By Greg Cornfield (05 May 2008)
Recently, in a medical clinic in Hong Kong, a USB drive containing the personal data of 665 patients went missing. The daily papers and the TV news headlines reported that the USB drive was stolen. Perhaps the focus should have been on why someone was carrying around the private data of 665 patients on an unencrypted USB drive.
The moral of this story is: Do not load - or allow anyone else in your organization to load - any private, personal or important data onto an unprotected USB drive.
If you still don't think there is a risk, consider this:
77% of corporate end users use personal flash drives for work-related purposes, but, when asked to estimate what percentage of the workforce uses personal flash drives, corporate IT respondents reckoned that only 35% did.
In a US-based study in April 2008, storage company SanDisk discovered that:
* 25% of people used flash drives to hold customer records
* 17% used them to hold financial information
* 15% used them to hold business plans
* 13% used them to hold employee records
* 13% used them to hold marketing plans
* 6% used them to hold intellectual property
* 6% used them to hold source code
The survey suggests that the portability of USB flash drives presents a significant risk of data loss.
Approximately 12% of corporate end users reported finding a flash drive in a public place. And when asked to pick the three most likely actions they would take if they found a flash drive in a public place, 55% said they would check out what was on it.
This is of particular concern considering that, during a security audit in June 2006 at a financial organization in the US, several USB drives were left in places where they would be easily found, such as the employee car park. The drives were loaded with a trojan horse. In every case where an employee found one of these USB drives, the first thing they did was plug it into their PC as soon as they got to their desk.
And sure enough, all the PCs that were infected with the trojan immediately started emailing confidential information back to the company running the audit!
What are the risks?
The primary risks associated with USB memory sticks can be identified as:
* Loss of media - The device is physically small and can easily be misplaced.
* Virus transmission - Data sharing opens up an avenue for viruses to propagate.
* Data corruption - Corruption can occur if the drive is not unmounted cleanly.
* Loss of confidentiality - Data on the lost physical media can be obtained by others.
* Loss of data integrity - If data is updated on the USB drive, how do you ensure it is also updated on the live version of the data that should be maintained on a secure server? And how do you ensure the data on the USB drive is the latest version?
Even if you use a USB drive with built-in hardware encryption you would still have the risks of virus transmission, possible corruption of data and loss of data integrity.
So what is the better solution?
* Preferably do not keep any private, personal or confidential data on a USB drive. If you have to, make sure it is encrypted and read-only.
* Protect your PC by disabling the USB ports. Depending on the hardware and system software there are several ways to do this. The solutions are readily available on the Web.
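One way to check that USB storage really is disabled, shown as an added example that is not part of the original article, which names no particular method: it assumes a Linux host where the USB storage driver is the loadable module `usb-storage` configured through a modprobe.d-style directory, and the function name `usb_storage_policy` is hypothetical. It distinguishes a `blacklist` entry, which only stops automatic loading when a drive is plugged in, from an `install` override, which also stops an explicit `modprobe`.

```shell
#!/bin/sh
# Added example: audit a modprobe.d-style directory for the usb-storage policy.
# Prints one of:
#   blocked         an "install usb-storage /bin/true|false" override exists
#   blacklist-only  only "blacklist usb-storage" (manual modprobe still works)
#   enabled         no restriction found
usb_storage_policy() {
    dir=${1:-/etc/modprobe.d}
    verdict=enabled
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue            # glob matched nothing
        # "|| [ -n "$kw" ]" keeps a final line that lacks a trailing newline
        while read -r kw mod cmd rest || [ -n "$kw" ]; do
            case $kw in '#'*) continue ;; esac
            # modprobe treats '-' and '_' in module names as equivalent
            case $mod in usb-storage|usb_storage) ;; *) continue ;; esac
            case $kw in
                install)
                    case $cmd in
                        /bin/true|/bin/false|/usr/bin/true|/usr/bin/false)
                            verdict=blocked ;;
                    esac ;;
                blacklist)
                    [ "$verdict" = blocked ] || verdict=blacklist-only ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$verdict"
}

# Demo on constructed sample configuration (not taken from a real host)
demo=$(mktemp -d)
printf 'blacklist usb-storage\n' > "$demo/10-usb.conf"
echo "blacklist only:        $(usb_storage_policy "$demo")"
printf 'install usb_storage /bin/false\n' > "$demo/20-usb.conf"
echo "with install override: $(usb_storage_policy "$demo")"
rm -rf "$demo"
```

These settings have no effect if the driver is built into the kernel or is already loaded, so the check is a configuration audit rather than proof that the ports are dead.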
It would be inordinately more difficult for someone to “steal” your confidential data if some simple, basic but sensible precautions are taken.