Defining and Enforcing a USB Drive Security Policy

USB drives present one of the most well-known, but least mitigated security threats in every day business and government operations. Their low cost and convenience, coupled with the difficulty in preventing their use, tends to create a “uh, yeah, I know it’s dangerous but, so what?” attitude among users. Sort of like driving without a seat belt. You know you could easily get killed or maimed in an accident, and all it would take to save yourself is a seatbelt, but oh, whatever… It doesn’t have to be this way.

The USB Drive Threat

The cyber threat from USB drives is multi-dimensional. They can be vectors of attack, bringing malware into endpoints. They can also be vehicles of data theft. USB drives also tend to get lost easily, potentially letting sensitive information out onto the street, literally.

The October, 2017 incident involving a lost USB stick at London’s Heathrow Airport provides a telling (and chilling) example of risk exposure from unencrypted portable memory devices. A member of the public found the USB stick on the sidewalk. When he opened the contents, he found detailed maps of the airport, including locations of security camera. The drive also contained secret information about the Queen’s route to the airport, security patrols and so forth. One could imagine the risk exposure if this data got into the wrong hands. And, perhaps it did. It’s impossible to know.

Regulations Governing USB Drive Use

Recognizing the cyber risk posed by USB memory drives, the US government has developed guidelines for their secure use. The Department of Defense (DoD) mandates that its vendors comply with controls specified in the NIST SP 800-171 publication. In particular, section 3.1.20 states “Limit use of organization portable storage devices on external systems.” Section 3.1.19 offers a related control, stating, “Encrypt CUI on mobile devices and mobile computing platforms.”

These controls are necessary for security in the government. Indeed, some of the worst security breaches affecting the government were performed through misuse of USB drives, e.g. Snowden and Manning. The issue that CISOs needs to confront, however, is how to define and enforce workable policies that actually implement these types of controls. Adherence to frameworks like NIST 800-171 can be uneven, especially in day-to-day business involving laptops and other loosely managed endpoints.

Elements of a USB Drive Security Policy

Devising a practical and effective security policy for USB drives—and making it work—requires taking a number of distinct steps. It may be possible to have a USB policy without these elements, but they make it a lot easier. An encrypted USB drive is a minimum. Kingston, for example, offers USB drives with encryption that meets FIPS guidelines. Thus, they are eligible for use in US government work.

Kingston drives are also made in the United States. Given that malware can be installed at the factory, foreign-made USB drives should be avoided in any sensitive data environment. It is naïve to assume otherwise.

An encrypted USB drive is a vital element of an information security policy governing USB drive use. It will largely mitigate the risk of data loss through theft of misplacement of the thumb drive. Yet, merely issuing encrypted drives is not enough to enable a robust security posture. “Think about this scenario,” said Kingston’s Ruben Lugo. “You could carefully issue encrypted thumb drives to employees but still leave itself exposed to data loss through use of unencrypted drives and unprotected USB ports on end points. In effect, you’ve locked the front door but left the back door open.”

Ruben Lugo

According to Lugo, effective policy definition and enforcement for USB drives requires a broader system of control over USB ports and drives in general. “It’s not realistic to remove or switch off all USB ports on all endpoints,” said Lugo. “It’s been tried. It failed. Either you won’t actually be able to find all of them, or you’ll push people into workarounds that are even less secure, like emailing files to home accounts.”

Instead, Lugo recommends an approach taken by many of Kingston’s large customers and government agency clients. Kingston makes possible a range of controls on USB drive use through its own management tools as well as those available through partners. Such management solutions give admins the ability to define and enforce USB port usage in general. For instance, the solution could facilitate and verify the installation of USB “kill utilities” that deny access to any USB drive that is not “white listed.” This control dramatically reduces the risk of data loss through unauthorized USB sticks.

Management solutions can also establish granular controls over individual users and their respective end points. “We can shut off your encrypted drive if your employment is terminated,” said Lugo. “You don’t have to be there. This way, we can avoid the next Heathrow moment.”