USB flash drives, pen drives, portable hard disks: these tiny,
high-capacity storage devices have a thousand and one uses. They have rendered
most other types of portable storage (floppy disks, ZIP drives, and even
rewritable CDs) pretty much obsolete. Their high capacity and high reliability
(with no moving/mechanical parts to fail), combined with extreme ease of use,
make them the ultimate in portable storage. You rarely need to install drivers
for them, making them true plug and play devices. At the time of this writing,
a 2GB USB2 flash drive will set you back £37; that's pretty affordable!

There is no question that USB portable storage has changed
the way people view portable media and the way in which people work.
Previously, 3.5″ floppy disks were used to cart work back and forth; any
IT support staff can tell you that these were less than reliable, and trying to
explain to users why their disks had become corrupted was no easy task! Any
files over the 1.4-MB limit of a floppy disk would require either a ZIP drive,
or later, a writable CD to transfer. The ZIP drive was awkward to carry around,
requiring drivers to be installed on most PCs, which was often not allowed by the
Windows policies in place. CDR/RW was a great improvement but the media was
delicate and still gave some compatibility issues with older CDROM drives not
being able to read the new disks. USB Flash drives saved us all; however, they
do now present administrators with a new set of problems, and re-present older
issues.

The Los Angeles Times a few weeks back highlighted one major security issue
which has been created with the introduction of USB storage. I'm sure we would
all imagine military security to be of a high standard when compared to small
businesses or even large corporations. How shocking it is, then, to see that
reporters bought USB flash devices from a bazaar 200 yards outside of the Bagram
military base in Afghanistan. These devices (stolen from the base by cleaners
and other local workers) contained documents marked “Secret,” which
named suspected militants, documented U.S. efforts to remove Afghan government
officials, and a classified briefing on “man portable counter-mortar
radar” now being used in Iraq. One device also listed over 700 service
members with their social security details, opening them up to identity theft.

This highlights the greatest danger posed by plug and play
portable storage: data loss. While the spread of viruses and the theft of data
also pose an issue, there are clear and simple methods to deal with these
problems. Virus outbreaks are handled by ensuring that on-access scanning is
enabled on corporate machines and virus definitions are kept up to date. Data
theft can be hampered by making sure that all machines are password-protected
and locked while not in use (including once the screensaver has been
activated). Data loss, however (e.g., lost or stolen USB drives which contain
sensitive information) is much harder to deal with. One solution is to make
sure that users are equipped with secure
storage devices. These devices have encryption/conditional access programs
included, which require a password to access the contained data. If lost or
stolen, these will be pretty much useless to the new owner. The real problem
is that unless you equip every user with one of these devices, someone will
still use their own unsecured device (even if you do equip everyone, they may
still use their own devices). There are only two ways to stop this, both pretty
drastic.
- USB locks: these little devices basically blank off USB ports, meaning
that users can't plug in unauthorised devices. This means, however, that
if you authorise them to use one USB device, they can basically use any. I'm
also sure that any smart and determined user would find a way to remove
these by themselves.
- Windows Group Policy: this addition to the Windows Group Policy will allow
administrators to disable removable media. This seems like a more sensible
approach as it still allows USB devices like mice to be used. It will also
mean administrators can exclude certain users from the restrictions.
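
Whichever policy is deployed, it is worth checking on each machine that it actually took effect. The PowerShell below is an added example, not part of the original article or of the Group Policy add-on it mentions. It assumes the restriction is applied through the USBSTOR driver start type or the "All Removable Storage classes: Deny all access" policy value, and it also lists storage devices the machine has seen before.

```powershell
# Added example: audit whether USB mass storage is blocked on this machine.
# Assumption: the block is implemented by one of the two registry settings
# read below; the article does not say which mechanism its policy uses.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-UsbStoragePolicy {
    # USBSTOR driver start type: 3 = load on demand, 4 = disabled.
    $start = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    # Policy value written by "All Removable Storage classes: Deny all access".
    $denyAll = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        UsbStorStart   = $start
        DriverDisabled = ($start -eq 4)
        DenyAllPolicy  = ($denyAll -eq 1)
        StorageBlocked = ($start -eq 4) -or ($denyAll -eq 1)
    }
}

function Get-UsbStorageHistory {
    # Each subkey under Enum\USBSTOR is a storage device model that has been
    # attached to this machine; the keys beneath it are individual instances.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Device       = $device
                InstanceId   = $_.PSChildName
                FriendlyName = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).FriendlyName
            }
        }
    }
}

$policy = Get-UsbStoragePolicy
$policy | Format-List
if (-not $policy.StorageBlocked) {
    Write-Warning 'USB mass storage is not blocked on this machine.'
}
Get-UsbStorageHistory | Format-Table -AutoSize
```

Neither setting affects USB mice or keyboards, which matches the behaviour described for the Group Policy approach.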

All things considered, USB storage has been a godsend for
both administrators and end users; however, it is important to be aware of the
risks that it poses and to educate our users.

What is your company’s policy on the usage of USB
media? How do you control its use? It would be interesting to hear your
experiences and opinions.