Gone in a Flash: Small Devices Represent Big Security Risks for Organizations
They are tiny, smaller than a pack of gum, yet just one can hold a staggering amount of information. They are innocuous, inexpensive, and unlikely to raise red flags except in the securest of settings. And yet they can be surprisingly resilient, surviving accidents such as an unintended trip through a washing machine.
They are flash drives and, even in our astonishing age of computers, the promise they exhibit is remarkable. Those who once had to use their chin to balance a briefcase on top of a cardboard box of documents while negotiating a flight of stairs can now transfer the same data from one computer to another with a device that many use as a keychain, a tactic known as a "sneakernet."
Few would argue their merit, but they can be catastrophic to a company's security. They are easy to steal, easy to steal with, and easy to misplace (Stasiukonis, 2006). These little devices have caused huge messes, sometimes related to private employee information.
There's the case of the flash drive that contained 3,000 sensitive files of Idaho National Guard personnel and was stolen from a car (James, 2007). Hundreds of flash drives - some with sensitive military information including data on U.S. soldiers, confidential informants and a manual describing pain techniques - were found for sale at the bazaar outside the Air Force Base in Bagram, Afghanistan (Watson, 2006).
In June 2007, a backup device was stolen from the unlocked car of an intern for the state of Ohio. It contained the names and Social Security numbers of every state employee. Fortunately, the device was encrypted. Nevertheless, Gov. Strickland has asked the Ohio Highway Patrol to lead the investigation to recover it.
In January 2008, Dr. Theodore Nagel lost the flash drive on which he backed up his computer. The information was of a particularly delicate nature; Dr. Nagel is a fertility specialist at the University of Minnesota's Reproductive Medicine Center, and the drive contained medical records of 3,100 patients. Despite the university's regulations, Dr. Nagel neither kept the files on an encrypted drive nor utilized password protection (Murphy, 2008).
Such things happen, and probably more often than is reported.
Devices such as flash drives, laptops, iPods, cell phones and Blackberries are known to computer security experts as "endpoint security." For years, billions of dollars have been spent on firewalls and developing methods to prevent hackers from compromising systems, but generally this technology will not prevent someone in a company or government agency from stealing untold gigabytes of data by simply plugging a flash drive into a USB port (Sullivan, 2006). According to the 2007 Small and Medium Business State of Security Survey of 450 IT managers and employees, only 20% had taken measures to block the use of USB devices on their computers ("Study: SMBs Overconfident," 2007). Larry Poneman, a privacy expert at The Poneman Institute, said, "This has caught everyone by surprise. We were focusing on centralized data, we bought firewalls, intrusion detection systems, but we were forgetting about sneakernets … and at the end of the day that has become the next wave of security nightmares" (Sullivan, 2006).
Action is being taken by both organizations and manufacturers to protect endpoint security. Several vendors now offer advanced secure flash drives that require authentication, either biometric (such as a thumbprint) or a password, or both, a process known as two-factor authentication. Some devices, after a certain amount of failed password attempts, will erase the data. The higher-end drives, most of which still cost under $100, offer the current standard encryption, which is AES-256-bit (Schneider, 2008), a strength that even the National Security Agency announced was enough to protect classified information at the Top Secret level.
If a flash drive is not encrypted, inexpensive software is available to do the encryption. Centennial Software has developed a program called DeviceWall, which prevents information from passing through the USB port without managerial approval, and then only on select computers.
On the organizational end, many companies need to take further action to protect data devices. Some companies have banned the use of USB ports altogether. However, this can open the door to other problems. Vendors, for example, often want to remedy repairs via the USB port (Rogers, 2006). Other organizations, such as the state of Washington's Division of Child Support, use company- or government-owned flash drives exclusively on sanctioned computers and monitor the devices from a central location (Fonseca, 2008).
Columnist Kim Komando (2005) offers some basic but effective methods for protecting flash drives: Users should keep a close eye on their drives, be careful of viruses, and both encrypt and back up their data. Others also preach the gospel of encryption. Author Bob Sullivan (2006) says that encrypted company flash drives should be standard procedure.
Other possible strategies include formulating a "gadgets at the door" policy, which means prohibiting such devices from ever getting into secure areas. And then there's another rule of thumb offered up by Sullivan: "Data should never live longer than it is needed."
Of course, it's not always easy to know just how long some kinds of data are truly needed, so these types of guidelines have their drawbacks. Still, organizations should be thinking these matters through, especially when it comes to private and often sensitive personnel data.
Documents referenced in this TrendWatcher include the following:
Fonseca, B. (2008, March 24). Washington agency moves to plug flash drive security gap. Network World.
James, M. (2007, August 15). Theft compromises Idaho National Guard personal info. KTVB.
Komando, K. (2005, September 11). Take 4 steps to secure your thumb drive data. USA TODAY.
Murphy, E. (2008, January 30). Doctor loses flash drive with patient information. WCCO.
Noyes, K. (2007, June 15). Thieves boost info on 64,000 Ohio state workers. E-Commerce Times.
Rogers, J. (2006, December 5). Thumbs down on thumb drives. Dark Reading.
Schneider, I. (2008, March 1). 12 USB thumb drives keep your data secure. Information Week.
Stasiukonis, S. (2006, June 7). Social engineering, the USB way. Dark Reading.
"Study: SMBs Overconfident in Their Information Technology Security: Independent Research Commissioned by Websense Shows Disconnect Between Perceived and Actual Levels of Security Among Small to Medium Sized Businesses." (2007, August 27). PR Newswire.
Sullivan, B. (2006, April 13). Military thumb drives expose larger problem. Red Tape Chronicles.
Watson, P. (2006, April 25). Leaks of military files resume. Los Angeles Times.
They are flash drives and, even in our astonishing age of computers, the promise they exhibit is remarkable. Those who once had to use their chin to balance a briefcase on top of a cardboard box of documents while negotiating a flight of stairs can now transfer the same data from one computer to another with a device that many use as a keychain, a tactic known as a "sneakernet."
Few would argue their merit, but they can be catastrophic to a company's security. They are easy to steal, easy to steal with, and easy to misplace (Stasiukonis, 2006). These little devices have caused huge messes, sometimes related to private employee information.
There's the case of the flash drive that contained 3,000 sensitive files of Idaho National Guard personnel and was stolen from a car (James, 2007). Hundreds of flash drives - some with sensitive military information including data on U.S. soldiers, confidential informants and a manual describing pain techniques - were found for sale at the bazaar outside the Air Force Base in Bagram, Afghanistan (Watson, 2006).
In June 2007, a backup device was stolen from the unlocked car of an intern for the state of Ohio. It contained the names and Social Security numbers of every state employee. Fortunately, the device was encrypted. Nevertheless, Gov. Strickland has asked the Ohio Highway Patrol to lead the investigation to recover it.
In January 2008, Dr. Theodore Nagel lost the flash drive on which he backed up his computer. The information was of a particularly delicate nature; Dr. Nagel is a fertility specialist at the University of Minnesota's Reproductive Medicine Center, and the drive contained medical records of 3,100 patients. Despite the university's regulations, Dr. Nagel neither kept the files on an encrypted drive nor utilized password protection (Murphy, 2008).
Such things happen, and probably more often than is reported.
Devices such as flash drives, laptops, iPods, cell phones and Blackberries are known to computer security experts as "endpoint security." For years, billions of dollars have been spent on firewalls and developing methods to prevent hackers from compromising systems, but generally this technology will not prevent someone in a company or government agency from stealing untold gigabytes of data by simply plugging a flash drive into a USB port (Sullivan, 2006). According to the 2007 Small and Medium Business State of Security Survey of 450 IT managers and employees, only 20% had taken measures to block the use of USB devices on their computers ("Study: SMBs Overconfident," 2007). Larry Poneman, a privacy expert at The Poneman Institute, said, "This has caught everyone by surprise. We were focusing on centralized data, we bought firewalls, intrusion detection systems, but we were forgetting about sneakernets … and at the end of the day that has become the next wave of security nightmares" (Sullivan, 2006).
Action is being taken by both organizations and manufacturers to protect endpoint security. Several vendors now offer advanced secure flash drives that require authentication, either biometric (such as a thumbprint) or a password, or both, a process known as two-factor authentication. Some devices, after a certain amount of failed password attempts, will erase the data. The higher-end drives, most of which still cost under $100, offer the current standard encryption, which is AES-256-bit (Schneider, 2008), a strength that even the National Security Agency announced was enough to protect classified information at the Top Secret level.
If a flash drive is not encrypted, inexpensive software is available to do the encryption. Centennial Software has developed a program called DeviceWall, which prevents information from passing through the USB port without managerial approval, and then only on select computers.
On the organizational end, many companies need to take further action to protect data devices. Some companies have banned the use of USB ports altogether. However, this can open the door to other problems. Vendors, for example, often want to remedy repairs via the USB port (Rogers, 2006). Other organizations, such as the state of Washington's Division of Child Support, use company- or government-owned flash drives exclusively on sanctioned computers and monitor the devices from a central location (Fonseca, 2008).
Columnist Kim Komando (2005) offers some basic but effective methods for protecting flash drives: Users should keep a close eye on their drives, be careful of viruses, and both encrypt and back up their data. Others also preach the gospel of encryption. Author Bob Sullivan (2006) says that encrypted company flash drives should be standard procedure.
Other possible strategies include formulating a "gadgets at the door" policy, which means prohibiting such devices from ever getting into secure areas. And then there's another rule of thumb offered up by Sullivan: "Data should never live longer than it is needed."
Of course, it's not always easy to know just how long some kinds of data are truly needed, so these types of guidelines have their drawbacks. Still, organizations should be thinking these matters through, especially when it comes to private and often sensitive personnel data.
Documents referenced in this TrendWatcher include the following:
Fonseca, B. (2008, March 24). Washington agency moves to plug flash drive security gap. Network World.
James, M. (2007, August 15). Theft compromises Idaho National Guard personal info. KTVB.
Komando, K. (2005, September 11). Take 4 steps to secure your thumb drive data. USA TODAY.
Murphy, E. (2008, January 30). Doctor loses flash drive with patient information. WCCO.
Noyes, K. (2007, June 15). Thieves boost info on 64,000 Ohio state workers. E-Commerce Times.
Rogers, J. (2006, December 5). Thumbs down on thumb drives. Dark Reading.
Schneider, I. (2008, March 1). 12 USB thumb drives keep your data secure. Information Week.
Stasiukonis, S. (2006, June 7). Social engineering, the USB way. Dark Reading.
"Study: SMBs Overconfident in Their Information Technology Security: Independent Research Commissioned by Websense Shows Disconnect Between Perceived and Actual Levels of Security Among Small to Medium Sized Businesses." (2007, August 27). PR Newswire.
Sullivan, B. (2006, April 13). Military thumb drives expose larger problem. Red Tape Chronicles.
Watson, P. (2006, April 25). Leaks of military files resume. Los Angeles Times.