USB flash drive security
Secure USB flash drives protect the data stored on them from access by unauthorized users. USB flash drive products have been on the market since 2000, and their use is increasing exponentially. As both consumers and businesses have increased demand for these drives, manufacturers are producing faster devices with greater data storage.

An increasing number of portable devices are used in business, such as laptops, notebooks, universal serial bus (USB) flash drives, personal digital assistants (PDAs), advanced mobile phones and other mobile devices.

Companies in particular are at risk when sensitive data are stored on unsecured USB flash drives by employees, who use the devices to transport data outside the office. The consequences of losing drives loaded with such information can be significant, and include the loss of customer data, financial information, business plans and other confidential information, with the associated risk of reputation damage.

Major dangers of USB drives

The uncontrolled use of USB drives is a major danger since it represents a significant threat to information security and confidentiality.

Therefore, the following should be taken into consideration when securing USB drive assets:
  • Storage: USB flash drives are usually put in bags, backpacks, laptop cases, jackets, trouser pockets, or are left at unattended workstations.
  • Usage: tracking corporate data stored on personal flash drives is a significant challenge; the drives are small, common, and constantly moving. Many enterprises have strict management policies toward USB drives, and some companies ban them outright to minimize risk.


The average cost of a data breach from any source (not necessarily a flash drive) ranges from less than $100,000 to about $2.5 million.

A SanDisk survey characterized the data corporate end users most frequently copy:
  1. customer data (25 %)
  2. financial information (17 %)
  3. business plans (15 %)
  4. employee data (13 %)
  5. marketing plans (13 %)
  6. intellectual property (6 %)
  7. source code (6 %)


Examples of security breaches resulting from USB drives include:
  • In the UK:
    • HM Revenue & Customs lost personal details of 6,500 private pension holders

  • In the United States:
    • a USB drive was stolen with names, grades, and social security numbers of 6,500 former students
    • USB flash drives with US Army classified military information were up for sale at a bazaar outside Bagram, Afghanistan

Solutions

Since the security of the physical drive cannot be guaranteed without compromising the benefits of portability, security measures are primarily devoted to making the data on a compromised drive inaccessible. One common approach is to encrypt the data for storage, although other methods are possible.

Software

Software solutions such as FreeOTFE and TrueCrypt allow the contents of a USB drive to be encrypted automatically and transparently. Also, Windows 7 Enterprise and Ultimate Editions and Windows Server 2008 R2 provide USB drive encryption using BitLocker to Go. The Apple Computer Mac OS X operating system has provided software for disk data encryption since Mac OS X Panther was issued in 2003 (see also: Disk Utility).

Additional software on company computers may help track and minimize risk by recording the interactions between any USB drive and the computer and storing them in a centralized database.
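The kind of tracking described above, as an added example that is not part of the original article: it reads USB attach messages in the Linux kernel's log format, keeps only mass-storage devices, and records them in a database so that one drive can be followed across workstations. The host names, the serial number and the in-memory SQLite database standing in for the central store are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample: (host, kernel log line) pairs in the Linux kernel's USB message format.
SAMPLE_LOG = [
    ("ws-014", "usb 2-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00"),
    ("ws-014", "usb 2-1: SerialNumber: CONSTRUCTED0001"),
    ("ws-014", "usb-storage 2-1:1.0: USB Mass Storage device detected"),
    ("ws-014", "usb 2-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00"),
    ("ws-022", "usb 1-4: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00"),
    ("ws-022", "usb 1-4: SerialNumber: CONSTRUCTED0001"),
    ("ws-022", "usb-storage 1-4:1.0: USB Mass Storage device detected"),
]

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")

def record_storage_events(log, db):
    """Insert one row per mass-storage attach; other USB devices are ignored."""
    db.execute("CREATE TABLE IF NOT EXISTS usb_events"
               "(host TEXT, port TEXT, vendor TEXT, product TEXT, serial TEXT)")
    pending = {}  # (host, port) -> device details seen so far
    for host, line in log:
        if m := FOUND.search(line):
            pending[(host, m[1])] = {"vendor": m[2], "product": m[3], "serial": None}
        elif (m := SERIAL.search(line)) and (host, m[1]) in pending:
            pending[(host, m[1])]["serial"] = m[2]
        elif (m := STORAGE.search(line)) and (host, m[1]) in pending:
            d = pending.pop((host, m[1]))
            db.execute("INSERT INTO usb_events VALUES (?,?,?,?,?)",
                       (host, m[1], d["vendor"], d["product"], d["serial"]))
    db.commit()

def hosts_per_drive(db):
    """Map each drive serial to the sorted list of hosts it was plugged into."""
    rows = db.execute("SELECT serial, host FROM usb_events ORDER BY serial, host")
    out = {}
    for serial, host in rows:
        out.setdefault(serial, []).append(host)
    return out

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # stands in for the central database
    record_storage_events(SAMPLE_LOG, conn)
    print(hosts_per_drive(conn))
```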

Hardware

Some USB drives offer embedded hardware encryption, although these cost significantly more. Microchips within the USB drive carry out automatic transparent encryption.

Hardware systems may offer additional features, such as the ability to automatically overwrite the contents of the drive if the wrong password is entered more than a certain number of times. This type of functionality cannot be provided by a software system since the encrypted data can simply be copied from the drive. However, this form of hardware security can result in data loss if activated accidentally by legitimate users, and strong encryption algorithms essentially make such functionality redundant.
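The reasoning in the paragraph above, as an added toy model that is not from the original article: when the failed-attempt counter is stored with the data, restoring an earlier copy of the drive contents resets it, whereas a counter held inside the drive's controller is untouched by such a copy. The class names, the three-try threshold and the low PBKDF2 iteration count are assumptions chosen for illustration.

```python
import copy
import hashlib
import hmac
import os

MAX_TRIES = 3                      # assumed lockout threshold
PASSWORD = "correct horse"         # constructed sample password

def kdf(password, salt):
    # Toy iteration count so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

class Drive:
    def __init__(self, password):
        salt = os.urandom(16)
        self.storage = {"salt": salt, "check": kdf(password, salt)}  # copyable flash contents
        self.counter = self._counter_home()
        self.counter.update(failures=0, wiped=False)

    def unlock(self, password):
        if self.counter["wiped"]:
            return False
        if hmac.compare_digest(kdf(password, self.storage["salt"]), self.storage["check"]):
            self.counter["failures"] = 0
            return True
        self.counter["failures"] += 1
        self.counter["wiped"] = self.counter["failures"] >= MAX_TRIES
        return False

    def image(self):
        return copy.deepcopy(self.storage)      # what a raw copy of the drive captures

    def restore(self, image):
        self.storage = copy.deepcopy(image)
        self.counter = self._counter_home()

class SoftwareVolume(Drive):
    def _counter_home(self):
        return self.storage                     # counter is just more bytes on the flash

class HardwareDrive(Drive):
    def _counter_home(self):
        if not hasattr(self, "_controller"):
            self._controller = {}               # controller-internal state, never in an image
        return self._controller

def lockout_survives_restore(drive):
    """Exhaust the tries, restore a pre-lockout image, then try the right password."""
    snapshot = drive.image()
    for _ in range(MAX_TRIES):
        drive.unlock("wrong guess")
    drive.restore(snapshot)
    return not drive.unlock(PASSWORD)
```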

As the encryption keys used in hardware encryption are typically never stored in the computer's memory, technically hardware solutions are less subject to "cold boot" attacks than software-based systems. In reality however, "cold boot" attacks pose little (if any) threat, assuming basic, rudimentary, security precautions are taken with software-based systems.

Compromised systems

The security of encrypted flash drives is constantly tested by individual hackers as well as professional security firms. At times (as in January 2010), flash drives that had been positioned as secure were found to have a bug that could potentially give access to the data without knowledge of the correct password.

A few noteworthy solutions that could have been compromised in this way - though all subsequently fixed - include:
  • SanDisk Cruzer Enterprise
  • Kingston DataTraveler BlackBox
  • Verbatim Corporate Secure USB Flash Drive
  • Trek Technology ThumbDrive CRYPTO


The manufacturers of these products reacted immediately: three of the four companies made a patch available (Kingston offered affected users a replacement drive using a different security architecture) before the above became public. Customers were not at risk if they had applied the patch before their device was attacked.

Management

In commercial environments, where most secure USB drives are used, a central management system may provide IT organizations with an additional level of IT asset control. This can include initial user deployment and ongoing management, password recovery, data backup, and termination of any issued secure USB drive. Such management systems are available as software as a service (where Internet connectivity is allowed) or as behind-the-firewall solutions.

See also

  • Health Insurance Portability and Accountability Act (HIPAA) (Moving confidential data requires encryption.)
  • Aloaha
  • Cruzer Enterprise
  • Data remanence
  • IronKey
  • MXI Security
  • Kingston Technology


The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.