The security risks associated with the use of removable storage devices—especially USB thumb drives—keep government IT managers up at night. The US Department of Defense (DOD) had actually banished flash drives and other removable storage devices in November 2008 when it was discovered that the source of a virus spreading through military networks was a USB thumb drive. Last February, DOD lifted its two-year-old ban on flash drives and other removable storage media, but imposed the most draconian restrictions on their use.
Under the department's new rules, only authorized personnel can use portable storage media, and the drives must be government-procured and owned and can only be deployed in mission-critical operations. In addition, users and devices are subject to random audits.
Despite the formidable security risks, USB thumb drives and other removable storage have the undeniable utility of being small, portable and inexpensive. Navy Department chief information officer Robert Carey, head of a DOD "Tiger Team" charged with setting removable-media policy, has acknowledged that USB thumb drives are extremely useful for data transfers between computers, including operating system patches and antivirus updates, especially in constrained areas, such as on the battlefield or aboard ships.
But the USB thumb drive problem extends well beyond DOD. These flash drives "have become ubiquitous," said Karen Scarfone, a computer scientist in the US National Institute of Standards and Technology's computer security division. "I think users tend to think of them as harmless. They don't understand the security risks of using those devices."
USB thumb drive encryption not enough
In the last two years, industry has stepped up to improve the security of flash-drive use, said Scarfone, co-author of NIST's Guide to Storage Encryption Technologies for End User Devices (.pdf) (Special Publication 800-111), which addresses removable-media security issues.
For example, a range of vendors now offer software that provides centrally administered and policy-driven control over access to removable storage media and encryption of the data they contain.
"Any sort of managed solution is going to be preferable in terms of security," she said, adding that fully encrypting the data on the drive is an important step but it has to be coupled with an authentication mechanism that restricts access to the data. "If you don't require authentication, the encryption doesn't do any good," she said.
When encrypting the data on a drive, you should also encrypt the file name, said Joseph Balasanti, vice president of marketing for WinMagic Inc., a firm that works with Defense Department agencies on data security. "You could learn a lot about what a file contains simply by the name you give it," he said.
Current best practices for protecting data on portable storage devices embrace full disk encryption plus a key management system, Balasanti said. In addition, "you want to have a central methodology of installing, configuring, deploying and managing these encryption agents," he said. When keys are managed by a server and then synchronized with Active Directory, only authorized users can use portable devices to share data, he said.
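The two points made above, that encryption is useless unless access is gated by authentication and that the file name must be hidden along with the contents, can be shown in a small sealed-container format. The following is an added example written for this article, not code from NIST, WinMagic or any product named here. It assumes a passphrase-derived key standing in for the server-managed keys the article describes, and it uses a SHA-256 counter-mode keystream with an HMAC tag as an illustrative encrypt-then-MAC construction; a deployment would use a vetted AEAD such as AES-GCM from a maintained library. The file name travels inside the encrypted payload, so it is no more visible on the drive than the data, and a wrong passphrase or a modified byte is rejected before anything is decrypted.

```python
import hashlib
import hmac
import json
import os
import struct
from typing import Tuple

# Illustrative parameters (assumptions, not values from the article).
PBKDF2_ITERATIONS = 100_000
MAGIC = b"USBV1"           # 5-byte format marker
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the passphrase."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (stand-in for AES-CTR)."""
    out = bytearray()
    for block_index in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + struct.pack(">Q", block_index)).digest()
        chunk = data[block_index * 32:(block_index + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(passphrase: str, filename: str, contents: bytes) -> bytes:
    """Encrypt file name and contents together; authenticate header + ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    # The name is part of the plaintext record, so it is hidden like the data.
    payload = json.dumps({"name": filename, "data": contents.hex()}).encode()
    ciphertext = _keystream_xor(enc_key, nonce, payload)
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def unseal(passphrase: str, blob: bytes) -> Tuple[str, bytes]:
    """Verify the tag first (authentication), then decrypt name and contents."""
    header_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < header_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a sealed container")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:header_len]
    ciphertext, tag = blob[header_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong passphrase or modified data")
    record = json.loads(_keystream_xor(enc_key, nonce, ciphertext))
    return record["name"], bytes.fromhex(record["data"])


def reveals_filename(blob: bytes, filename: str) -> bool:
    """True if the file name can be read off the container without the key."""
    return filename.encode() in blob


if __name__ == "__main__":
    # Constructed sample: a file whose name alone says a lot about its contents.
    blob = seal("correct horse battery", "salary-review-2011.xlsx", b"<spreadsheet>")
    print("name visible on disk:", reveals_filename(blob, "salary-review-2011.xlsx"))
    print("round trip:", unseal("correct horse battery", blob))
    try:
        unseal("guess", blob)
    except ValueError as err:
        print("wrong passphrase:", err)
```

Because the tag covers the salt and nonce as well as the ciphertext, an attacker who only has the drive cannot learn the name, cannot decrypt the data, and cannot alter the container without failing the check; the passphrase is the authentication the article says encryption must be paired with.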
The latest software also will let managers "white list" USB flash drives by brand, model and serial number so that only those devices will work on authorized machines, Balasanti said.
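Whitelisting by brand, model and serial number means matching the USB vendor ID, product ID and per-unit serial reported by the device, and refusing anything that does not match on all three. The following is an added example, not code from any of the vendors or agencies mentioned; the allowlist entries, the log lines and the attach-event format are constructed for illustration. It parses attach events, applies the allowlist, and shows why the serial matters: the second device is the same brand and model as the approved drives but an unknown unit, and the fourth reports no serial at all, so both are blocked.

```python
import re
from typing import List, NamedTuple, Optional


class UsbDevice(NamedTuple):
    vendor_id: str   # brand, as the 4-hex-digit USB vendor ID
    product_id: str  # model, as the 4-hex-digit USB product ID
    serial: str      # per-unit serial number reported by the device


# Constructed allowlist of government-procured drives (hypothetical values).
ALLOWLIST = [
    UsbDevice("0781", "5583", "4C530001230115107341"),
    UsbDevice("0781", "5583", "4C530001230115107342"),
]

# Constructed attach events in a kernel-log style; not from any real host.
SAMPLE_EVENTS = [
    "usb 1-1: New USB device found, idVendor=0781, idProduct=5583, SerialNumber=4C530001230115107341",
    "usb 1-2: New USB device found, idVendor=0781, idProduct=5583, SerialNumber=9999DEADBEEF00000000",
    "usb 1-3: New USB device found, idVendor=0951, idProduct=1666, SerialNumber=0000123456789ABC",
    "usb 1-4: New USB device found, idVendor=0781, idProduct=5583",
]

EVENT_RE = re.compile(
    r"idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})"
    r"(?:, SerialNumber=(\S+))?")


def parse_event(line: str) -> Optional[UsbDevice]:
    """Extract vendor, product and serial from an attach event, if present."""
    match = EVENT_RE.search(line)
    if not match:
        return None
    return UsbDevice(match.group(1).lower(), match.group(2).lower(),
                     match.group(3) or "")


def is_allowed(device: UsbDevice, allowlist: List[UsbDevice]) -> bool:
    """Allow only when brand, model and serial all match one approved unit."""
    if not device.serial:
        return False  # a device that hides its serial can never be matched
    return any(
        entry.vendor_id == device.vendor_id
        and entry.product_id == device.product_id
        and entry.serial == device.serial
        for entry in allowlist)


def decisions(lines: List[str], allowlist: List[UsbDevice] = ALLOWLIST) -> List[str]:
    """Return one of 'allow', 'block' or 'ignore' per log line."""
    result = []
    for line in lines:
        device = parse_event(line)
        if device is None:
            result.append("ignore")   # not a device-attach event
        elif is_allowed(device, allowlist):
            result.append("allow")
        else:
            result.append("block")
    return result


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_EVENTS, decisions(SAMPLE_EVENTS)):
        print(f"{verdict:6} {line}")
```

The serial is what turns a brand-and-model rule into a per-unit rule; without it, any drive of the approved model would pass. Since a device reports its own identifiers, this check is an access-control layer, not proof of provenance, which is why the article pairs it with procurement, audits and encryption rather than relying on it alone.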