Wednesday, April 23, 2008

Brainstorming the Risks Posed by USB Data Sticks – Recommendations to Improve Security

The proliferation of USB data sticks presents formidable problems for information security, and many information security managers have declared it their number one concern. Furthermore, fewer than 20% of companies have effective safeguards in place.

The threats are significant. Not only could an ill-intentioned employee escape with the entire corporate “crown jewels” on a single USB data stick, but these devices have become the third most prevalent source of virus transfers, behind websites and emails. Furthermore, a number of organisations have recently suffered damage to their reputation when data sticks containing personal ID-related information have been lost.

Delegates attending this week’s Security Management and Coordination Course have produced a set of procedures which they believe, if followed, will significantly reduce the risks presented by these devices. Their suggestions are as follows:

1. There should be a policy which forbids employees from bringing personal USB flash drives onto site.

2. Those issued with laptops should undertake not to use personal, or other users’, USB devices in their laptops – especially if those users are from outside the company.

3. Companies should use enterprise-wide software to manage access to all USB ports. This should be extended to laptops when not physically connected to the corporate network.

4. Companies should issue USB flash drives to users on the basis of need. These should be engraved, serial numbered and accounted for.

5. There should be destruction procedures for all old devices.

6. The capacity of devices should not exceed that which is consistent with operational requirements. Excess capacity should be blocked by special software.

7. Software should be used to block the types of files transferable to the devices. Databases and .xls files, for example, should be blocked from transfer as a matter of course.

8. Devices should have password or biometric access as standard.

9. Devices should offer encryption, preferably “on the fly” by default.

10. There should be loss reporting and “damage limitation” procedures.

11. When not in use, devices should be secured.

12. The network should be able to detect, and raise an alarm in real time, when somebody attempts to use an unauthorised USB device in a controlled port.

13. Consideration should be given to RFID tracking of devices when on site.

14. There should be spot checks on authorised users to ensure compliance.

15. There should be “sheep dip” procedures on a spot-check or demand basis for users who take devices off site.
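
Recommendations 4 and 12 work together: a register of issued, serial-numbered devices gives the monitoring system something to compare against when a device is plugged in. The following is an added example, not part of the original post; it assumes Linux hosts whose kernel log is collected centrally, and the register contents, serial numbers and log lines are constructed for illustration.

```python
import re

# Constructed asset register (recommendation 4): device serial -> holder.
ISSUED = {"4C530001234567890123": "j.smith"}

# Constructed sample lines in the Linux kernel log format for USB enumeration.
SAMPLE_LOG = """\
[ 101.10] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 101.11] usb 1-2: SerialNumber: 4C530001234567890123
[ 101.12] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 245.30] usb 1-3: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[ 245.31] usb 1-3: SerialNumber: AA00000000000489
[ 245.32] usb-storage 1-3:1.0: USB Mass Storage device detected
[ 300.00] usb 1-4: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 300.02] usb-storage 1-4:1.0: USB Mass Storage device detected
[ 410.00] usb 1-5: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[ 410.01] usb 1-5: SerialNumber: KB-0001
"""

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage ([^:\s]+):\S+: USB Mass Storage device detected")


def unauthorised_storage(log_text, issued):
    """Return one alert per mass-storage attach whose serial is not in the register."""
    ports, alerts = {}, []
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            # New enumeration on this port: discard the previous device's serial.
            ports[m.group(1)] = {"vid_pid": f"{m.group(2)}:{m.group(3)}", "serial": None}
        elif m := SERIAL.search(line):
            ports.setdefault(m.group(1), {"vid_pid": None, "serial": None})["serial"] = m.group(2)
        elif m := STORAGE.search(line):
            dev = ports.get(m.group(1), {"vid_pid": None, "serial": None})
            # A device reporting no serial cannot be matched to the register: alert.
            if dev["serial"] not in issued:
                alerts.append({"port": m.group(1), **dev})
    return alerts


if __name__ == "__main__":
    for alert in unauthorised_storage(SAMPLE_LOG, ISSUED):
        print("ALERT unauthorised USB storage:", alert)
```

A USB serial number is reported by the device itself and can be duplicated, so a match against the register supports the spot checks in recommendation 14 rather than replacing them.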

If you have more suggestions, please contact us!