USB Flash Drive Security

Understanding the Risks Associated with USB Memory Sticks

Since their introduction the USB memory stick has been hailed by those fed up with the shortcomings of the floppy. Their small physical size, satisfactory speed and ever-increasing storage capacity makes them the most convenient device to use for transferring files from one place to another. However, these very features can introduce new security risks and amplify risks that already existed with floppy disks. The primary risks associated with USB memory sticks can be identified as:

• Virus Transmissions - Data sharing opens up an avenue for viruses to propagate
• Corruption of data - Corruption can occur if the drive is not unmounted cleanly
• Loss of data - All media is susceptible to data loss
• Loss of media - The device is physically small and can easily be misplaced
• Loss of confidentiality – Data on the lost physical media can be obtained by others

Virus Transmissions

Whenever files are transferred between two machines there is a risk that viral code or some other malware will be transmitted, and USB memory sticks are no exception. Some USB memory sticks include a physical switch that can put the drive in read-only mode. When transferring files to an untrusted machine a drive in read-only mode will prevent any data (including viruses) to be written to the device. If files need to be transferred from an untrusted machine, the only countermeasure is to immediately scan the memory stick before copying files from it.

Loss of Confidentiality

Perhaps the greatest benefit of the USB memory stick is also its greatest security risk. Because of its convenient small physical size and large logical size compared it predecessor, the floppy disk, more data can find its way to the USB Memory stick. Some of this data is likely to be confidential and becomes a risk if the media is lost. An executive who uses a memory stick to transfer a customer database from his desktop to laptop could potentially subsequently lose the memory stick. If the stick then finds its way into the hands of a competitor, then the company has suffered a much greater loss than simply the replacement cost of the memory stick. In a similar scenario, if a healthcare professional loses a memory stick containing patient records, then there are legal liability issues associated.

There are two primary ways to mitigate the risk of loss of confidential data, mainly avoidance and encryption. With an avoidance strategy, no data is stored on the memory stick that can be considered private. Clearly, this strategy is severely limiting, not the least of which is determining exactly what constitutes private data. An ideal encryption strategy allows any data to be stored on the memory stick but renders the data useless without the required encryption key, which is usually a strong password, but can also be a biometric such as a thumb print. Some USB memory sticks include their own proprietary encryption algrithms and formats, but often the encryption used is either unproven or inadequate, and the memory sticks are more expensive. However, encryption software is available from many vendors that can be used to protect data on the memory stick.

Using Encryption to Safeguard Data on USB Memory Stick

As highly portable media, USB flash drives are easily lost or stolen. All USB flash drives can have their contents encrypted using third party disk encryption software such as FreeOTFE and TrueCrypt or programs which can use encrypted archives such as ZIP and RAR. Some of these programs can be used without installation. The executable files can be stored on the USB drive, together with the encrypted file image. The encrypted partition can then be accessed on any computer running the correct operating system, although it may require the user to have administrative rights on the host computer to access data. Some vendors have produced USB flash drives which use hardware based encryption as part of the design, thus removing the need for third-party encryption software.

• Next >