
Inexpensive and very useful, USB flash drives have become as
common as writeable CD-ROM drives in most organizations. However, these drives can
also be a tremendous source of data leakage from an organization’s network.

Most organizations are diligent when it comes to maintaining
proper file security that allows access to information only as needed. However,
the problem is that some users need access to a lot of sensitive information,
and they like to have that information available no matter where or how they’ve
logged in.

This can apply to anyone from a department head to an
enterprise administrator. Users often store the information they need, such as
passwords or other corporate secrets, on these USB flash devices.

By default, Windows 2000, Windows XP, and Windows Server 2003
include the necessary device drivers to operate USB flash drives. Any user can
stick a flash drive in his or her workstation as long as it has an open,
enabled USB port. Pocket versions of these drives can transfer data at rates up
to 24 MB per second, and they can store about 4 GB.

With these devices, corporations’ biggest worry about data
leakage is not that some disgruntled employee
will copy data to the drive and sell it to a competitor—discontented workers
can already do that with 3.5-inch floppy disks, writeable CDs, or any other
removable media allowed on the network. The bigger risk involves the size of
the device.

Because these devices are so small, they’re an easy target
for thieves, and they’re also easier for users to lose or misplace. And that
means that vital secrets can disappear before you know it.

While it may be tempting to ban the use of these devices
altogether, that really isn’t necessary. These common devices are extremely
useful, and it’s perfectly fine to allow them on your network.

But that doesn’t mean you can neglect the inherent security
concerns either. To better protect corporate data, take steps to add a layer of
security to go with the information these handy devices can store.

If you operate a Windows domain with Windows 2000 and XP
clients, you can typically configure Windows
Encrypting File System (EFS)
to encrypt user data on the fly. This works
extremely well with laptops that travel outside of your company walls.

But according to Microsoft, EFS can’t encrypt a file on
removable media, such as a CD, floppy, or flash drive. That means you’ll have
to rely on a third-party application to do the encrypting for you.

You could deploy an application that resides on the
workstation or network to handle the encryption. However, this option defeats
the purpose of being able to use these devices no matter where your users find
it necessary.

A better solution is to purchase devices that include
built-in security features. Several USB flash drive manufacturers offer drives
with these features, and the additional cost is minimal when you compare it to
the extra layer of security provided by these features.

The best secure USB flash drives feature Advanced Encryption
Standard (AES) symmetric encryption. This is one of the newest government- and
corporate-grade encryption standards, and it is more than strong enough to
protect your data.

From my experience, I recommend both the Lexar JumpDrive Secure USB Flash Drive
and the Kingston DataTraveler Elite. Both
drives perform excellently under a variety of conditions, and they offer exceptional
protection for corporate data if a user loses the drive.

Different manufacturers offer different key lengths or
implementations. Choose a USB flash drive whose encryption is strong enough for
your data and whose operation is comfortable for your users.

When deploying these devices, make sure you update the company
security policy to address their use in the organization. In addition, you
might want to maintain a password database for the devices. Otherwise, if users
forget their passwords, the cost of recovering the data may not be justified by
its value to the company.

Mike Mullins has
served as a database administrator and assistant network administrator for the
U.S. Secret Service. He is a network security administrator for the Defense
Information Systems Agency.