USB drive security best practices and processes

RELATED CONTENT Endpoint and NAC Protection Considering two-factor authentication? Do cost, risk analysis Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Voice data security risks on the rise, say experts The value of booting from a VHD in Windows 7 Thin-client technologies surge thanks to easier security, says Deloitte A closer look at Internet Explorer 8 security features First step in forensics: Create a bootable Windows environment CD Protecting enterprise networks from new mobile application downloads Four things to remember about server virtualization security concerns College learns lessons in choosing the right NAC appliance

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Computer Misuse Act 1990  (SearchSecurityUK.com) Regulation of Investigatory Powers Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

EXPERT RESPONSE FROM: Neil O'Connor Pose a Question Other Security UK Categories Meet all Security UK Experts Become an Expert for this site

ANSWERED January 2010:

I'm assuming here that the issue that you are trying to address is the use of unapproved USB devices and the threats they introduce to your environment. In summary the threats are:

• Importing a Trojan or unauthorised software via USB stick, leading to a loss of service.
  
• Importing copyrighted material (typically music or videos), breaching copyright and using up resources.
  
• Theft of company information by downloading onto a USB device.
  
• Downloading information onto a USB device and subsequently losing that device, leading to a disclosure of sensitive information and potential reputational damage.

There are a number of well-established products in the market geared toward ensuring USB drive security. In choosing a product, consider the following questions:

• Do you want to control and audit devices, or do you also want to be able to encrypt them using the same product? Some products will allow you to do both.How easy is it to centrally manage USB device permissions?
  
• Do you want to prevent unauthorised devices, or just receive an alert when an unauthorised device is introduced?

The answers to these questions will depend on the risk to your organisation and the procedures that will work for you. In my experience, it can be difficult to persuade businesses to adopt a complete lockdown of USB devices, particularly senior managers using iPhones (yes, these too are USB devices). So select a tool that offers the flexibility to manage exceptions if you cannot implement a strict policy, as is often the case.