USB Sticks, But Securely

Author: Sven Radavics, General Manager – APAC, Imation Mobile Security (IronKey)

Small, light and easy to handle, USB flash drives are a popular way to exchange data, take work home and store documents. But the sticks can also constitute a serious security risk: if the files stored on them are unencrypted and unprotected, the result is a real risk of data loss.

A study at the end of 2014 by the UK-based research firm Vanson Bourne demonstrated the extent of the problem. The survey of 1,000 office workers in Germany and the UK found that nearly 40 percent of those polled had either lost a mobile device in a public place or had one stolen from them, or personally knew someone this had happened to.

Three-quarters of the lost devices, such as laptops, mobile phones and USB flash drives, contained business data, including confidential e-mails (37%), confidential files (34%) and customer data (21%). Around one in ten had lost financial data or access data such as login and password information, which in turn exposed even more confidential information to the risk of a data breach.

While three-quarters of all respondents had taken digital files home from work, only a few of their USB devices had standard security measures such as encryption, password protection or remote wipe to keep the data from unauthorised access. In Germany, the USB stick was the most popular way to take work out of the office: 40 percent of respondents said they store digital files on a USB stick when on the go.

Security risks associated with standard USB sticks

While a laptop is usually protected at least by a password and security software, securing sensitive data on a standard USB stick is less straightforward, because of how the stick is built. Even if files are encrypted with encryption software before being copied to the stick, the key is usually stored in the same memory as the data. Security experts joke that you might as well hang the front door key next to the front door: if the stick falls into the hands of an attacker, he has relatively little difficulty retrieving the crypto key and thus the encrypted information.

Password protection has a similar problem. Files can be protected with a password, but the password in turn also sits in the same storage area of the stick as the data it protects, and so is exposed to brute-force attacks. Even mechanisms that block access after an incorrect password has been entered several times can be circumvented: clever hackers can manipulate the counting mechanism.

Fortunately, specially designed, highly secure USB flash drives are available on the market, some of them meeting even the strict requirements of the US government and the US military. What these devices have in common are built-in security features: authentication mechanisms, such as a password or biometric information, and encryption mechanisms. But even here there are big differences, so it is worth checking the details.

What is different with highly secure USB drives?

Following rigorous testing of hardware and software security, the US National Institute of Standards and Technology (NIST) awards the so-called FIPS certification at four security levels, with level 1 the lowest and level 4 the highest. Besides the authentication and encryption technologies used, the tests examine how these mechanisms are implemented in the product. They also check physical security: how easily can the stick be opened or the memory chip accessed?

While some USB devices certified to FIPS 140-2 Level 2 store their cryptographic keys in flash memory as plain text or in merely obfuscated form, with the associated risks, devices designed for greater security store the key in a separate crypto chip module. That module is protected, for example, by a metal mesh and a self-destruct mechanism, making it tamper-proof.

Secure storage devices often have particularly robust housings and tamper-protection circuits that render all critical security parameters stored in plain text unreadable as soon as the product case is opened. Security level 3 further requires that operations on plain-text security parameters are physically separated from other operations, that is, carried out over separate ports or logically segregated interfaces.

Companies considering the use of secure USB sticks should pay attention to a number of features in addition to the FIPS certification: How easy is the stick to handle? Which device management options are available? Can security policies, for example for password management, be defined and enforced? Does the device offer advanced protection features such as remote password reset or remote wipe in case of theft or loss? And: how robust is the device? Would it, for example, survive a 60 degree wash cycle?


There remains the question of newer attack methods such as BadUSB, which manipulates a device's firmware with malicious code. The most advanced USB flash drives also offer protection against this: their firmware is protected against unauthorised modification by a digital signature, so the device refuses firmware that does not carry a valid signature from the manufacturer.
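The firmware signature check described above, as an added example (not code from the article or from any drive manufacturer): the `FWIM` image layout and the use of Ed25519 are constructed assumptions. The point it shows is that the device only accepts an image whose signature verifies against a public key pinned in the device, so a modified image, a truncated one, or one signed with someone else's key is rejected before anything is written.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not a real vendor format):
//   magic "FWIM" | uint32 payload length | payload | 64-byte Ed25519 signature
// The signature covers everything before it: magic, length and payload.
var magic = []byte("FWIM")

const hdrLen = 8 // magic (4) + length (4)

// BuildImage signs a firmware payload with the manufacturer's private key.
// This happens at build time; the private key never leaves the vendor.
func BuildImage(priv ed25519.PrivateKey, payload []byte) []byte {
	body := make([]byte, 0, hdrLen+len(payload)+ed25519.SignatureSize)
	body = append(body, magic...)
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(payload)))
	body = append(body, n[:]...)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is what the device's update path does before flashing: parse
// the header, check the signature against the pinned public key, fail closed.
func VerifyImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < hdrLen+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return nil, errors.New("bad header")
	}
	n := int(binary.BigEndian.Uint32(img[4:hdrLen]))
	if len(img) != hdrLen+n+ed25519.SignatureSize {
		return nil, errors.New("length mismatch")
	}
	body, sig := img[:hdrLen+n], img[hdrLen+n:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature invalid: image rejected")
	}
	return body[hdrLen:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is the pinned key
	img := BuildImage(priv, []byte("constructed firmware payload v1"))
	_, err := VerifyImage(pub, img)
	fmt.Println("genuine image:", err)
	tampered := append([]byte(nil), img...)
	tampered[12] ^= 0x01 // a single flipped bit in the payload
	_, err = VerifyImage(pub, tampered)
	fmt.Println("tampered image:", err)
}
```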

Companies that allow their employees to store data on USB sticks should be aware of the security risks involved and consider how large the financial loss and reputational damage would be in the event of data loss. The switch to high-security devices can certainly pay off.
