Security Risks Associated With Portable Storage Devices
by Lisa Dozois - Originally published in issue 1 of (IN)SECURE Magazine - Monday, 20 June 2005.


It seems that nearly every new electronic device on the market today comes equipped with data storage and transfer capabilities. From USB sticks to smart phones, MP3 players to hand-held PCs and iPods, the portability of data has reached new levels of simplicity as the prices of these devices continue to fall while storage capacities continue to rise.

There is no question that USB Flash Drives and their electronic counterparts are a valuable addition to the road warrior's toolbox. The ability to easily transport data between client and company sites, not to mention taking work home for the weekend, makes these devices almost irresistible.

Portable storage devices are also handy for making quick backups of important documents and even system registry files. Unlike CD/ROM disks, the stored data can be edited and saved over and over again.

Yes, today's portable personal storage devices have revolutionized the concept of "sneaker net", but are the rewards worth the risks?

These electronic conveniences have created a nightmare for data security managers and have spawned an entire sub industry that is aimed squarely at portable data storage security.

Old Risks and New

Portable data storage devices provide the same functionality as floppy disks, hard drives and CD/ROM and, therefore, are subject to the same virus and spyware risks as their more traditional counterparts. This is a particularly onerous threat for organizations that allow their employees to transfer data between company and home or remote computers.

While most threat-savvy IT departments have complete virus and spyware protection enabled within the enterprise, most organizations have little control over the protection of employees' home computers or computers that employees use at client and vendor sites. With new virus and spyware threats appearing every day, it is entirely possible that the organization's anti-virus and spyware systems may be unaware of the latest threat which has just been introduced by an employee.

Portable storage devices are also subject to your standard day-to-day perils such as mechanical or electronic failure, damage from being dropped or being exposed to harsh environmental conditions, or just plain getting lost or stolen. The latter two circumstances create a whole new threat level if sensitive data happens to be stored on the missing device.

The term "Business Intelligence" takes on a new and dark meaning when the stealth capabilities of portable storage devices are factored into the equation.

Corporate spies are more common than you may think, and it's a relatively simple task for a dishonest employee or visitor to transfer company phone books, customer lists, product and pricing lists or other sensitive and potentially damaging data to their electronic device before leaving for the day. The profit potential for these wayward employees is huge. You don't have to look any further than the recent case of the AOL employee who sold 93 million AOL members' email addresses to spammers for $52,000 and later sold another list for $100,000, to get an idea of what people are willing to pay for the valuable data that your employees have access to every day.

Short of actually conducting body cavity searches at the employee exit, there is no secure way to ensure that illegally obtained valuable data isn't sharing an employee's commute home. Even with body cavity searches, security personnel could never have the time to thoroughly examine every portable electronic device that employees and visitors carry with them onto the premises every day.

