USB flash drives put proprietary data at risk

These devices, which are about the size of a lipstick tube, are easily transportable and can store a large amount of information. Because of their convenience, few people consider these devices to be a threat to an organization. But when organizations and their leadership begin to look more closely at the way these are used, they may change their opinion. The risks flash drives pose may warrant some preventative methods and tracking systems to prevent loss of proprietary information.

Convenient danger

A one gigabyte USB flash drive has the storage equivalent of 694 floppy disks. And a 16GB drive stores the equivalent of more than 10,000 floppy disks. This makes it easy to transfer large amounts of data from one location to another. But this is where the problem begins.

If businesses allow their employees to use these devices indiscriminately, what types of proprietary information is being moved to these devices? Financial data? Personnel records? Health care information? Client lists? Business plans? Research and development materials?

And where is this information being transported once it has been copied to a USB device? Is it now stored on a home computer where the organization that actually owns the data can no longer control its dissemination?

Or worse yet, has it been given to a competitor or the media?

USB flash drives are readily available, and once people recognize that a 1GB drive can be purchased for less than $20, and all new computers are built with USB ports installed, they begin to realize the possible threats these devices pose.

The threat to proprietary and confidential information is not the only risk flash drives present to an organization. It is possible to run applications on these devices, such as encryption programs, data destruction programs and file transfer programs.

Internet browser and e-mail applications have been developed for USB drives, which allow people to surf the Internet and send and receive e-mail without leaving any trace of their activities on the host computer.

Even more frightening is the fact that a hostile application, USB Hacksaw, has been written and can retrieve documents from USB drives plugged into targeted machines and transmit them to an e-mail account.

To make matters worse, USB flash drives are being created in a wide range of shapes and sizes – they can be embedded in pens, watches, pocket knives and stuffed animals. Some are shaped like a thumb or a piece of sushi, making it difficult to identify them, even if they are sitting on an employee’s desk.

Because these devices can be used to steal proprietary information and can be compromised by hostile applications, and because it is hard to identify unauthorized applications, organizations should start taking steps to control their use.

Preventing information loss

One step all organizations can take is to make sure employees have access to only the data they need to perform their job responsibilities. For example, a data-entry person should not have unrestricted access to financial information or product design materials.

Another simple step an organization can take is to tell employees they cannot remove proprietary information from the workplace. Such language can be added to the employee agreement and policies for acceptable computer use.

Organizations also can use software developed to allow them to control access to flash drives, CDs and DVDs. Two such products are DeviceWall from Centennial Software and DeviceLock from SmartLine Inc.

Companies also can use document lifecycle management applications, which can control files and track when they leave the firm’s immediate control. Restrictions can be added to documents to prevent editing, printing or forwarding of files. Expiration dates can be added to documents so that after a specified date, the documents can no longer be opened. Adobe Acrobat provides this functionality and several enterprise products exist, such as those offered by LiquidMachines or incorporated into products like EMC’s Documentum.

A free tool that provides an excellent example of these concepts is Informative Graphics Net-It Now! which can be downloaded from www.bravaviewer.com/

downloadreader.htm.

Organizations that have not implemented any controls over the use of USB devices should not panic. It is often possible to identify that an employee stole information through the use of computer forensics. Not only is it possible to identify what material was copied to a USB device, it is often possible to identify the make, model and serial number of the device that was used.

Regardless of where an organization stands in relation to threats posed by USB flash drives, leadership should keep in mind that the devices will become smaller and less expensive while their storage capacities will increase. Because of this, all organizations should begin to control how the drives are used in the workplace.

John R. Mallery is a managing consultant and member of the forensic and dispute consulting division of BKD LLP in Springfield. He may be reached at jmallery@bkd.com.[[In-content Ad]]