Beating the USB burglars

Policies are needed to counter removable media risks, say John Rostern and Jared Landin



You see them everywhere: digital cameras, USB flash drives, mobile phones, MP3 players and iPods. All are easily connected to any PC, and all are capable of storing vast amounts of data, including anything accessible from any PC within your organisation.

The number of devices and the ease with which they interface with PCs have created serious risks to the confidentiality, integrity and availability of information. The threat of "information leakage" associated with these devices has become tangible and demonstrable.

And it is not just the potential for misappropriation or theft of data that is cause for concern. Given that these devices allow for a two-way exchange of information, the ability to transfer viruses, Trojans and worms onto the corporate network could cause rapid and widespread disruption.

Although the most significant threat posed by removable media is theft of information, it is a question of when, rather than if, other vulnerabilities will be exploited. One such threat, described at the Black Hat Briefings in August, involves USB-based rootkits that could allow an unauthorised individual to take complete control of a system, overriding security controls.

Whatever the risk, the mitigation strategies remain the same. But while removable media pose significant security threats, most security managers admit to not actively monitoring or preventing their use.

High cost to business

According to the 2005 Computer Crime and Security Survey, published by the Computer Security Institute and the FBI, damage caused by the theft of proprietary information cost responding companies more than £17m in the past 12 months.

The increased availability and prevalence of removable media represent an avenue for theft that is frequently left unsecured. A recent study of 100 IT managers in the UK noted that:

  • Removable media is not controlled: 84% of businesses do not have security policies to prevent employees using removable media on the network.
  • Data security is critical: 94% of respondents confirmed that data security is key to the success of their businesses.
  • Employees pose security risks: 49% believe employees are taking unnecessary risks with critical corporate data.
  • Businesses unsure of data integrity: although businesses rely on data for competitive advantage, 42% have no idea whether removable media has been used for theft.
  • Removable media are widely used: 85% of respondents use removable media devices throughout the company, with data being transported home by staff.

An effective overall security architecture combines technical and procedural elements to counter the emerging threats posed by removable media. The rapid pace of technological change demands a security strategy that is fluid.

The following should be considered:


Manage the use of removable media and communicate the policy to all staff members. Policies and procedures should be part of the organisation's overall security policy and be aligned with appropriate human resources policies.


Staff who handle sensitive information should be made aware of the security implications of removable media. Creating a security-aware workforce will improve monitoring, oversight and compliance at grass-roots level.


Consider implementing strong encryption for both data in motion and data at rest. Centrally administered schemes based on a public key infrastructure and/or digital certificates provide enterprise-level key management.

Device hardening

Implement baseline security configurations at the operating system or hardware level that restrict or prohibit the use of devices such as USB flash drives.

Disabling the USB port at either the physical or logical level can provide an additional layer of security. Combine effective technical controls with well-defined policies.
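As an added illustration of a logical-level baseline check (not part of the original article), the shell function below audits a Linux modprobe configuration directory for a block on the USB mass-storage driver. It assumes the driver is the loadable `usb-storage` module; the function name `usb_storage_policy` and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: audit modprobe configuration for a USB mass-storage block.
# Assumption: Linux host where USB storage is the loadable usb-storage module.
#
# usb_storage_policy DIR prints one word and returns:
#   0 "enforced": an "install usb-storage /bin/true|false" override exists,
#                 so modprobe runs that command instead of loading the driver
#   1 "partial":  only "blacklist usb-storage" exists; automatic loading on
#                 device insertion stops, an explicit modprobe still works
#   2 "absent":   no restriction found
usb_storage_policy() {
    dir=$1
    found_install=0
    found_blacklist=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Drop comments first; modprobe treats '-' and '_' in names alike.
        if sed 's/#.*//' "$f" | grep -Eq \
            '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+(/usr)?/bin/(true|false)([[:space:]]|$)'; then
            found_install=1
        fi
        if sed 's/#.*//' "$f" | grep -Eq \
            '^[[:space:]]*blacklist[[:space:]]+usb[-_]storage([[:space:]]|$)'; then
            found_blacklist=1
        fi
    done
    if [ "$found_install" -eq 1 ]; then
        echo "enforced"; return 0
    elif [ "$found_blacklist" -eq 1 ]; then
        echo "partial"; return 1
    fi
    echo "absent"; return 2
}

# Constructed sample configurations (not taken from any real host).
demo=$(mktemp -d)
mkdir "$demo/weak" "$demo/strong"
printf 'blacklist usb-storage\n' > "$demo/weak/usb.conf"
printf '# baseline\ninstall usb_storage /bin/false\nblacklist usb-storage\n' \
    > "$demo/strong/usb.conf"
for d in weak strong; do
    printf '%s: %s\n' "$d" "$(usb_storage_policy "$demo/$d")"
done
rm -rf "$demo"
```

On a real host the directory to audit would typically be `/etc/modprobe.d`; the check does not cover a driver built into the kernel or a privileged user loading the module by other means.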

John Rostern and Jared Landin are directors of technology risk management at accounting and consultancy group Jefferson Wells

