The worst military breach in U.S. history occurred almost a decade ago, in 2008, when a USB flash drive, containing malware, infected the network and resulted in the Department of Defense’s sensitive information being leaked. This event was a wake-up call for many in the cyber security space, and efforts have been made to expose the risks that these flash drives create.
Today, most IT pros understand that USB flash drives often carry malware infections and pose other security risks. Some organizations limit employees’ use of thumb drives for this reason; however, these small storage devices are still used in many other organizations, are larger in storage capacity, and are being expanded by black hat developers. In fact, security researchers Jakob Lell and Karsten Nohl have created malware called BadUSB that can allow a USB device to completely take over a computer, redirect internet traffic or even invisibly alter files installed from the flash drive. USB Rubber Ducky is another example. Made famous in the show Mr. Robot, Rubber Ducky is a malicious USB device that is recognized by a computer as a keyboard. Keyboards are trusted by operating systems, so the Rubber Ducky can share its malicious code with no issues.
Situations in Which USB Flash Drives Pose a Security Risk:
- When employees unknowingly share USB sticks that carry malware infections
- When employees pick up unknown thumb drives and plug them into their computers (Dropping USB flash drives with malware on them is a common tactic used by black hat developers).
- When employees leave the organization and still retain a USB holding sensitive information
- When USB flash drives are lost or stolen and information is leaked
But knowing that USB flash drives can pose a threat to your organization isn’t enough. You need to put proactive steps in place to ensure that potential security risks are identified and addressed quickly.
3 Steps to Secure USB Flash Drives
- Only allow employees to download company information onto hardware- and/or software-encrypted USB flash drives.
- Issue warnings to employees about using USB flash drives that they are unsure about.
- Deploy software or leverage corporate that only allows company-owned and/or recognized USB flash drives.
Organizations must have the above policies to detect which USB flash drives have corporate information on them and then enforce the secure data erasure of these flash drives.
Any USB flash drive that’s used by employees at your organization should be encrypted. There are several ways to perform encryption on USBs. Your first option is purchasing USB flash drives that are hardware encrypted. Ensure that the encryption is Federal Information Processing Standard (FIPS) approved (FIPS PUB 140-2) to meet NIST guidelines for encryption.
Second, you can install paid specialized encryption software on your USB flash drive. There are a variety of options available on the market.
Third, you can use a free, open-source encryption tool such as VeraCrypt. You can install VeraCrypt as a portable program by plugging in your USB flash drive and launching the installation program. This creates a portable version of VeraCrypt on your external drive. You can then produce any size vault on the external drive, but you must have an administrator-level password to access this vault. So this solution could be difficult to deploy across an entire organization.
Guidance Against Using Unfamiliar USB Flash Drives
You’d think that most individuals would know better than to pick up an unknown USB flash drive and plug it into their computers. But curiosity gets the best of all of us. Research presented by Black Hat shows that this danger is real. Researchers dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus. 98% of these drives were picked up! In addition, 45% of these drives were not only picked up, but individuals clicked on the files they found inside. Create a security policy for USB flash drives that includes a warning to employees: If you are unsure about what’s on it, don’t plug it in. The weakest point of security for any business is the human element, so advising employees not to use unknown or personal flash drives is imperative.
Deploying Known and Trusted Drives
There are many ways you can ensure employees at your organization are following USB flash drive best practices. Here are four options that can help you keep your data secure within the Windows Active Directory environment:
- Create a group policy setting to prevent installation of all devices not described by other policy settings. All other system components will function as normal, but new devices will be flagged (including USB flash drives).
- Create a group policy setting to allow specific USB devices based on their Hardware IDs. This setting will decide if employees can insert vendor-specific USB drives.
- Create a group policy setting to allow general devices based on their Device Class properties (e.g. SCSIAdapter, Display, Processor). Do not include DiskDrive in these options (that label will cover USB flash drives). When users add a new piece of hardware, they will need to account for the category of the hardware (BadUSB and Rubber Ducky would still be allowed under this rule, so be careful here).
- Specify that administrators may override device installation restriction policies when necessary to allow for any exceptions to these rules.
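To check how the four settings above actually landed on an endpoint, the following added example (not part of the original article) reads the registry values that the Device Installation Restrictions group policy settings write and flags the pitfalls noted in the list. The function names are hypothetical, and the class GUIDs are the standard Windows device setup class GUIDs for DiskDrive, Keyboard and HIDClass.

```powershell
# Added example: audit Device Installation Restrictions as applied on this machine.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Device setup class GUIDs relevant to the guidance above.
$DiskDrive = '{4d36e967-e325-11ce-bfc1-08002be10318}'
$InputClasses = @{
    '{4d36e96b-e325-11ce-bfc1-08002be10318}' = 'Keyboard'
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}' = 'HIDClass'
}

function Get-PolicyFlag([string]$Name) {
    # A missing key or value means "Not configured", which is treated as off.
    $item = Get-ItemProperty -Path $Base -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Get-PolicyList([string]$SubKey) {
    # List policies store entries as numbered string values ("1", "2", ...) in a subkey.
    $path = Join-Path $Base $SubKey
    if (-not (Test-Path $path)) { return @() }
    $key = Get-Item -Path $path
    return @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function Test-UsbInstallPolicy {
    $findings = @()
    $deny = Get-PolicyFlag 'DenyUnspecified'
    if (-not $deny) {
        $findings += 'Default-deny is off: devices not covered by another setting still install.'
    }
    $classes = @()
    if (Get-PolicyFlag 'AllowDeviceClasses') { $classes = @(Get-PolicyList 'AllowDeviceClasses') }
    foreach ($guid in $classes) {
        $g = $guid.ToLower()
        if ($g -eq $DiskDrive) {
            $findings += 'DiskDrive class is allowed: any USB flash drive installs.'
        } elseif ($InputClasses.ContainsKey($g)) {
            $findings += "$($InputClasses[$g]) class is allowed: keyboard-emulating devices install."
        }
    }
    $ids = @()
    if (Get-PolicyFlag 'AllowDeviceIDs') { $ids = @(Get-PolicyList 'AllowDeviceIDs') }
    if ($deny -and $ids.Count -eq 0 -and $classes.Count -eq 0) {
        $findings += 'Default-deny is on with an empty allow list: no new device will install.'
    }
    if (Get-PolicyFlag 'AllowAdminInstall') {
        $findings += 'Administrators may override these restrictions.'
    }
    [pscustomobject]@{ AllowedHardwareIds = $ids; AllowedClasses = $classes; Findings = $findings }
}

Test-UsbInstallPolicy | Format-List
```

Run it from an elevated or standard PowerShell session on a domain-joined endpoint after `gpupdate`; an empty `Findings` list with populated allow lists indicates the default-deny plus allow-list configuration described above.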
Outside of Active Directory environments, you may also choose to utilize software that restricts access to only those USB flash drives that are company-owned and/or recognized. Examples of such software include BitLocker, DiskCryptor and VeraCrypt. These solutions allow the contents of a USB drive to be encrypted automatically and transparently.
Additional software can be installed on external USB flash drives to prevent access to files if the drives are lost or stolen. Installing software on your organization’s computers may help track and minimize risk by recording and storing USB flash drive data in a centralized database.
Ready to Get Started?
Here are the steps you need to take to create and enforce USB flash drive security policies across your organization:
USB Flash Drive Security Action Plan
- Hire a white-hat firm or security firm to perform an audit of your network’s USB devices, or set up a team internally.
- Discover all the endpoints in your network, and determine who is using removable media devices / media on those endpoints. Use “audit mode” to collect the information without disrupting productivity.
- Centrally create and manage the encryption of these removable media devices.
- Implement the encryption of these devices and enforce USB security policies to ensure sensitive information is secured.
- Generate reports to show how your data protection policies safeguard your organization’s critical information and prevent unauthorized data access to lost or stolen removable media devices. These reports will help demonstrate compliance with external government and industry regulations and with internal security policies.
While it’s easy to remember to secure employee laptops and data center servers, don’t forget about the USB flash drives and other storage devices you may be leaving behind. Though antivirus scans and reformatting may offer some counter to malicious threats, software-based secure erasure is the only way to ensure your organization’s thumb drives are completely clean and free of any threats. It’s important to perform such erasure at end-of-life (resale, reuse or recycling), before and after sharing information with third-party vendors, after employees leave your company and anytime you aren’t sure what information a USB holds.
Blancco Removable Media Eraser permanently and verifiably erases data from USB flash drives, SD cards and other flash memory devices, providing a tamper-proof audit trail and regulatory compliance for your organization.