When portable media meant a manila file folder, the risk to its contents was minimal. When it shifted to a 5.25-inch floppy disk that stored 360 kilobytes of data, the risk grew — but not significantly. Of course, 360KB is enough to store some sensitive or confidential information. But the risk has grown exponentially for today’s portable media, because you can store exponentially more data. A USB drive smaller than one’s thumb can hold 8 gigabytes and is easier to lose, misplace or steal.
But if sales of USB drives to the federal government are any indication, the convenience of portability is winning out against the potential risks. Our feature “Focus on Security: Closed-Door Policy” addresses the security challenges that USB flash drives and other removable media pose, and examines how to mitigate the risks and take proactive steps to manage their use by employees. Here’s a short list that details some measures your information technology department can take to lock down access to USB flash drives and protect data.
Create a Written Policy: The first step in reining in the use of USB drives and other portable media is to define your agency’s policy in a written document. Letting users know when, if and under what conditions the use of USB flash drives is acceptable will raise user awareness of risks and reduce your exposure. Letting users bring in unauthorized storage devices and attach them to computer resources on the internal network exposes your agency to threats that bypass most, if not all, of the layers of security in place to protect the network.
Encrypt Flash Drives: To prevent the compromise of data if a USB drive is lost or stolen, implement security measures on the drive itself, such as encrypting the data. Numerous federal memoranda and regulations address the encryption issue and require 256-bit Advanced Encryption Standard encryption for USB flash drives.
Restrict Data and USB Port Access: If Microsoft Windows is your agency’s standard operating system, IT administrators can use Group Policy to restrict or deny access entirely, preventing computers on the network from reading data from or writing data to USB flash drives or other removable media. Additional tools can also stop users from connecting unauthorized devices to USB ports. With Windows Rights Management Services (WRMS), IT administrators can also exert a high level of control over access rights for data on the network. WRMS can deny groups or individuals the ability to view or modify files, and can control whether they can forward or print files. Additionally, these rights can be changed even after data has been downloaded and taken offsite. These measures will ensure that unencrypted USB drives can’t tap into your network computers.
Deploy Antimalware Tools: The drives also pose a malware risk. Users might bring in compromised drives and unwittingly infect the network with a virus, worm or other malware. A desktop-level antimalware utility should scan and detect threats before allowing a file on the USB flash drive to execute. If your written policy restricts unauthorized drives, this provides another layer of protection against rogue drives infecting the whole network.
Educate End Users: Most users know not to download executable e-mail attachments from senders they do not know. Wage a similar education campaign for USB drives and create a process for reporting lost or stolen media. If users lose a USB drive containing gigabytes of sensitive financial or employee data, they need to know how to report it as quickly as possible so that the agency can respond and prevent or reduce the damage caused by compromised information.
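For the Group Policy measure described under Restrict Data and USB Port Access, the following added example (not from the original article) audits a Windows computer to confirm the removable-storage restrictions actually took effect. It assumes the machine-scope "Removable Storage Access" policy values and the USBSTOR driver start value are the controls in use; the function names are hypothetical, and user-scope policy and third-party port-control tools are not checked.

```powershell
# Added example: read-only audit of the machine-scope registry values behind
# the Group Policy "Removable Storage Access" settings. It changes nothing.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass  = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # removable disks class
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns the value, or $null when the key or value is absent (Not Configured).
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-RemovableStorageAudit {
    $denyAll   = Get-PolicyValue $PolicyRoot 'Deny_All'
    $denyRead  = Get-PolicyValue "$PolicyRoot\$DiskClass" 'Deny_Read'
    $denyWrite = Get-PolicyValue "$PolicyRoot\$DiskClass" 'Deny_Write'
    $usbStor   = Get-PolicyValue $UsbStorKey 'Start'   # 4 = driver disabled

    # A disabled USB storage driver blocks both directions, like Deny_All.
    $driverOff    = ($usbStor -eq 4)
    $readBlocked  = ($denyAll -eq 1) -or ($denyRead -eq 1) -or $driverOff
    $writeBlocked = ($denyAll -eq 1) -or ($denyWrite -eq 1) -or $driverOff

    $finding = if ($readBlocked -and $writeBlocked) { 'Removable disks blocked' }
               elseif ($writeBlocked) { 'Read-only: data cannot be copied to drives' }
               elseif ($readBlocked)  { 'Read denied, but writes are still allowed' }
               else { 'No machine-scope restriction found' }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        DenyAll      = $denyAll
        DenyRead     = $denyRead
        DenyWrite    = $denyWrite
        UsbStorStart = $usbStor
        ReadBlocked  = $readBlocked
        WriteBlocked = $writeBlocked
        Finding      = $finding
    }
}

Get-RemovableStorageAudit | Format-List
```

A blank value in the output means the setting is not configured on that computer, which is the case to chase down when the written policy says removable drives are restricted.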
The drives are in use, so make them safe and effective tools — not a new weak point on your network.
Editor in Chief