In-depth

Sticking security where the sun don't shine

Davey isn't a big fan of USB sticks. And, from a security standpoint, it's easy to see why.


COMMENT: I was somewhat saddened to learn that security vendor Sophos had purchased a job lot of USB sticks from a lost property auction and discovered that security is still not a priority for, well, pretty much anyone it seems.

OK, first things first: let's get out of the way the fact that the lost property auction in question was in Australia and the sticks in question were lost on a public transport system. I mention this as you may argue that there's a huge difference between the average consumer approach to securing data on these thumb drives and the average enterprise-level security strategy employed. My response is that, sadly, far too many enterprise employees are carrying, and losing, such devices complete with unencrypted data for me to agree with you.

Indeed, from the largest enterprises - NHS data disasters anyone? - to the smallest of SMEs, when it comes to USB thumb drives it would appear that security is being stuck where the sun doesn't shine.

Quite apart from the small point that nobody needs to be carrying data around in their pockets on a device so vulnerable to loss or theft when much more secure alternatives for transporting data exist, to do so without encrypting that device, and the data upon it, is tantamount to ITSec suicide.

Despite all of that, the Sophos study found that 100 per cent of the 50 lost USB sticks it purchased through the auction system contained unencrypted data. What's more, the researchers also found that 66 per cent contained malware.

Now, given that many employees seem quite happy to throw a bit of data onto a thumb drive to take work home with them, either in breach of existing security policies or because no security procedures relating to the transport of data via mobile devices exist, one has to assume that malware being introduced to the corporate network via such a device is a real possibility. Yet another reason why, I would suggest, it is time to start taking USB sticks very seriously indeed.

Whenever I am asked about the subject, I always return the same three questions:

1. What data are you thinking of moving around like this?

2. What encryption methods are you thinking of using?

3. What on earth are you thinking?

The last one usually catches people by surprise, as they often haven't considered that the very same employees thinking about dumping data insecurely onto a thumb drive have a smartphone in their pocket, or a netbook in their bag, which could happily connect to a very secure VPN and grab the data from there without creating the same huge potential security hole.

Sure, USB sticks are cheap but in terms of security they are also pretty nasty. I'd rather see them included in a list of NOT ALLOWED ITEMS in an acceptable use policy document and confiscated on sight if spotted in the workplace. I admit this is unlikely to happen, so it usually ends up coming back to question number two and exploring the lack of encryption.

But it isn't just the encryption, or lack of, that's a problem. The management of these devices is also at fault. If your employees are going to use thumb drives no matter what, and sometimes it pays to be practical about such things, then much better they do so with your approval and under your control. By which I mean some kind of system which enables central management of the devices in terms of device auditing and data encryption as well as the ability to remotely wipe them clean of all data if lost or stolen.

If you are a large enterprise (other than the NHS, experience would suggest) then you probably already have something capable of doing this, and if not then you will surely have the budget to buy one in. At the smaller end of the enterprise equation, where the USB stick problem is most obvious, cost is an issue that is always thrown in my face when talking about security. Luckily, there are some reasonably low-cost solutions available which I have covered before for sister title PC Pro and are worth a look.

I'd still be happier if everyone took my "stick it where the sun don't shine" advice and did away with the problem of USB thumb drives altogether though...
