- The Windows 2000\XP\.NET Resource Index

Last Updated December 10, 2003

USB Flash Drives: Useful Device or Security Threat?

USB Flash drives are pocket-sized, ultra-portable storage devices (about the size of a highlighter pen) that hold 8Mb - 1GB of data that can be instantly accessed from any PC with a USB port. The introduction of these devices into corporate networks offers users a convenient alternative to floppy disks and ZIP drives, but they also present a security challenge to network administrators. You don't have to be an administrator to use one of these devices in Windows 2000/XP, and you can't manage USB devices via Group Policy. Are USB Flash Drives a useful tool for sharing data, or a way for malicious users to bypass network security policies and put your data at risk?

An introduction to Flash Drives
If you're fed up with floppy drives, ZIP disks, and CD-Rs as a removable storage medium for transporting your files, you'll love USB Flash drives. Think of it as a floppy disk on steroids - except it's not a disk. Flash drives are small solid state memory sticks that are about the size of a highlighter pen and can hold anywhere from 1Mb to 1GB of data. They're incredibly lightweight, very portable (some models function as keychains) and they are compatible with any PC equipped with a USB port and running Windows 2000/XP, Mac OS 9-10X or Linux 2.4.17. (Windows 9x PCs require a one-time driver installation.) USB Flash Drives have fast transfer rates (1Mb/sec), no moving parts, and they don't require a separate power source or batteries. Just stick the flash drive into the USB port of your PC and Windows plug and play will immediately see it as an additional drive. Then copy the files you need to take with you, unplug the device from the PC and you're ready to go. Flash drives hold more data than a floppy, are more portable than ZIP drives and other remote storage devices, and are more convenient (and less fragile) than CD-RW disks. In short, USB Flash Drives may just be the perfect removable storage medium. And they're affordable. (Current prices range from $30 for a 16Mb module to $159.00 for 256Mb.)

Sony's MicroVault

The Upside
For users and administrators, USB Flash Drives have a thousand uses. You can transport large files with you to a colleague's or client's remote office and access the data without worrying about compatibility. Employees can take work home with them, or travel with just their data instead of lugging a laptop around. And unlike a CD-R disk, you can edit the document or data stored on the Flash Drive as many times as you like. Administrators and help desk personnel can use Flash Drives as a portable toolkit that includes recovery tools, drivers, system updates, and diagnostic utilities. You can also back up files (or a user's registry) to the Flash Drive before editing the live version. Because these devices have no moving parts, they're more durable than other forms of removable media in environments that produce a lot of dust or humidity. Our demo even survived a cycle in the laundry with the data intact!

The Dark Side
As Alfred Nobel found out, whatever can be used for good can also be used for evil. And in this case, the USB Flash Drive's small size and large storage capacity can make it a dangerous tool in the wrong hands. You don't have to be an administrator to install one of these devices in Windows 2000/XP, and you can't manage USB devices via Group Policy. These devices present two primary threats to your network: the introduction of malicious software and data theft/loss. And short of disabling all of the USB ports in your environment, they are impossible to defend against.

  • Viruses
    In the 1980s, floppy disks were the primary vector for spreading computer viruses because that is how most people shared data. In the late 80s and early 90s, Bulletin Board Systems (BBS) became the primary source for infections. After 1995, almost all new viruses were being spread via e-mail, or by sharing files over the web. Network administrators have been able to respond to this threat by installing antivirus software on their e-mail servers and restricting internet sites on their firewalls, but the use of USB Flash Drives can bypass these safeguards entirely. Users can either bring in infected documents from home, or take home a business document to an infected PC, update it, and return it to a corporate file server. Unless your antivirus policies are very aggressive, and you actively scan all files stored on your network, Flash Drives can present a new vector for computer viruses that is nearly impossible to defend against. Most antivirus software operates "reactively" to threats and can only identify viruses that have been previously identified. A virus writer could theoretically "seed" a corporate environment with a few of these devices preloaded with a new virus in the hopes that a curious user will pick one up and look at (open) the files on it, making your company ground zero for the next worldwide outbreak.
  • Malicious software
    In addition to viruses, users could bring in unauthorized software or data files from home that didn't previously fit on a floppy disk. This includes shareware programs, software pranks, MP3 files, video clips, pornography, and other inappropriate files that affect productivity and violate corporate policies. Even worse is the prospect of spyware or keystroke loggers that could enable users (or worse, hackers) to capture passwords or other sensitive information.
  • Data Theft
    Corporate espionage is a largely underreported problem in the United States and Europe, and your company doesn't have to be a defense contractor to be a target. Hackers, corporate spies, and disgruntled employees steal data every day, and in many cases these are crimes of opportunity. With a Flash Drive, an opportunity becomes any unattended and unlocked PC with a USB port. A little social engineering can give a hacker physical access to a corporate PC long enough to steal data, or plant spyware. Disgruntled employees can take home client lists, sales forecasts, or research data in a few minutes. (At 1Mb per second, a user can copy a 120Mb file to a flash drive in 2 minutes.)
  • Data Loss
    The portability of these USB Flash Drives also opens another door - the potential for lost data that could fall into the wrong hands. Most of these devices have little or no security features, and if you happen to lose your Flash Drive during your morning commute, anyone who picks up the device may be able to access data on it. These devices can also be quickly stolen off a desk, or "borrowed" and later returned to the office once the data has been copied. Vendors have begun responding to this problem by manufacturing Flash Drives with built-in security features. Sony's MicroVault comes with free software that allows you to create a password protected security zone that can protect up to 80% of the available space on the device. (We use the extra unsecured space to include a text file with our contact information in case the device is lost.) Trek's ThumbDrive Touch model integrates biometric security by including a fingerprint reader sensor that performs enrollment and verification of the user. DiskOnKey's Flash Drive features an ARM7 32bit processor that acts like a mini-PC and offers data encryption. All this security comes at a price - some of these devices are 2 to 10 times the price of a standard unsecured flash drive.

Trek's ThumbDrive Touch model with biometric fingerprint scanner

Protecting your Network
Restricting these devices in your environment will be next to impossible. USB Flash Drives are getting cheaper every day and will probably be in the $5 - $20 range in the next few years. Their small size allows for easy concealment anywhere on the body or in a bag. When held in the palm of our hand, we even managed to get our Sony MicroVault through a metal detector without incident. So what can you do about USB flash drive security?
  • Educate your users
    Flash Drives are already the "must have" toy for the gadget junkies, and as prices continue to fall, they'll probably become the premium corporate promotional giveaway of choice. You can't stop the tide, but you can educate your users early on as to the risks these devices can present, and establish a policy for taking data out of the office, or bringing files in from home. 
  • Educate your security personnel
    If your security guards caught an unauthorized person walking through your corporate offices, would they know what to look for? Flash Drives are so small and unobtrusive, they are easily concealed and could even slip by unnoticed in plain sight. The people in charge of physical security for your environment need to know what these devices look like, how they work, and what risks they present. You may also wish to consult your legal department as to the legalities of searching and seizing these devices if found.
  • Enforce the lock desktop policy 
    Many companies already configure their desktops to automatically lock when unattended for a few minutes, but often this interval is set anywhere from 10 - 20 minutes. In higher risk environments this should be 5 minutes or less. Yes, it's annoying and your users will hate it for the first few months, but it's essential for any workstation where a user account has access to sensitive data. 
  • Update the antivirus policy
    You should configure antivirus software to scan all attached drives and removable media, and get your users into the habit of scanning files before opening them.
  • Use only secure devices
    If your company issues these devices to employees or approves them for purchase, make sure you include devices with security features for users that have access to potentially sensitive data (accounting, payroll, legal, sales, R&D, etc.). Make sure to use encrypted USB drives for crucial data. Be sure to enforce the use of the security features in these devices and train your users if necessary.
  • Include return information
    In the event your flash drive is lost or misplaced, including a small readable text file that includes return information could help you get it back. You may want to consider NOT including your company name in the file, and simply refer to a phone number or P.O. Box. You may also want to include a legal disclaimer that clearly identifies the information on the drive as confidential and protected by law.
  • Restrict the USB ports on desktops
    You can't manage USB devices using Group Policy in Windows 2000/XP, but you can disable the USB ports or use a third-party tool called SecureNT. When disabling USB ports, you'll need to make sure any peripherals in use (such as keyboards, mice, PDAs, and scanners) use legacy ports instead of USB ports. In most corporate networks, printers are assigned to specialized network print servers and may not be an issue. A more feasible compromise would be to only lock out desktops that have access to sensitive data, or are in areas accessible to the public (e.g. a bank's branch office PCs should have USB ports disabled, but the secured corporate office is less of a risk). SecureWave's SecureNT software allows businesses to control end-user access to I/O devices such as the floppy drive, Memory-sticks, PDAs, USB external storage, CD-ROM, serial and parallel ports, as well as many other Plug and Play devices.
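
A narrower alternative to disabling whole USB ports, shown here as an added example that is not part of the original article: disable only the USB mass-storage driver, so USB keyboards and mice keep working, and list the USB storage devices a PC has already seen. It assumes the standard Windows USBSTOR registry keys (not named in the article) and PowerShell 3.0 or later, which is newer than the systems the article covers.

```powershell
# Added example: audit (and optionally disable) the USB mass-storage driver.
# Assumption: the USBSTOR service and Enum keys are standard Windows registry
# locations; they are not mentioned in the article itself.
param(
    [switch]$Disable   # pass -Disable to turn the driver off; default is audit only
)

$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$enumKey    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual (enabled)'; 4 = 'Disabled' }

# 1. Report the current start type of the USB storage driver.
$svc = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'USBSTOR service key not found; the driver may not be installed on this PC.'
} else {
    $start = [int]$svc.Start
    Write-Output ('USBSTOR Start = {0} ({1})' -f $start, $startNames[$start])
    if ($Disable -and $start -ne 4) {
        # Start = 4 stops the mass-storage driver from loading; other USB
        # device classes (keyboards, mice, printers) use different drivers.
        Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
        Write-Output 'USBSTOR Start set to 4 (Disabled).'
    }
}

# 2. List USB storage devices this PC has enumerated before (audit trail).
if (Test-Path $enumKey) {
    Get-ChildItem -Path $enumKey | ForEach-Object {
        $model = $_.PSChildName                      # vendor/product/revision string
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Model        = $model
                Instance     = $_.PSChildName        # usually the device serial number
                FriendlyName = $p.FriendlyName
            }
        }
    } | Format-Table -AutoSize
} else {
    Write-Output 'No USB storage device history found.'
}
```

Run it from an elevated prompt. Anyone with administrative rights can set the value back, so re-run the audit periodically on the desktops you have locked down.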

