Shore up USB flash drive security

USB flash drives have become common devices in most organizations, thanks to their low cost and ease of use. But, however handy these devices may be, they can also serve as a tremendous source of data leakage. Mike Mullins discusses why USB flash drives can be such a high security risk, and he offers tips for locking down these devices in your organization.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Inexpensive and very useful, USB flash drives have become as common as writeable CD-ROM drives in most organizations. However, these drives can also be a tremendous source of data leakage from an organization's network.

Most organizations are diligent when it comes to maintaining proper file security that allows access to information only as needed. However, the problem is that some users need access to a lot of sensitive information, and they like to have that information available no matter where or how they've logged in.

This can apply to anyone from a department head to an enterprise administrator. Users often store the information they need, such as passwords or other corporate secrets, on these USB flash devices.

By default, Windows 2000, Windows XP, and Windows Server 2003 include the necessary device drivers to operate USB flash drives. Any user can stick a flash drive in his or her workstation as long as it has an open, enabled USB port. Pocket versions of these drives can transfer data at rates up to 24 MB per second, and they can store about 4 GB.

With these devices, corporations' biggest worry about data leakage is not that some disgruntled employee will copy data to the drive and sell it to a competitor—discontented workers can already do that with 3.5-inch floppy disks, writeable CDs, or any other removable media allowed on the network. The bigger risk involves the size of the device.

Because these devices are so small, they're an easy target for thieves, and they're also easier for users to lose or misplace. And that means that vital secrets can disappear before you know it.

While it may be tempting to ban the use of these devices altogether, that really isn't necessary. These common devices are extremely useful, and it's perfectly fine to allow them on your network.

But that doesn't mean you can neglect the inherent security concerns either. To better protect corporate data, take steps to add a layer of security to go with the information these handy devices can store.

If you operate a Windows domain with Windows 2000 and XP clients, you can typically configure Windows Encrypting File System (EFS) to encrypt user data on the fly. This works extremely well with laptops that travel outside of your company walls.

But according to Microsoft, EFS can't encrypt a file on removable media, such as a CD, floppy, or flash drive. That means you'll have to rely on a third-party application to do the encrypting for you.

You could deploy an application that resides on the workstation or network to handle the encryption. However, this option defeats the purpose of being able to use these devices no matter where your users find it necessary.

A better solution is to purchase devices that include built-in security features. Several USB flash drive manufacturers offer drives with these features, and the additional cost is minimal when you compare it to the extra layer of security provided by these features.

The best secure USB flash drives feature Advanced Encryption Standard (AES) symmetric encryption. This is one of the newest government- and corporate-grade encryption standards, and its complexity is more than sufficient to protect your data.

From my experience, I recommend both the Lexar JumpDrive Secure USB Flash Drive and the Kingston DataTraveler Elite. Both drives perform excellently under a variety of conditions, and they offer exceptional protection for corporate data if a user loses the drive.

Different manufactures offer different key lengths or implementations. Choose a USB flash drive with proper encryption complexity that's comfortable for your users.

When deploying these devices, make sure you update the company security policy to address their use in the organization. In addition, you might want to maintain a password database for the devices. Otherwise, if users forget their passwords, the cost of data recovery might not be equal to the corporate value of the data.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a network security administrator for the Defense Information Systems Agency.

Editor's Picks

Free Newsletters, In your Inbox