A Simple Guide to Securing USB Memory Sticks
by William Lynch - Senior Consultant for CTG's Information Security Services Practice - Wednesday, 2 February 2005.
Loss of Confidentiality

Perhaps the greatest benefit of the USB memory stick is also its greatest security risk. Because of its convenient small physical size and large logical size compared to its predecessor, the floppy disk, more data can find its way onto the USB memory stick. Some of this data is likely to be confidential and becomes a risk if the media is lost. An executive who uses a memory stick to transfer a customer database from his desktop to his laptop could subsequently lose the memory stick. If the stick then finds its way into the hands of a competitor, the company has suffered a much greater loss than simply the replacement cost of the memory stick. In a similar scenario, if a healthcare professional loses a memory stick containing patient records, there are legal liability issues associated with HIPAA regulations.

There are two primary ways to mitigate the risk of loss of confidential data, namely avoidance and encryption. With an avoidance strategy, no data that can be considered private is stored on the memory stick. Clearly, this strategy is severely limiting, not least because of the difficulty of determining exactly what constitutes private data. An ideal encryption strategy allows any data to be stored on the memory stick but renders the data useless without the required encryption key, which is usually a strong password, but can also be a biometric such as a thumb print. Some USB memory sticks include their own proprietary encryption algorithms and formats, but often the encryption used is either unproven or inadequate, and the memory sticks are more expensive. However, encryption software that can be used to protect data on the memory stick is available from many vendors. One of these, Cryptainer LE for Windows from Cypherix Software, is available free of charge in a lightweight version that will be explored later on.

Using Encryption to Safeguard Data on USB Memory Sticks

As discussed above, one of the best ways to safeguard against confidentiality loss is through the use of encryption. Many commercial encryption products are available today, but this article will focus on Cryptainer LE from Cypherix Software because it is free (as in beer) for both personal AND commercial use, and the product is ideally suited for USB memory sticks.

How Cryptainer LE Works

Cryptainer LE functions as a driver for Win32 systems that allows the operating system to view a single encrypted file as a virtual disk. Essentially, once the virtual disk is mounted, it is available to Windows just as if it were any other type of disk. A small program is required to mount the encrypted disk, and that program can be included on the USB memory stick. The portable version does not require installation and can also reside on the memory stick, making Cryptainer LE a self-contained encryption system.

Unlike some other vendors who might implement a weak or obsolete encryption algorithm such as single-DES in their free or trial products, Cypherix uses strong encryption via the Blowfish algorithm. Blowfish is a highly efficient algorithm developed by cryptography expert Bruce Schneier and trusted by even the most paranoid of the security-conscious community, the OpenBSD project. Provided that the password selected as the key is securely chosen, data encrypted by Cryptainer LE is about as secure as it gets, figuratively speaking.

Using Cryptainer LE to Create an Encrypted Disk

First, download Cryptainer LE from here. Then, install using the defaults. Once the installation is complete and the program is launched, it will prompt to create the first encrypted disk.

From the display, replace the path for the Cryptainer volume with the path of the USB memory stick. The Cryptainer volume size can also be increased from 10 MB to 25 MB.

