What are USB flash drive security best practices?

RELATED CONTENT Data protection How to detect if machines have been infected with Trojans, keyloggers Are iPhone encryption features on the way? How to protect employees' personal information and passwords What should be part of an employee termination checklist? Are there keylogger monitors that can effectively spot malware? Enterprise Data Storage Safend expands data leakage prevention product to plug more gaps TrueCrypt: How to get started with open source disk encryption Report: Firms avoid encrypting backup tapes, databases Encryption tips: How to secure a laptop The real reason behind backup recovery disk failures Infosec pros wake up to Excel spreadsheet security risks How to enforce an enterprise data leak prevention policy 3ami allows employers to track use of USB storage devices How to create a data classification policy EMC adds configuration management with Configuresoft acquisition

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

EXPERT RESPONSE FROM: Ken Munro Pose a Question Other Security UK Categories Meet all Security UK Experts Become an Expert for this site

ANSWERED May 2009:
Easy. Don't allow the use of USB devices :-)

More seriously; as mice and keyboards now invariably use USB interfaces, totally disabling USB ports is now impractical. And of course, USB sticks can be a very useful form of portable storage.

Instead, you need to implement proper USB flash drive security and device management so that you can control how the storage devices are used. Fortunately, many commercially available USB access control products allow you to define what types of USB device are permitted by which user.

The solutions let you apply granular access controls that restrict the use of USB ports. For example, you could allow regular staff to use USB keyboards and mice, but also prevent any use of USB hard drives, iPods, USB memory keys etc. -- in other words, the kind of device that could be used to pinch or copy data.

If USB use is required for a genuine business purpose, then consider having a process by which senior IT staff can write data to USB keys on controlled machines. Further ensure that only strongly encrypted USB keys are permissible for use, so the occasional, inevitable loss presents no significant issue.

Finally, keep an audit log of what's on which USB key. Ensure, too, they are returned to IT and wiped. Bold staff members who want to export the contents of your CRM can still do so if they follow the required process -- but at least you'll have a log of it.