In-depth

Sticking security where the sun don't shine

Davey isn't a big fan of USB sticks. And, from a security standpoint, it's easy to see why.

COMMENT: I was somewhat saddened to learn that security vendor Sophos had purchased a job lot of USB sticks from a lost property auction and discovered that security is still not a priority for, well, pretty much anyone it seems.

OK, first things first, let's get out of the way the fact that the lost property auction in question was in Australia and the sticks in question were lost on a public transport system. I mention this as you may argue that there's a huge difference between the average consumer approach to securing data on these thumb drives and the average enterprise-level security strategy employed. My response is that, sadly, far too many enterprise employees are carrying, and losing, such devices complete with unencrypted data for me to agree with you.

Indeed, from the largest enterprises - NHS data disasters anyone? - to the smallest of SMEs, when it comes to USB thumb drives it would appear that security is being stuck where the sun doesn't shine.

Quite apart from the small point that nobody needs to be carrying data around in their pockets on a device so vulnerable to loss or theft when much more secure alternatives for transporting data exist, to do so without encrypting that device, and the data upon it, is tantamount to ITSec suicide.

Despite all of that, the Sophos study found that 100 per cent of the 50 lost USB sticks it purchased through the auction system contained unencrypted data. What's more, the researchers also found that 66 per cent contained malware.

Now, given that many employees seem quite happy to throw a bit of data onto a thumb drive to take work home with them, either in breach of existing security policies or because no such security procedures relating to the transport of data via mobile devices exist, one has to assume that malware being introduced to the corporate network via such a device is a real possibility. Yet another reason why, I would suggest, it is time to start taking USB sticks very seriously indeed.

Whenever I am asked about the subject, I always return the same three questions:

1. What data are you thinking of moving around like this?

2. What encryption methods are you thinking of using?

3. What on earth are you thinking?

The last one usually catches people by surprise, as they often haven't considered that the very same employees thinking about dumping data insecurely onto a thumb drive have a smartphone in their pocket, or a netbook in their bag, which could happily connect to a very secure VPN and grab the data from there without creating the same huge potential security hole.

Sure, USB sticks are cheap but in terms of security they are also pretty nasty. I'd rather see them included in a list of NOT ALLOWED ITEMS in an acceptable use policy document and confiscated on sight if spotted in the workplace. I admit this is unlikely to happen, so it usually ends up coming back to question number two and exploring the lack of encryption.

But it isn't just the encryption, or lack of, that's a problem. The management of these devices is also at fault. If your employees are going to use thumb drives no matter what, and sometimes it pays to be practical about such things, then much better they do so with your approval and under your control. By which I mean some kind of system which enables central management of the devices in terms of device auditing and data encryption as well as the ability to remotely wipe them clean of all data if lost or stolen.

If you are a large enterprise (other than the NHS, experience would suggest) then you probably already have something capable of doing this, and if not then you will surely have the budget to buy one in. At the smaller end of the enterprise equation, where the USB stick problem is most obvious, cost is an issue that is always thrown in my face when talking about security. Luckily, there are some reasonably low-cost solutions available which I have covered before for sister title PC Pro and are worth a look.

I'd still be happier if everyone took my "stick it where the sun don't shine" advice and did away with the problem of USB thumb drives altogether though...
