Small Storage Medium, Big Risk: USB Flash Drive Security Tips
Find out what can happen when you don’t follow security best practices for USB flash drives and how you can ensure your data is safe from hackers. Follow our flash drive security action plan to start securing your data today.
Katie Moss Jefcoat
Katie has launched and supported marketing campaigns for B2B technology companies since 2011. From 2016 to 2021, Katie served Blancco in the roles of content manager and senior product marketing manager, communicating the features and benefits of Blancco products, evaluating market and competitive trends, supporting sales enablement, and representing the voice of the customer.
The worst military breach in U.S. history occurred almost a decade ago, in 2008, when a USB flash drive, containing malware, infected the network and resulted in the Department of Defense’s sensitive information being leaked. This event was a wake-up call for many in the cyber security space, and efforts have been made to expose the risks that these flash drives create.
Today, most IT pros understand that USB flash drives often carry malware infections and pose other security risks. Some organizations limit employees’ use of thumb drives for this reason; however, these small storage devices are still used in many other organizations, are larger in storage capacity, and their capabilities are being expanded by black hat developers. In fact, security researchers Jakob Lell and Karsten Nohl have created malware called BadUSB that can allow a USB device to completely take over a computer, redirect internet traffic or even invisibly alter files installed from the flash drive. USB Rubber Ducky is another example. Made famous in the show Mr. Robot, Rubber Ducky is a malicious USB device that is recognized by a computer as a keyboard. Keyboards are trusted by operating systems, so the Rubber Ducky can share its malicious code with no issues.
But knowing that USB flash drives can pose a threat to your organization isn’t enough. You need to put proactive steps in place to ensure that potential security risks are identified and addressed quickly.
Organizations must have the above policies to detect which USB flash drives have corporate information on them and then enforce the secure data erasure of these flash drives.
Any USB flash drive that’s used by employees at your organization should be encrypted. There are several ways to perform encryption on USBs. Your first option is purchasing USB flash drives that are hardware encrypted. Ensure that the encryption is Federal Information Processing Standard (FIPS) approved (FIPS PUB 140-2) to meet NIST guidelines for encryption.
Second, you can install paid specialized encryption software on your USB flash drive. There are a variety of options available on the market.
Third, you can use a free, open-source encryption tool such as VeraCrypt. You can install VeraCrypt as a portable program by plugging in your USB flash drive and launching the installation program. This places a portable version of VeraCrypt on your external drive. You can then create a vault of any size on the external drive, but you must have an administrator-level password to access this vault, so this solution could be difficult to deploy across an entire organization.
You’d think that most individuals would know better than to pick up an unknown USB flash drive and plug it into their computers. But curiosity gets the best of all of us. Research presented by Black Hat shows that this danger is real. Researchers dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus. 98% of these drives were picked up! In addition, 45% of these drives were not only picked up, but individuals clicked on the files they found inside. Create a security policy for USB flash drives that includes a warning to employees: If you are unsure about what’s on it, don’t plug it in. The weakest point of security for any business is the human element, so advising employees not to use unknown or personal flash drives is imperative.
There are many ways you can ensure employees at your organization are following USB flash drive best practices. Here are four options that can help you keep your data secure within the Windows Active Directory environment:
Specify that administrators may override device installation restriction policies when necessary to allow for any exceptions to these rules.
Outside of Active Directory environments, you may also choose to utilize software that restricts access to only those USB flash drives that are company-owned and/or recognized. Examples of such software include BitLocker, DiskCryptor and VeraCrypt. These solutions allow the contents of a USB drive to be encrypted automatically and transparently.
Additional software can be installed on external USB flash drives to prevent access to files if the drives are lost or stolen. Installing software on your organization’s computers may help track and minimize risk by recording and storing USB flash drive data in a centralized database.
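As an added illustration of recognizing company-owned drives and recording what has been plugged in (this is not Blancco's code or any product's API), the sketch below parses Windows USBSTOR device instance IDs and sorts them against an asset list. The function names, the approved-serial list and the sample lines are all constructed for this example.

```python
import re
from typing import NamedTuple, Optional

# Device instance ID layout under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<n>
INSTANCE_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^&\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)

class UsbDrive(NamedTuple):
    vendor: str
    product: str
    serial: Optional[str]  # None when the device reports no unique serial

def parse_instance_id(line: str) -> Optional[UsbDrive]:
    """Parse one instance ID; return None for lines that are not USB storage."""
    m = INSTANCE_RE.match(line.strip())
    if not m:
        return None
    instance = m.group("instance")
    # '&' as the second character means Windows generated the ID because the
    # device has no serial number, so it cannot be tied to an asset record.
    if len(instance) > 1 and instance[1] == "&":
        serial = None
    else:
        serial = instance.rsplit("&", 1)[0].upper()
    return UsbDrive(m.group("vendor"), m.group("product"), serial)

def audit(lines, approved_serials):
    """Bucket drives into approved, unknown and no_serial for central logging."""
    approved = {s.upper() for s in approved_serials}
    report = {"approved": [], "unknown": [], "no_serial": []}
    for line in lines:
        drive = parse_instance_id(line)
        if drive is None:
            continue
        if drive.serial is None:
            report["no_serial"].append(drive)
        elif drive.serial in approved:
            report["approved"].append(drive)
        else:
            report["unknown"].append(drive)
    return report

# Constructed sample input (e.g. instance IDs exported from endpoints).
SAMPLE = [
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\AA00000000000489&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2b9f3a1c&0",
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230101117392&0",
    "not a device line",
]
APPROVED = {"aa00000000000489"}  # hypothetical asset-register serials
```

Drives in the `no_serial` bucket deserve the same scrutiny as unknown ones, since an allowlist keyed on serial number cannot distinguish them from one another.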
Here are the steps you need to take to create and enforce USB flash drive security policies across your organization:
While it’s easy to remember to secure employee laptops and data center servers, don’t forget about the USB flash drives and other storage devices you may be leaving behind. Though antivirus scans and reformatting may offer some counter to malicious threats, software-based secure erasure is the only way to ensure your organization’s thumb drives are completely clean and free of any threats. It’s important to perform such erasure at end-of-life (resale, reuse or recycling), before and after sharing information with third-party vendors, after employees leave your company and anytime you aren’t sure what information a USB holds.
Blancco Removable Media Eraser permanently and verifiably erases data from USB flash drives, SD cards and other flash memory devices, providing a tamper-proof audit trail and regulatory compliance for your organization.