Secure USB Flash Drives: What Price Protection?
October 2009 by Jason Holloway of SanDisk Enterprise Division
The cost of USB-borne virus infections can be high, as Ealing Council has found. So how do organisations avoid both data leaks and malware infections from USB drives?
How many times have you used a USB flash drive at your offices? Hundreds? Thousands? Their sheer convenience makes usage almost second nature. But as often happens with IT security, whenever a device or platform becomes popular, it also becomes a target for malicious exploits – making it a security risk that can prove costly.
UK local government organisation Ealing Council discovered the high cost of taking a security risk in May this year, when an employee inadvertently used an infected memory stick.
The council’s own report detailed what happened next: ‘At the point the memory stick was plugged in the virus (believed to be a Conficker variant) attacked the host PC. It blocked connections to anti-virus and Microsoft Support websites and attempted to establish connections with 500 internet sites chosen at random from a selection of 25,000 … It then started propagating itself across the network.’
The result was several days’ disruption to IT services and major recovery costs, as well as lost revenues from departments being unable to process transactions. The total bill was over £500,000 (more than $800,000).
The stick and the carrot
That’s a hefty price to pay for simply using a memory stick. The automatic – and understandable – reaction to this would be to simply ban the use of portable media devices. After all, in late 2008 the US Army’s networks were hit by the Agent.btz worm, triggering a ban on the use of all removable storage. And of course, there are the added risks of the USB flash drive being lost or stolen, with the potential for a data breach.
But there’s also a considerable incentive to keep using flash drives. Employees need the tools and information to be able to work flexibly and efficiently – and when used and secured properly, flash drives provide that.
So to ensure the viability of flash drives as a business productivity tool, organisations must ensure that USB flash drives can only be used in compliance with corporate security policies, and with industry and government regulations for data protection.
This means prohibiting the use of all personal, non-authorised USB devices, and instead providing staff with a more secure USB flash drive that proactively protects against both malicious infection and the risks of data leakage.
It also means supporting the drives with intelligent device management, data monitoring and central policy enforcement, to meet business and regulatory demands. Let’s take a closer look at how these needs can be met, and security risks mitigated, without paying a high price for protection.
To stop malware spreading via flash drives, every file that is saved or copied to the drive must be scanned, and the host PC must be scanned whenever the drive is inserted. This demands an anti-virus engine on the flash drive itself: when the drive connects to the host Windows PC, the PC’s memory is scanned to stop the transfer of infected files to the drive, and if the host is infected, the secure USB drive automatically shuts down. Each file that is saved or copied from a PC to the drive is scanned as well.
To stop data loss and leakage via USB flash drives, the key weapon is hardware-based encryption and password protection, again integrated with the drive. This makes it extremely difficult for unauthorised users to access data if the drive is lost or stolen. Furthermore, when used in combination with virus scanning, automated encryption and password protection offer a formidable defense against security risks.
The USB drive must impose mandatory access control on all files, storing them in a 100% private partition that is hardware-encrypted with 256-bit AES and password-protected. The drive locks down when a specified number of incorrect password attempts is made. This secures all stored data in the event of drive loss or theft.
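The lockout rule described above can be modelled in a few lines. This is an added example, not SanDisk's firmware or code from the article; the class name, the PBKDF2 verifier and the default limit of five attempts are assumptions chosen for illustration. It shows one detail that matters in practice: the attempt is counted before the password is checked, so interrupting the check cannot buy a free guess.

```python
import hashlib
import hmac
import os


class DriveLockModel:
    """Toy model of a secure drive's unlock logic (hypothetical, for illustration)."""

    def __init__(self, password: str, max_attempts: int = 5):
        self.salt = os.urandom(16)
        self.verifier = self._derive(password)
        self.max_attempts = max_attempts
        # On a real device these two fields would live in non-volatile,
        # tamper-resistant storage so they survive unplugging the drive.
        self.failed = 0
        self.locked = False

    def _derive(self, password: str) -> bytes:
        # A slow, salted derivation makes each guess costly even offline.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def remaining(self) -> int:
        return 0 if self.locked else self.max_attempts - self.failed

    def unlock(self, password: str) -> str:
        if self.locked:
            return "locked"
        # Count the attempt first; only a successful check resets the counter.
        self.failed += 1
        if hmac.compare_digest(self._derive(password), self.verifier):
            self.failed = 0
            return "unlocked"
        if self.failed >= self.max_attempts:
            self.locked = True  # no further guesses are evaluated
            return "locked"
        return "denied"


if __name__ == "__main__":
    drive = DriveLockModel("constructed-sample-password", max_attempts=3)
    for guess in ("1234", "password", "letmein", "constructed-sample-password"):
        print(guess, "->", drive.unlock(guess), "| remaining:", drive.remaining())
```

Once the model reports `locked`, even the correct password is refused; what recovery from that state looks like is left to the management layer and is not modelled here.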
Management software must coordinate the complete lifecycle of the drives, from initial user deployment to password recovery, data backup, and remote drive termination.
Desirable management features include: automatic mapping of drives to users; centralised control and distribution of security policy settings; full audit tracking of secure USB drive use, even when used outside of the network; remote installation of new software and updates to secure USB drives; scheduled and automatic backup of secure USB drive contents; compliance reporting using built-in and customized reports; and optional assignment of software tokens, which authenticate against RSA secured applications.
So by deploying USB security at multiple tiers, it’s possible to protect data and networks against infections and losses while retaining the flexibility of the drives for authorised employees. Security always comes at a price, but it’s modest compared with the costs of dealing with a major security breach.