The vast majority of today’s workforce uses USB memory sticks because they offer unequalled convenience for transferring data. In most situations, if the data is not confidential, a standard USB stick is quite acceptable, but what do you use if your data is sensitive?
There are many different types of secure portable devices on the market, each targeting particular security levels and users. Finding an acceptable level of security - choosing the appropriate device - will depend on your needs: a government organisation or high security business will be looking for sophisticated levels of protection, while the average user may simply want to be more secure when transferring data via a USB device.
This review deals with products more suitable for the average user, someone who doesn’t want to leave their personal data vulnerable. But it is still relevant to IT departments and managers who issue USB devices to employees - we’ve all had occasion to borrow a colleague’s memory stick to transfer our files.
In this review, we look at six secure USB memory sticks to discover how suitable they are for an office environment, and some of the typical risks they should address.
Some USB sticks ship with built-in security policies, but these policies are not always validated by a recognised authority. The level of security may be quite acceptable, but it is probably a better option to prioritise products that comply with any of the more widely accepted standards. FIPS (Federal Information Processing Standard - USA) and AES (Advanced Encryption Standard) are two of the main ones. A product that complies with these standards will meet your needs. All the products discussed here comply with one of these standards.
Obviously, security is the most important factor in choosing a secure USB stick. So you’d be forgiven for assuming that files (stored or deleted) on a secure device were indeed secure. We undertook some very basic tests using just one freely available open-source file recovery product and discovered that secure is not always what we assume. The testing revealed some important weaknesses in some devices, while others provide a robust level of file protection.
How we tested
It is important to consider how these devices would be used in an office or home environment. In most offices it is common behaviour to lend USB sticks to colleagues. To interrogate weaknesses related to this behaviour we set up three simple tests.
Firstly, we created two MS Word documents: one that we opened from its location within the device under test (if possible), and a second that was copied to the device without being opened. Both files were then deleted and the device’s password was changed. This mimics the possible behaviour of someone who has given their USB stick to another party. We then plugged the device into a separate computer and scanned it without logging in to the device’s security/password system. No trace of the deleted files should be detected. We wanted to see whether files stored in, or even deleted from, the secure area of the device could be seen by anyone who simply picked up the device, for instance if it had been dropped in the street. The hoped-for outcome of this test was that no files would be found, ensuring privacy.
For the second test we logged in (using the new password) and rescanned the device to see if we could recover the deleted files. Our aim here was to find out whether deleting files from the secure area of the device really did delete them in a secure manner, or in the same way as a normal file is deleted and thus easily recoverable once logged in.
The third and final test was to reset or format the device using the options provided in the device menu, and then rescan one last time. This should also remove any trace of the files. If you were planning on giving away your USB stick to a colleague, this method would be commonly used to ensure no data is left behind.
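The three scans described above can be reproduced against a raw image of a device before handing it on. The sketch below is an added example, not the recovery product used in this review: it checks every sector of an image for the signatures that open Word files. The 16-sector volume, the key and the SHA-256 keystream standing in for the device's encryption are all constructed for illustration.

```python
import hashlib

SECTOR = 512
# Magic bytes that open the two Word formats the test documents could use.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (.doc)",
    b"PK\x03\x04": "ZIP container (.docx)",
}

def find_remnants(image: bytes, sector: int = SECTOR):
    """Return (offset, kind) for every sector that starts with a known signature."""
    hits = []
    for off in range(0, len(image), sector):
        for magic, kind in SIGNATURES.items():
            if image.startswith(magic, off):
                hits.append((off, kind))
    return hits

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for the device's encryption (NOT AES): SHA-256 counter keystream."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def build_constructed_images():
    """Constructed volume holding one .doc and one .docx, in the three test states."""
    volume = bytearray(16 * SECTOR)
    volume[4 * SECTOR:4 * SECTOR + 8] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    volume[9 * SECTOR:9 * SECTOR + 4] = b"PK\x03\x04"
    # Test 2 view: logged in after an ordinary delete, data sectors untouched.
    deleted = bytes(volume)
    # Test 1 view: scanned without logging in, only ciphertext is visible.
    locked = keystream_xor(deleted, b"constructed-key")
    # Test 3 view: after a reset that overwrites the secure area.
    reset = bytes(len(volume))
    return {"locked": locked, "deleted": deleted, "reset": reset}

if __name__ == "__main__":
    for state, image in build_constructed_images().items():
        print(state, find_remnants(image))
```

A device that passes all three tests returns an empty list for each state; hits in the logged-in view mean deletion only removed the directory entry and left the file contents in place.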