Latest news
A Simple Guide to Securing USB Memory Sticks
by William Lynch - Senior Consultant for CTG's Information Security Services Practice - Wednesday, 2 February 2005.
Loss of Data
Although most USB memory sticks have no moving parts and thus are considerably less prone to mechanical wear than their older and larger counterparts, loss of data can still be an issue. Aside from mechanical failure, data can be lost by accidental erasure, or overwritten. No write capable media device is immune to this risk. The best safeguard against loss of data is frequent and proper backups, as with any other media type. Because of their propensity for physical loss USB memory sticks are best suited as intermediary storage, so it isn't advisable to store the only copy of an item on the memory stick.
Loss of Media
Data loss can occur if the memory stick is physically lost. Untethered drives are most at risk of being physically lost because their lightweight nature allows them to slip out of pockets unnoticed. To protect against physical loss of the device, it’s advisable to have the device tethered to something, preferably a keychain. Some devices have lanyard-style tethers, but use these with caution as the lanyard may only tether the drive cap and not the drive itself, which leaves the drive at risk of falling away unnoticed. Drives tethered to a keychain are less likely to be permanently lost because they are attached to another item that the user has presumably already learned not to lose.
Loss of Confidentiality
Perhaps the greatest benefit of the USB memory stick is also its greatest security risk. Because of its convenient small physical size and large logical size compared it predecessor, the floppy disk, more data can find its way to the USB Memory stick. Some of this data is likely to be confidential and becomes a risk if the media is lost. An executive who uses a memory stick to transfer a customer database from his desktop to laptop could potentially subsequently lose the memory stick. If the stick then finds its way into the hands of a competitor, then the company has suffered a much greater loss than simply the replacement cost of the memory stick. In a similar scenario, if a healthcare professional loses a memory stick containing patient records, then there are legal liability issues associated with HIPAA regulations.
There are two primary ways to mitigate the risk of loss of confidential data, mainly avoidance and encryption. With an avoidance strategy, no data is stored on the memory stick that can be considered private. Clearly, this strategy is severely limiting, not the least of which is determining exactly what constitutes private data. An ideal encryption strategy allows any data to be stored on the memory stick but renders the data useless without the required encryption key, which is usually a strong password, but can also be a biometric such as a thumb print. Some USB memory sticks include their own proprietary encryption algrithms and formats, but often the encryption used is either unproven or inadequate, and the memory sticks are more expensive. However, encryption software is available from many vendors that can be used to protect data on the memory stick. One of these, Cryptainer LE for Windows from Cypherix Software is available in a lightweight version, free of charge that will be explored later on
Using Encryption to Safeguard Data on USB Memory Sticks
Although most USB memory sticks have no moving parts and thus are considerably less prone to mechanical wear than their older and larger counterparts, loss of data can still be an issue. Aside from mechanical failure, data can be lost by accidental erasure, or overwritten. No write capable media device is immune to this risk. The best safeguard against loss of data is frequent and proper backups, as with any other media type. Because of their propensity for physical loss USB memory sticks are best suited as intermediary storage, so it isn't advisable to store the only copy of an item on the memory stick.
Loss of Media
Data loss can occur if the memory stick is physically lost. Untethered drives are most at risk of being physically lost because their lightweight nature allows them to slip out of pockets unnoticed. To protect against physical loss of the device, it’s advisable to have the device tethered to something, preferably a keychain. Some devices have lanyard-style tethers, but use these with caution as the lanyard may only tether the drive cap and not the drive itself, which leaves the drive at risk of falling away unnoticed. Drives tethered to a keychain are less likely to be permanently lost because they are attached to another item that the user has presumably already learned not to lose.
Loss of Confidentiality
Perhaps the greatest benefit of the USB memory stick is also its greatest security risk. Because of its convenient small physical size and large logical size compared it predecessor, the floppy disk, more data can find its way to the USB Memory stick. Some of this data is likely to be confidential and becomes a risk if the media is lost. An executive who uses a memory stick to transfer a customer database from his desktop to laptop could potentially subsequently lose the memory stick. If the stick then finds its way into the hands of a competitor, then the company has suffered a much greater loss than simply the replacement cost of the memory stick. In a similar scenario, if a healthcare professional loses a memory stick containing patient records, then there are legal liability issues associated with HIPAA regulations.
There are two primary ways to mitigate the risk of loss of confidential data, mainly avoidance and encryption. With an avoidance strategy, no data is stored on the memory stick that can be considered private. Clearly, this strategy is severely limiting, not the least of which is determining exactly what constitutes private data. An ideal encryption strategy allows any data to be stored on the memory stick but renders the data useless without the required encryption key, which is usually a strong password, but can also be a biometric such as a thumb print. Some USB memory sticks include their own proprietary encryption algrithms and formats, but often the encryption used is either unproven or inadequate, and the memory sticks are more expensive. However, encryption software is available from many vendors that can be used to protect data on the memory stick. One of these, Cryptainer LE for Windows from Cypherix Software is available in a lightweight version, free of charge that will be explored later on
Using Encryption to Safeguard Data on USB Memory Sticks
Spotlight
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
Ransomware adds password stealing to its arsenal
Posted on 17 May 2013. | Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds.
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
