows that 52 percent of companies surveyed have suffered data loss via USB drives and other removable media.[2] The Ponemon Institute reports that 53 percent of companies acknowledge confidential data resides on flash drives.[3] At the same time, 53 percent of these companies would have no way of knowing what data was on the flash drive if it was lost. Since 2005, more than 245 million records containing sensitive personal information have been involved in security breaches in the U.S. alone, according to Privacy Rights Clearinghouse.[4] Ponemon further reports that the average security breach costs corporations $6.3 million.[5]

In most cases, data loss and malware infection resulting from USB flash drives is not intentional. More often than not, an employee or user innocently used a device without realizing the potential harm to the organization. These users are not security experts and are often simply unaware of any internal policies and the implications of unsecured USB drives.

However, in order to mitigate risks, organizations not only need better policies, they need better enforcement of enabling technologies.

New policies and better enforcement SESTA (SanDisk Enterprise Security Technology Alliance) helps organizations realize the compatibility of security products with secure USB flash drives and management solutions from SanDisk Enterprise. This promotes interoperability in the corporate security environment and eases adoption of such products and solutions.

While many corporate IT managers have taken some steps to implement policies and training, more should be done proactively in addressing potential risks from USB flash drive usage within their organizations.

SESTA calls upon IT professionals to do more to adopt more stringent policies and begin to enforce them without limiting employee productivity and flexibility.

The adoption of best practices should include:

* Centralized security management solution * Encryption and password protection * Malware protection

Additionally, education around USB flash drive usage should be incorporated into an organizations standard security education program. Users should understand the need to use only company-issued devices, and be aware of the rules and restrictions around how these devices should be used.

Centrally-managed security solution In addition to the steps taken to secure the actual drives, organizations need help enforcing the use of these drives through central management. There are a number of technologies that provide policy-based enforcement of portable device use in order to secure endpoints from data leakage and further protect against malware. These technologies track the lifecycle of portable devices, from initial user deployment, through tasks such as password recovery and data backup, and finally to drive termination.

The key for such technologies is to provide continuous enforcement of company policy by tracking and monitoring activity beyond the corporate network.

Policies can be enforced with the right technologies. Central management solutions can help organizations to better control data when in use outside the network perimeter by extending the network security policies to secure USB drives. This should include full audit tracking of USB drive use, even when used outside of the network; scheduled and automatic backup of USB drive contents; compliance reporting using built-in and customized reports and remote termination (or "poison pill" signal) for lost drives.

Encryption and password protection Reducing the risk of data leakage through USB drives helps organizations protect their reputation and meet internal and external guidelines for information security. For example, U.S. financial companies are tasked with demonstrating extensive compliance with laws such as the Gramm-Leach-Bliley Act (GLBA), while healthcare providers and insurers must address the demands of the Health Insurance Portability and Accountability Act (HIPAA) for safeguarding electronic protected health information (ePHI). For credit card companies and merchants, the Payment Card Industry Data Security Standard (PCI DSS) is a priority, and sections of the Sarbanes-Oxley Act (SOX) work to secure IT infrastructures and sensitive corporate data. In Europe, the EU Data Protection Directive and Basel II set recommendations for the secure handling of information.

Among the most effective tools for minimizing the risk of data loss and leakage via USB flash drives are hardware-based encryption and password protection. This combination of USB encryption and password protection makes it extremely difficult for unauthorized users to access data if the drive is lost or stolen. Furthermore, when used in combination with virus scanning, encryption and password protection offer a formidable defense against security risks.

Malware protection Malware has been in existence almost as long as computers themselves. However, it, like most security threats finds new channels - including USB flash drives - to keep administrators guessing. There has been a rise of incidents where malware has been spread through USB drives, including the recent U.S. Army's virus interception previously mentioned. In May 2007, the SillyFD-AA worm spread by copying itself onto removable media such as USB flash drives, then automatically running when that drive was connected to a PC.[6] The following month, the LiarVB-A worm surfaced. Like the SillyFD-AA worm, it too spread by copying itself onto removable drives such as USB flash drives and running as soon as the device connected to a PC.[7]

And more recently, in August 2008, NASA made headlines after the TGammima.AG worm infected a computer on the International Space Station which was uploaded via an unsecured USB flash drive.[8]

These incidents point to the possibility that USB drives are becoming a more popular propagation method. The April 2008 Information Security Breaches Survey by PricewaterhouseCoopers and the UK Department of Business, Enterprise, and Regulatory Reform (BERR) underscores the relevance of this concern, pointing out that two-thirds of UK companies allow employees to remove data on unsecured USB sticks.[9]

As the use of flash drives grows and USB device-borne threats increases, enterprises must limit the propagation of such threats through a multi-tiered defense that includes virus scanning. Every file that is saved or copied to the USB drive must be scanned. To take it a step further, the host must also be scanned whenever the USB device is inserted. With this layer of protection in place on the USB drive, organizations can be sure that their network and USB flash drives are virus-free.

Conclusion For most organizations, completely banning USB flash drives inhibits the mobility of end users. Organizations of all industries need to implement policies, but they also need technologies that ensure the highest degree of security without impacting the productivity and mobility benefits of USB drives, including antivirus, encryption, password protection and a centrally-managed security solution.

We call upon all IT professionals to do more to provide better security without hampering worker productivity through the implementation of these simple steps.

Signed by the following SESTA members:

SanDisk Corporation http://www.sandisk.com/enterprise

Centennial Software, part of FrontRange Solutions http://www.frontrange.com

ControlGuard http://www.controlguard.com

CoSoSys http://www.EndpointProtector.com

DeviceLock http://www.devicelock.com/dl/

Diversinet http://www.diversinet.com

Dmailer http://www.dmailer.com

Lumension http://www.lumension.com

McAfee http://www.mcafee.com

Safend http://www.safend.com

Secuware http://www.secuware.com

Vericept http://www.vericept.com

WinMagic http://www.winmagic.com

Xenocode http://www.xenocode.com