USB Sticks, But Securely

Author: Sven Radavics, General Manager – APAC, Imation Mobile Security (IronKey)

Small, light, easy to handle: USB flash drives are a popular way to exchange data, take work home and store documents. The sticks can also constitute a serious security risk if files stored on them are unencrypted and unprotected – the result is a potential risk of data loss.

A study at the end of 2014 by the UK-based research firm Vanson Bourne demonstrated the extent of the problem. The survey of 1,000 office workers in Germany and the UK found that nearly 40 percent of those polled had lost a mobile device in a public place, had had one stolen, or personally knew someone to whom this had happened.

Three-quarters of lost devices, such as laptops, mobile phones and USB flash drives, contained business data - including confidential e-mails (37%), confidential files (34%) and customer data (21%). Around one in ten had lost financial data or access data such as login and password information, which in turn exposed even more confidential information to the risk of a data breach.

While three-quarters of all respondents had brought digital files home from work, only a few USB devices included standard security measures such as encryption, password protection or remote wipe to protect the data from unauthorised access. In Germany, the USB stick was the most popular way to take work out of the office: 40 percent of respondents said that they store digital files on the go on a USB stick.

Security risks associated with standard USB sticks

While a laptop is usually equipped at least with a password and security software, securing sensitive data on a standard USB stick is less straightforward. This is due to the construction of the USB stick. Even if files are encrypted with encryption software before transfer to the USB stick, the key is usually stored in the same memory space. Security experts joke that you might as well hang the front door key next to the front door: If the USB stick falls into the hands of an attacker, he has relatively little difficulty accessing the crypto key and thus the encrypted information.

With password protection there is a similar problem. Files can be protected with a password, but this in turn also sits in the same storage area on the stick as the data to be protected and is thus exposed to the risk of a brute-force attack. Even mechanisms that block access after an incorrect password has been entered several times can be circumvented - clever hackers can manipulate the counting mechanism.
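The two storage layouts discussed in the paragraphs above, as an added example that is not from the article or any vendor's product: a "weak" image that keeps the data key beside the ciphertext, and a "wrapped" image where the key is stored only under a password-derived key. All function names and the sample data are constructed for illustration, and the HMAC-based stream cipher is a standard-library stand-in for a real cipher such as AES.

```python
import hashlib, hmac, os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); stand-in for AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def derive_keys(password: str, salt: bytes):
    """Stretch the password into a wrapping key and a separate MAC key."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return raw[:32], raw[32:]

def write_weak(plaintext: bytes) -> dict:
    """Layout the article warns about: data key stored beside the ciphertext."""
    key, nonce = os.urandom(32), os.urandom(16)
    return {"key": key, "nonce": nonce, "ct": xor_stream(key, nonce, plaintext)}

def read_weak(image: dict) -> bytes:
    # No password involved: the raw image contains everything needed.
    return xor_stream(image["key"], image["nonce"], image["ct"])

def write_wrapped(plaintext: bytes, password: str) -> dict:
    """Data key is stored only wrapped under a password-derived key."""
    dek, nonce, salt = os.urandom(32), os.urandom(16), os.urandom(16)
    wrap_key, mac_key = derive_keys(password, salt)
    wrapped = xor_stream(wrap_key, salt, dek)
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag,
            "nonce": nonce, "ct": xor_stream(dek, nonce, plaintext)}

def read_wrapped(image: dict, password: str):
    """Return the plaintext, or None if the password does not unwrap the key."""
    wrap_key, mac_key = derive_keys(password, image["salt"])
    expected = hmac.new(mac_key, image["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, image["tag"]):
        return None
    dek = xor_stream(wrap_key, image["salt"], image["wrapped"])
    return xor_stream(dek, image["nonce"], image["ct"])

if __name__ == "__main__":
    secret = b"constructed sample: customer list"
    print(read_weak(write_weak(secret)))                 # readable with no password
    img = write_wrapped(secret, "correct horse battery")
    print(read_wrapped(img, "guess"), read_wrapped(img, "correct horse battery"))
```

Even in the wrapped layout, a copied image can still be attacked by guessing passwords offline, only more slowly; that remaining gap is what the hardware designs described in the article address by keeping the key in a separate crypto chip.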

Fortunately, special highly secure USB flash drives are available on the market, even meeting the strict requirements of the US government and the US military. What these devices have in common are in-built security features such as authentication mechanisms - such as a password or biometric information - and encryption mechanisms. But even here there are big differences: it’s worth checking the details.

What is different with highly secure USB drives?

Following rigorous testing of hardware and software security, the US National Institute of Standards and Technology (NIST) awards the so-called FIPS certification at four different security levels, with level 1 being the lowest and level 4 the highest level of security. Besides the authentication and encryption technologies used, the tests examine how these mechanisms are implemented in the product. They also check physical security: how easily can the stick be opened or the memory chip accessed?

While some USB devices certified to FIPS 140-2 Level 2 save their cryptographic keys as readable plain text or disguised text in flash memory - with the associated risks - devices designed for greater security store the key in a separate crypto chip module. This module is protected, for example, with a metal mesh and a self-destruct mechanism so that it's tamper-proof.

Secure storage devices often have particularly robust housing and tamper protection circuits that make all critical security parameters stored in plain text unreadable when the product case is opened. Security level 3 further requires that operations with plain text security parameters are physically separated from other operations, that is, that they use other ports or logically segregated interfaces.

Companies considering the use of secure USB sticks should pay attention to a number of additional features in addition to the FIPS certification: How easy is it to handle the stick? Which device management options are available? Can security policies, for example for password management, be defined and enforced? Does the device offer advanced protection features such as remote password reset or remote wipe in case of theft or loss? And: how robust is the device - for example, would it survive a 60 degree wash cycle?


There remains the question of new methods of attack such as BadUSB, which manipulates the firmware of a device with malicious code. The most advanced USB flash drives also offer protection against this: here, the firmware is protected against unauthorised access with a digital signature.

Companies that allow their employees to store data on USB sticks should be aware of the security risks involved and consider how big the financial loss and reputational damage would be in the event of data loss. The switch to high-security devices can certainly pay off.
