Twelve Security Best Practices for USB Drives

Tuesday, February 07, 2012

Kelly Colgan


By Ondrej Krehel, Identity Theft 911

How do most corporate data breaches happen? Lost laptops and USB drives.

Now, many businesses have some kind of security practice in place for lost corporate computers, whether it’s encrypted drives with remote wipe or a call-in procedure for reporting a loss.

But how many have USB drive best practices on the books? Not many.

Yet USBs, because of their size, are more likely to be lost than laptops or smartphones.

And, loaded with sophisticated malware and viruses, USB drives have been used to penetrate some of the world’s most sensitive networks, from the Department of Defense on down.

So how do you protect against lost data or network intrusions associated with USB storage devices or thumb drives?

Here are the best practices for designing your company’s USB drive policy:

1. Enable USB functionality on a need-to-have basis. Disable storage devices on computers with access to sensitive information. It will limit exposure and reduce the risk of unauthorized data being transferred away from your organization.

2. If your business needs USB drives, issue devices that provide whole drive encryption and are passphrase protected.

3. Make sure those drives have remote management options, such as remote wipe or remote lock. Drives like those from IronKey have remote administration tools that also enforce strong passwords, have strict re-entry limits, disable portable applications and, believe it or not, even self-destruct.

4. Look for drives that provide event logging and geotagging, so information on what computer, and where, is retained on every use.

5. Enforce USB scanning on all corporate computers whenever a thumb drive is plugged in. This can help ensure no malware or malicious programs are on the drive. Allow only corporate signed and approved applications to be run from the drive.

6. Regularly audit USB devices to ensure that only documents in compliance with acceptable usage are being stored. This is a snatch and scan. It only takes a few of these kinds of trips around the office before everyone is very aware of the seriousness of the new USB policy.

7. Perform regular backups of USB devices internally, including encryption keys, for data recovery purposes. Ensure that backups are properly safeguarded, and have separate procedures and security controls for backup of encryption keys. It’s also another excellent way to monitor what information is being moved to and from the device.

8. Test data recovery procedures to ensure that the corporate security office can unlock and access any USB drive, even if an end user or malware maliciously disables the USB drive.

9. Ensure that mobile devices with USB storage cards—such as digital cameras and SD Card readers—have the same controls as any USB drive.

10. If possible, issue USB devices with unique serial numbers tagged in the firmware, as well as etched on the outside cover.

11. Know your assets. Have a precise count of the USB devices at your organization. List them by owner and use. Ban use of all personal USB devices, without question, on any work computers or for any work use.

12. If a USB device is lost, take a look at the latest secure backup to review what was lost and the potential risk. Consider recovering the drive through those geotagging features, or wiping or destroying the device with remote administration tools.
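As an added illustration of items 10 and 11 (not code from the original article), the Python below checks USB mass-storage connections in Linux kernel syslog lines against an inventory keyed by firmware serial number. The inventory, hostnames, serials and log lines are constructed samples, and it assumes workstations forward kernel messages to a central log.

```python
import re

# Constructed inventory (item 11): firmware serial -> owner. Hypothetical values.
APPROVED = {"CORP-0001": "a.novak (finance)", "CORP-0002": "j.lee (legal)"}

# Constructed sample lines in the Linux kernel's USB message format.
SAMPLE_LOG = """\
Feb  7 09:14:02 ws-fin-03 kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666
Feb  7 09:14:02 ws-fin-03 kernel: usb 1-2: SerialNumber: CORP-0001
Feb  7 09:14:03 ws-fin-03 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Feb  7 10:31:47 ws-hr-11 kernel: usb 2-1: New USB device found, idVendor=0781, idProduct=5567
Feb  7 10:31:47 ws-hr-11 kernel: usb 2-1: SerialNumber: PERSONAL-EXAMPLE-1
Feb  7 10:31:48 ws-hr-11 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Feb  7 11:02:10 ws-hr-11 kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c31c
Feb  7 11:05:55 ws-dev-07 kernel: usb 1-4: New USB device found, idVendor=abcd, idProduct=1234
Feb  7 11:05:56 ws-dev-07 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) kernel: "
                  r"(?P<drv>usb(?:-storage)?) (?P<port>\d+-[\d.]+)(?::\d+\.\d+)?: (?P<msg>.*)$")

def audit(log_text, approved):
    """Return (violations, unseen): unapproved storage connections and
    approved serials that never appeared in the log."""
    serial_at = {}             # (host, port) -> serial of the device enumerated there
    violations, seen = [], set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, msg = (m["host"], m["port"]), m["msg"]
        if m["drv"] == "usb" and msg.startswith("New USB device found"):
            serial_at[key] = None          # new enumeration: forget the previous device
        elif m["drv"] == "usb" and msg.startswith("SerialNumber: "):
            serial_at[key] = msg.split(": ", 1)[1].strip()
        elif m["drv"] == "usb-storage" and "Mass Storage device detected" in msg:
            serial = serial_at.get(key)
            if serial in approved:
                seen.add(serial)
            else:                          # not in inventory, or reports no serial at all
                violations.append((m["ts"], m["host"], serial or "<no serial>"))
    return violations, sorted(set(approved) - seen)

if __name__ == "__main__":
    bad, unseen = audit(SAMPLE_LOG, APPROVED)
    for ts, host, serial in bad:
        print(f"UNAPPROVED storage device {serial} on {host} at {ts}")
    print("Approved drives not seen in this log:", unseen)
```

Approved serials that never show up in the log window are candidates for the asset count in item 11 and the lost-device review in item 12.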

Portable and mobile storage devices are significant players in most corporate offices. Ensuring proper protection with a best practices policy and strict enforcement offers significant risk reduction—and can prevent long nights on data breach investigations.

Ondrej Krehel, Chief Information Security Officer, Identity Theft 911. Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

Thomas Mitchell You may want to check out MetaDefender for Media (MD4M) at
I think this is the ideal solution to protect your organization against the risk of data loss associated with external devices such as USB drives, CDs and other media. MD4M scans your media using up to 10 antivirus engines (from AVG, CA, ESET and others) as well as your own custom engines (such as Data Loss Prevention), and it also allows control over the flow of data in and out of an organization. After analysis, you can decide how the file is handled – whether it should be quarantined, allowed to enter/leave the organization, etc.
As far as I know, MD4M is available either as a kiosk or as standalone software to run on your own scanning station.

I hope this helps.