Thumb drives are too often the victims of convenience

Maybe you've seen them after you've given a PowerPoint presentation when people hand you a thumb drive and ask for a copy of your electronic slides. Or maybe you own one or more of the thumb-size devices and find them convenient to transfer files from one computer to another at work or home.

USB flash drives, also known by many other names, seem to be everywhere ' and that's the problem. Last year, vendors sold 85 million of the drives, according to market research firm Gartner, but few of those buyers thought about the drives' security implications.

A drive consists of a rewritable memory chip and standard USB plug mounted in a plastic case the size of a small pack of chewing gum. People with malicious motives can use it to swipe sensitive data from government computers or to infect them with software viruses and other malware.

A big security risk that such devices pose made news in October when a contract employee for Los Alamos National Laboratory was caught taking home a USB flash drive containing classified government information, in violation of lab policy.

Other reports earlier this year described an incident that involved stolen U.S. military flash drives containing records about operations and individual soldiers. The drives were being sold at a street market in Bagram, Afghanistan.

Adopting policies that outline the proper use of flash drives ' or ban them ' is the first step in addressing the risks portable storage devices present. But as the Los Alamos incident showed, written policies alone won't stop a careless or dishonest person from jeopardizing government data.

Controlling what users can and can't do with the portable storage devices has to be part of any security solution, experts say. The good news is that agencies have several immediate options for closing dangerous security holes.

'There is a spectrum of actions that can occur that can take some, a lot or all of discretion away from individual end users,' said Bruce Brody, vice president of information assurance at CACI International. Brody previously held posts as chief information security officer at the departments of Veterans Affairs and Energy.

Unintended consequences
Like many IT security risks, those associated with USB flash drives stem from actions originally intended to make life easier for users.

Starting about seven years ago with its Windows 2000 operating system, Microsoft allowed users to plug generic mass storage devices, such as flash drives, into their PCs' USB ports. The operating system automatically recognized the drives, without the user needing to load extra software to read or write data to the drives.

USB flash drives grew in popularity, especially as their prices fell and their capacities surpassed those of traditional portable storage options such as floppy disks and rewritable CDs. A single USB flash drive can hold as much as 8G.

'We originally thought USB storage was a terrific idea because it got our users away from the horrible floppy, and it was very easy for them to use and for us to administer,' said Joe Gabanski, network administrator for Lake Forest, Ill.

However, the honeymoon didn't last long. 'We started seeing these things getting lost, which is potentially dangerous,' Gabanski said. 'And as [capacities] get larger and larger, we realize you can pull a lot of data in a relatively small amount of time. Not to mention that on the newer ones you can put [software programs], which is a potential significant issue for things coming in.'

So what can IT managers do to ensure that their agencies are not hurt by careless or dishonest use of such devices? They have several options.

No ports, no problems
The most immediate ' and drastic ' step an agency can take to mitigate risks with USB flash drives is to eliminate the mechanism that the devices use to physically connect and transfer data: a computer's USB ports. IT managers can disable the ports by using operating system commands, disconnecting the port's wires inside the computer's case or putting glue in the port to block physical access. Even if a person violates a written policy and sneaks a USB flash drive into work, the device would be useless.

That is the option Los Alamos officials chose with some of the lab's computers in the wake of the recent data security incident, said Kevin Roark, a lab spokesman.

'The goal was to disable, either by disconnecting or blocking or otherwise disabling these specific types of ports in a specific computing environment,' Roark said. Los Alamos coupled those actions with a new lab policy forbidding the use of USB flash drives and other types of portable storage devices until the lab finds a long-term security solution, he said. 

Another way to solve the USB security problem is by replacing traditional desktop computers with thin clients. Such a solution can be expensive because product acquisition and software reconfiguration costs are high, Brody said. Thin clients are stripped-down computing terminals that typically have no ports and rely instead on a central server for most processing and data handling tasks. 

'With thin client, when an individual comes to a work location, the only thing that person has access to is a keyboard, a monitor and a mouse,' Brody said. 'Everything else that controls computing is locked behind some central door in that facility, so there's no access to removeable media.'

Encryption's the key for some
Not everyone wants to put glue in USB ports or banish flash drives. The portable drives are popular because they are cheap, convenient and useful. And USB ports do more than hook up storage devices. They can connect a computer to a keyboard, a mouse, printers and other peripherals.

If agency managers want to keep USB ports open and allow employees to use flash drives, one option is to encrypt the data that goes on the portable storage devices, making lost or stolen devices useless. There are two main ways to do this: host-based or device-based encryption.

Host-based endpoint encryption products are available from many vendors, including Credant Technologies, GuardianEdge Technologies, PGP, Pointsec Mobile Technologies, SafeNet and others. Another company offers an open-source solution called TrueCrypt. Many of those companies support government-approved Advanced Encryption Standard (AES) and comply with Federal Information Processing Standards (FIPS) 140-2 for cryptographic modules and the international Common Criteria standard.

The solutions allow a laptop or desktop PC to encrypt data before it is written to an attached portable storage device, such as a USB flash drive. An administrator can configure the products so encryption policies are always enforced and users cannot circumvent the process.

This past summer, the VA quickly deployed a departmentwide endpoint encryption solution following a widely reported incident in May in which an employee brought home a laptop and portable storage device containing records on 26.5 million veterans and their families. VA officials installed encryption software on laptops, but they also plan to include portable storage media such as flash drives as part of a broader security plan.

The Agriculture Department, meanwhile, is soliciting quotes for an endpoint encryption solution that would include portable USB storage and require as many as 150,000 licenses.

Alternatively, encryption software can reside in a USB flash drive. A benefit of that approach is portability.  Users can plug the device into any computer that can run the flash drive's encryption software and have full access to its encryption and decryption capabilities, said Nate Cote, vice president of product management at Kanguru Solutions.

Last summer, the company's KanguruMicro Drive AES became the first USB flash drive to achieve FIPS 140-2 certification. Other companies offering flash drives with device-based encryption, though not necessarily FIPS certification, include Advanced Media, Kingston Technology, Lexar Media and SanDisk. Some of those companies also offer biometric drives, which use a fingerprint scanner built in to the flash drive to authorize access to encrypted data. Users do not have to remember passwords.

 Encryption capabilities increase a flash drive's cost. For example, Kanguru's list price for an encryption-enabled 1G flash drive is $99 compared with only $35 for its 1G model without encryption. All the company's products are available at a discount for volume orders, Cote said.

USB flash drives with built-in encryption or biometric sensors account for less than 10 percent of the market, but that will change as more enterprises understand the risks of unprotected drives, said Joseph Unsworth, a principal analyst at Gartner.

Such growing concerns prompted an IT official in New York last summer to prohibit his employees from using any unencrypted flash drives.

'Employees can only use state-issued thumb drives with encryption going forward,' said William Pelgrin, the director of the New York State Office of Cyber Security and Critical Infrastructure Coordination.

That directive also requires employees to bring in any older USB flash drives they have been using for state business. A security officer cleans the drives of all data and bans those drives from the workplace. 

Pelgrin said a statewide policy in New York based on similar rules and procedures will go into effect in the first quarter of 2007.

Port control
Encryption is a good way to safeguard data from prying eyes if a flash drive is lost or stolen. But what if you can't trust all employees with unsupervised access to a high-capacity, portable storage device? Insider data thefts happen often.

Endpoint control software might be the desired solution. Software from companies such as Msystems ' which SanDisk now owns ' Safend and SecureWave help administrators enforce the secure use of desktop and laptop PCs and the portable storage devices that connect to them through USB and other ports.

'Our approach is to focus on enabling what you want to occur and disabling or preventing those things that you do not want to occur,' said Dee Liebenstein, director of product management at SecureWave. 

So, for example, IT managers could use the software to give only certain employees permission to write data to only certain types of USB flash drives, perhaps those that the organization issued and that support encryption. Any nonapproved drives would be denied access to the system.

Some endpoint control products also provide an audit trail on user activity. That audit information could help managers assess the risk to data if a particular portable storage device is lost or stolen.

The need to track how, where and by whom flash drives are used is why Lake Forest, Ill., deployed SecureWave's Sanctuary Device Control software last summer on more than 300 of its desktop, laptop and tablet computers. Gabanski said the first step was to identify the specific USB flash drives that would be authorized to work with city computers and to begin keeping records of how people used those drives.  

'This was a quick and easy way for us to get a control on things,' Gabanski said.