All I want for Christmas is a USB!
“Good Security”: what sort of things come to mind when people think about having good “Electronic Security”?
Good Passwords – Everyone knows that one.
Keep Servers in a locked place – Obvious, since they’re expensive.
Track and Encrypt your Mobile Devices – Also, fairly obvious.
Okay, this is all well and good, but what about something a little less obvious?
How about keeping track of USB drives that your company purchases?
There’s a good reason I’m asking that. It’s because losing a USB stick with sensitive information can be a costly affair.
Heathrow Airport got fined £120,000 ($200,000 CAD) for losing track of a USB stick that had sensitive information on it.
Now then, I realize that this happened in the UK and not Canada, but the truth of the matter is that our Data Protection laws and theirs are similar in a lot of ways.
Not only did they lose an important USB stick, but the data was not encrypted or password-protected in any way. If something like this occurred in Canada, it would be a violation of PIPEDA and DPA, so it would need to be treated as a “Breach of Security Protocols”, and could lead to fines and litigation.
USB sticks are very small, so they are easy to conceal (and misplace).
They can store a HUGE amount of information (1TB USB stick)
They can also be compromised to load malicious software (Stuxnet)
Often, USB sticks are treated as something a company can purchase and forget about. They’re so cheap, it’s hardly worth the effort to keep track of them (less than $10.00 each, depending on the size). However, the EU GDPR legislation has laid the groundwork for Privacy Regulation worldwide, and many countries are updating their Personal Privacy Regulations to similar standards.
Some often-overlooked questions when it comes to Computer Security:
Where are all your company’s USB sticks?
Do you use USB sticks to transfer sensitive information?
If so, is it encrypted or password-protected?
Are there procedures in place to help promote good behaviour?
How many USB sticks does your company have?
How many USB sticks SHOULD your company have?
Probably the most important questions on that list are the last two. Since USB sticks are considered disposable, many organizations don’t keep track of how many they purchase and lose. Their use is worth keeping track of, as is your inventory.
The question of how to handle USB devices is nothing new; neither is how to treat or manage them. As an example, the US Army doesn’t allow USB devices onto their bases at all. This came as a surprise to some Salespeople in a company I used to work for, as most of the swag they had intended to give out as freebies at a Sales thing was confiscated at the entrance to the base. That happened around a decade ago, so USB is something the US Army has been concerned about for some time.
Now then, I’m not advocating this level of paranoia. It’s an extreme approach to the problem, but it does acknowledge the potential Security Risk presented by small, portable storage devices.
Something I do as part of a Security Audit is to take a look at the historic activity of USB devices on an organization’s computers.
Yeah, that can be done. The devices that get connected to a computer are something that can be monitored and tracked in real time, even with just a little software. I also do this as part of a Security Audit, to see if there’s any unusual-looking activity.
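One way to run the historic-activity check described above, as an added example that is not the author's own tooling: it assumes Linux workstations whose kernel log records USB attach events, and the log lines, host name, serial numbers and inventory set are all constructed.

```python
import re

# Constructed sample of kernel log lines in syslog format (not from a real host).
SAMPLE_LOG = """\
Dec 12 09:14:02 ws-014 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Dec 12 09:14:02 ws-014 kernel: usb 1-2: Product: Cruzer Blade
Dec 12 09:14:02 ws-014 kernel: usb 1-2: SerialNumber: CONSTRUCTED0001
Dec 12 09:14:02 ws-014 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Dec 12 11:40:37 ws-014 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
Dec 12 11:40:37 ws-014 kernel: usb 1-3: Product: USB Optical Mouse
Dec 13 22:05:51 ws-014 kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Dec 13 22:05:51 ws-014 kernel: usb 1-2: Product: DataTraveler 3.0
Dec 13 22:05:51 ws-014 kernel: usb 1-2: SerialNumber: CONSTRUCTED0002
Dec 13 22:05:51 ws-014 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kernel: "
                  r"(?P<drv>usb-storage|usb) (?P<port>[\d.-]+)(?::[\d.]+)?: (?P<msg>.*)$")
FOUND = re.compile(r"New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")

def storage_events(log_text):
    """Return one record per USB mass-storage attach, in log order."""
    pending, events = {}, []  # pending: port -> device currently being described
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        port, msg = m["port"], m["msg"]
        found = FOUND.search(msg)
        if found:  # new device on this port: start a fresh record
            pending[port] = {"time": m["ts"], "host": m["host"], "product": None,
                             "vid_pid": f"{found[1]}:{found[2]}", "serial": None}
        elif port in pending and msg.startswith("Product: "):
            pending[port]["product"] = msg[len("Product: "):]
        elif port in pending and msg.startswith("SerialNumber: "):
            pending[port]["serial"] = msg[len("SerialNumber: "):]
        elif port in pending and m["drv"] == "usb-storage" and "Mass Storage device detected" in msg:
            events.append(pending.pop(port))  # only storage devices are reported
    return events

def unknown_devices(events, inventory_serials):
    """Storage attaches whose serial is not in the company inventory.
    Devices that report no serial at all (serial is None) are flagged too."""
    return [e for e in events if e["serial"] not in inventory_serials]

if __name__ == "__main__":
    for e in unknown_devices(storage_events(SAMPLE_LOG), {"CONSTRUCTED0001"}):
        print(e["time"], e["host"], e["vid_pid"], e["product"], e["serial"])
```
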
Awareness and monitoring: That’s my mantra; just about every time.
If you have any questions about Device Security, you can always reach out to your TRINUS Account Manager for some stress-free IT.
Your Friendly Neighbourhood Cyberman.