USB flash drives are small solid-state memory sticks that are about the size of your thumb and can hold anywhere from 1MB to 1GB of data. They’re incredibly lightweight, very portable and compatible with any PC equipped with a USB port and running Windows, Mac or Linux.
Flash drives have fast transfer rates, include no moving parts and don’t require a separate power source or batteries. Just stick the flash drive into the USB port of your PC and Windows Plug and Play immediately recognizes it as an additional drive. You can then copy the files you need to take with you, unplug the device from the PC, and you’re ready to go. Flash drives hold more data than a floppy, are more portable than ZIP drives and other remote storage devices, and less fragile than CD-RW disks.
However wonderful these new devices are, like any other technology, they do have a dark side. You don’t have to be an administrator to install one of these devices, and you can’t manage USB devices via Group Policy. In other words, short of disabling all of the USB ports, they are difficult to defend against.
In the past, disreputable people used floppy disks to spread viruses and to add or remove data from your environment. Flash drives open an all-new avenue to infect computer environments. With their large capacities, imagine the number of viruses that could be released on your network.
Adding to this point, anyone could install unauthorized or illegal software and/or copyrighted materials into your organization. People now have a virtually undetectable medium to introduce applications, audio, video, pornography and any number of other things that violate security policies and applicable laws.
Flash drives also provide a simple way to remove data. Corporate espionage is a largely underreported problem in the United States and Europe. Attackers, corporate spies and disgruntled employees steal data every day and, in many cases, these are crimes of opportunity.
With a Flash Drive, any unattended and unlocked PC with an active USB port becomes an opportunity. A little social engineering can give an attacker physical access to a PC long enough to steal data or plant spyware.
Disgruntled employees can take home sensitive data in a few minutes. Exactly how fast? At 1/Mb per second, a person can copy a 60Mb file to a flash drive in a mere 60 seconds.
Data theft is only one side of the coin. The other is data loss. Vendors have begun responding to this problem by manufacturing flash drives with built-in security features. There are a number of open source encryption packages that can encrypt flash drive data to keep data secure should the device be lost or stolen.
Since these devices are very compact, people tend to lose them more frequently than larger removable media. This means that the potential for the loss of large amounts of data greatly increases when users are issued flash drives.
We’ve found flash devices wedged in the seats of mass transit trains. One of the devices contained all of the owner’s personal and financial information (QuickBooks, credit card numbers, etc.). Of course, we returned the drives to the owners so they didn’t experience the pain an identity theft victim normally goes through.
Rreduce the Risks
Start with a small training class to let your employees know about the risks that the flash drives pose. You’ll find that many people are initially more concerned with the novelty factor than its high potential for misuse. This is an opportunity to change that mindset.
Establish and enforce desktop policies. Don’t allow employees access to information that is not essential to their duties. If you can take it a step farther, disable USB or any other ports that aren’t needed. You’ll get complaints at first, but this is much easier to digest than a full-blown security event.
One last, but very important point. Be sure that your anti-virus solution is configured to provide real-time scans of removable media when present.
Currently, several big name AV vendors offer this capability, but not in the default settings.
USB flash drives are wonderful and, with due diligence, can be invaluable tools in your business. Like any new technology, if you weigh all of the risks and enforce the appropriate controls, you should be able to enjoy the benefits without becoming an unfortunate statistic.
Adapted from enterpriseitplanet.com.
| Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today! |
