Data leakage
The large storage capacity of USB flash drives relative to their small size and low cost means that using them for data storage without adequate operational and logical controls can pose a serious threat to information confidentiality, integrity, and availability. The following factors should be taken into consideration for securing USB drives assets:
- Storage: USB flash drives are hard to track physically, being stored in bags, backpacks, laptop cases, jackets, trouser pockets, or left at unattended workstations.
- Usage: tracking corporate data stored on personal flash drives is a significant challenge; the drives are small, common, and constantly moving. While many enterprises have strict management policies toward USB drives, and some companies ban them outright to minimize risk, others seem unaware of the risks these devices pose to system security.
The average cost of a data breach from any source (not necessarily a flash drive) ranges from less than $100,000 to about $2.5 million.
- customer data (25%)
- financial information (17%)
- business plans (15%)
- employee data (13%)
- marketing plans (13%)
- intellectual property (6%)
- source code (6%)
Examples of security breaches resulting from USB drives include:
- In the UK:
- HM Revenue & Customs lost personal details of 6,500 private pension holders
- In the United States:
- a USB drive was stolen with names, grades, and social security numbers of 6,500 former students
- USB flash drives with US Army classified military information were up for sale at a bazaar outside Bagram, Afghanistan.
- HM Revenue & Customs lost personal details of 6,500 private pension holders
- a USB drive was stolen with names, grades, and social security numbers of 6,500 former students
- USB flash drives with US Army classified military information were up for sale at a bazaar outside Bagram, Afghanistan.
Solutions
Since the security of the physical drive cannot be guaranteed without compromising the benefits of portability, security measures are primarily devoted to making the data on a compromised drive inaccessible to unauthorized users and unauthorized processes, such as may be executed by malware. One common approach is to encrypt the data for storage, and routinely scan drives for malware with an antivirus program, although other methods are possible.
Software encryption
Software solutions such as FreeOTFE and TrueCrypt allow the contents of a USB drive to be encrypted automatically and transparently. Also, Windows 7 Enterprise and Ultimate Editions and Windows Server 2008 R2 provide USB drive encryption using BitLocker to Go. The Apple Computer Mac OS X operating system has provided software for disc data encryption since Mac OS X Panther was issued in 2003.
Additional software can be installed on an external USB drive to prevent access to files in case the drive becomes lost or stolen. Installing software on company computers may help track and minimize risk by recording the interactions between any USB drive and the computer and storing them in a centralized database.
ConversionConversion EmoticonEmoticon