Dark Reading is part of the Informa Tech Division of Informa PLC



3/28/2008
09:30 AM

Tech Insight: Keeping Your Thumb on Thumb Drives

Those little USB drives certainly are handy, but how do you keep your company's sensitive data from walking away? Here are a few ideas

Every time it begins to seem safe to read the news again, there’s a new security breach report: Another company is reporting the potential exposure of customers' personal data as a result of the loss or theft of a laptop, backup tape, or external drive. You'd think all these reports would teach companies a lesson, but it’s apparent that most companies must learn that lesson firsthand -- by experiencing it themselves.

While laptop thefts are reported nearly every day, it's unusual to hear about the loss of portable USB storage devices (thumb drives). Is that because enterprises have learned to secure them properly? Or is it because thumb drives are nearly impossible to track, and most companies have no idea when they have been lost or stolen?

There's no easy way to answer that question, but it is worth noting that there are technologies, both hardware and software, which are helping enterprises to secure data stored on thumb drives. These technologies differ in effectiveness and transparency to the user, but in the end, securing data at rest on thumb drives isn't rocket science -- and it can be done on an enterprise level or in an ad hoc fashion.

Thumb drive manufacturers have been including “security” software on their products for a couple of years, but the functionality has been limited, typically providing only basic encryption of files stored on the device. Last year, we saw more sophisticated thumb drives that perform file encryption at the hardware level -- such as the eye-catching IronKey -- but the cross-platform functionality and read/write speeds vary greatly, as we saw in the recent reviews from InformationWeek. Only a few thumb drives offer enterprise-level management features.

Some organizations are attempting to secure their data by completely disallowing all thumb drives, but that isn't a decision that many organizations are ready to make -- there are many legitimate uses for these little babies. The real question is how to secure the data that the users place on the drives -- not how to prevent data from being written to the drive.

One solution is to take a hybrid approach, using a software product that only allows usage of thumb drives with pre-defined serial numbers in conjunction with an IronKey to handle the encryption. Some antivirus suites, like Symantec's Endpoint Protection (SEP) 11, already offer this type of capability. Pair that control with company-issued IronKeys (or a similar product), and you can almost eliminate the panic that's caused by the accidental exposure of these devices (provided the user didn't write the password on the device).
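The serial-number control described above can also be checked after the fact. The following is an added example, not code from the article or from any of the products it names: it audits Windows USBSTOR device instance IDs (assumed to have been exported from endpoints) against an allowlist of issued drive serials. The allowlist and the sample IDs are constructed.

```python
import re

# Assumption: serial numbers of company-issued drives (constructed values).
APPROVED_SERIALS = {"0A1B2C3D4E5F6071", "4C53000123456789"}

# Windows USBSTOR device instance ID:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance>
USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)

def classify(instance_id, approved=APPROVED_SERIALS):
    """Return (verdict, serial) for one device instance ID."""
    m = USBSTOR_RE.match(instance_id.strip())
    if not m:
        return ("unparsed", None)
    instance = m.group("instance")
    # If the second character is '&', the device reported no serial and
    # Windows generated the ID, so it cannot be matched to an issued drive.
    if len(instance) > 1 and instance[1] == "&":
        return ("no-unique-serial", None)
    # Drop the trailing "&<n>" suffix Windows appends to the serial.
    serial = instance.rsplit("&", 1)[0].upper()
    return ("approved" if serial in approved else "unapproved", serial)

def audit(instance_ids, approved=APPROVED_SERIALS):
    """Return every device that is not an approved, serialised drive."""
    findings = []
    for iid in instance_ids:
        verdict, serial = classify(iid, approved)
        if verdict != "approved":
            findings.append((verdict, serial, iid))
    return findings

# Constructed sample inventory (not real devices).
SAMPLE = [
    r"USBSTOR\Disk&Ven_IronKey&Prod_Secure_Drive&Rev_1.00\0A1B2C3D4E5F6071&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2f3a9b1c&0",
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\001CC0EC34A1&0",
    "not a device id",
]

if __name__ == "__main__":
    for verdict, serial, iid in audit(SAMPLE):
        print(f"{verdict:17} {serial or '-':18} {iid}")
```

Drives that report no unique serial cannot be allowlisted by serial number at all, which is one reason to pair this control with company-issued hardware.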

One disadvantage of the IronKey products: They aren't cheap. If your users are prone to losing thumb drives, a smarter investment might be to purchase cheaper thumb drives and rely on a software-only solution to handle the security. Lumension Security Sanctuary Device Control and Credant Mobile Guardian for External Media are two solutions that can transparently encrypt data that is copied to thumb drives -- without any special hardware or interaction from the user.

If you're on a very tight budget -- and if you have a high level of trust in your users and don’t need an enterprise solution -- cheap thumb drives and the open-source TrueCrypt technology could be the way to go. Once you've trained your users and done the initial setup, the data stored in encrypted TrueCrypt volumes on the thumb drives would be secure -- and you've got a solution that works equally well for Windows, Linux, and Mac OS X.

Each of these approaches has its own pros and cons, depending on the level of user interaction you need, the hardware and software costs you can afford, and the centralized management capabilities you require. As with most security solutions, when it comes to protecting sensitive information from accidental disclosure, there definitely is no "one size fits all."

If you aren't using any of these approaches, though, take a closer look at all of them and make a move soon. It's a lot cheaper to implement portable drive security than it is to notify thousands of customers that their data has been breached.


  • Credant Technologies
  • IronKey Inc.
  • Lumension Security
  • Symantec Corp. (Nasdaq: SYMC)
