• United States
by John Bumgarner and M. E. Kabay

Gone in a flash, Part 2

Oct 30, 20033 mins

* First steps in countering the threat posed by USB flash drives

In the last column, security expert John Bumgarner and I looked at the potential for data leakage introduced through the use of portable USB flash drives.

To counter the threats presented by USB flash drives, organizations need to act now. They need to establish a policy that outlines acceptable use of these devices within their enterprises.

* Organizations should provide awareness training to their employees to point out the security risk posed by these USB flash drives.

* The policy should require prior approval for the right to use such a device on the corporate network.

* Encrypting sensitive data on these highly portable drives should be mandatory because they are so easy to lose.

* The policy should also require that the devices contain a plaintext file with a contact name, address, phone number, e-mail address and acquisition number to aid an honest person in returning a found device to its owner. On the other hand, such identification on unencrypted drives will give a dishonest person information that increases the value of the lost information – a bit like labeling a key ring with one’s name and address.

* Physical security personnel should be trained to identify these devices when conducting security inspections of inbound and outbound equipment and briefcases.

Unfortunately, the last measure is doomed to failure in the face of any concerted effort to deceive the guards because the devices can easily be secreted in purses or pockets, kept on a string around the neck, or otherwise concealed in places where security guards are unlikely to look (unless security is so high that strip-searches are allowed). That doesn’t mean that the guards shouldn’t be trained, just that one should be clear on the limitations of the mechanisms that ordinary organizations are likely to be able to put into place.

Administrators for high-security systems may have to disable USB ports altogether. However, if such ports are necessary for normal functioning (as is increasingly true), perhaps administrators will have to put physical protection on those ports to prevent unauthorized disconnection of connected devices and unauthorized connection of flash drives.

Without appropriate security, these days your control over stored data may be gone in a flash.

Guest author John Bumgarner is President of Cyber Watch, Inc., a security consulting firm based in Charlotte, N.C. John has a rich background in national security and international intelligence and security work. He can be reached at