Also known as secure thumb drive, secure memory stick, secure pen drive, secure jump drive, secure flash drive, secure USB key etc., secure USB drives are used to protect the data stored on them from leaking to unauthorized users. USB Flash Drive products have been on the market since 2000, and are increasing in use exponentially. As both consumers and businesses have an increased demand for these drives, so manufactures are producing faster devices with greater storage levels. An increased number of portable devices are used in business, such as laptops, notebooks, universal serial bus (USB) flash drives, personal digital assistants (PDAs), advanced mobile phones and other mobile devices. Companies in particular are at risk when sensitive data stored is stored on unsecured USB flash drives by employees using them to traveling with data and take work home. The consequences of losing drives loaded with such information can be significant, and include the loss of customer data, financial information, business plans and other confidential information, with the associated risk of reputation damage. Major dangers of USB drives The uncontrolled use of USB drives is a major danger since it represents a significant threat to information confidentiality. Therefore the following should be taken into consideration for securing USB drives assets: * Storage: USB flash drives are usually put in bags, backpacks, laptop cases, jackets, trouser pockets or are left on unattended workstations. * Usage: corporate data are stored on personal non-secure drives and move constantly. As USB drives gain wider acceptance among IT departments in organizations, the likelihood of security breaches and data loss increases. Many enterprises have strict management policies toward USB drives, and some companies ban them outright to minimize risk. The average cost per breach ranges from less than USD 100 000 to about USD 2.5 million , corporate end users most frequently copy: # customer data (25 %), # financial information (17 %), # business plans (15 %), # employee data (13 %), # marketing plans (13 %), # intellectual property (6 %) and # source code (6 %) to USB drives. Examples of security breaches as a result of using USB drives include: * In the UK: ** a laptop with data of some 2000 people with individual savings accounts (ISA) was stolen from a HM Revenue & Customs employee ** HM Revenue & Customs lost personal details of 6500 private pension holders ** nine NHS trusts lost patient records kept on disk; details of 1 500 students were lost in the post ** details of three million British learner drivers were lost * In the United States: **a USB drive was stolen with names, grades and social security numbers of 6 500 former students ** USB flash drives with US Army classified military information were up for sale at a bazaar outside Bagram, Afghanistan. Solutions Software Software solutions such as FreeOTFE and TrueCrypt allow the contents of a USB drive to be encrypted automatically. This software can be carried on the same USB drive, and run without having to install it on a host computer. Such software solutions may be used with any USB drive - turning cheap, commonly available USB drives into secure storage systems. Other software solutions may help minimize risk by allowing corporations to record the interactions between the drive and the PC or server and record them in a centralized database. Hardware Some USB drives offer embedded hardware encryption, although these do cost significantly more. Chips within the USB drive carry out automatic encryption Hardware systems may offer additional features, such as the ability to automatically overwrite the contents of the drive if the wrong password is entered more than a certain number of times. This type of functionality cannot be provided by a software system, as the encrypted data can simply be backed up before trying multiple passwords - then restoring it if the wrong password is attempted, resetting the device to the same position it was in before attacking it. However, this form of hardware security is likely to present more of a hazard to the users data rather than increase security, because of the risk of it being activated accidently by legitimate users, and the fact any strong encryption algorithm would make such funtionality redundant anyway. Retailers of secure USB drives include: SanDisk, Kingston Technology, Lexar, IronKey and Kanguru Solutions Management In an commercial environment, in which most secure USB drives will be used <ref name=ENISA/>, a central management system may provide IT organizations with an additional level of IT asset control. This may include initial user deployment and ongoing management, password recovery, data backup, and termination of any issued secure USB drive. Such management systems are available as Software as a Service and behind-the-firewall solutions.
|
|
|