Yes, one USB drive can cause HAVOC

By Ruben Lugo of Kingston Technology

The wizardry one USB drive can cause and provide. Whether it’s accidentally lost, carelessly left behind or maliciously programmed and placed somewhere, it is sure to be found. A single USB drive has the potential to do some serious spoiling or add a layer of security outside the firewall if you have a standard or policy.

Ouch

USB drives have capacities ranging from a minuscule 256MB to a titanesque 2TB. Its portability and extremely easy ability to be connected to various networks make it super susceptible to being lost and breached. And that leads to the possibility of critical, important, classified, sensitive – pick any dire-sounding adjective of your choice – data landing in the hands of some not so well-meaning individuals.

Codependency of Cybersecurity &Physical Security

Security professionals face a number of issues with breached data. Due to the interrelated nature of cybersecurity and physical security, the failure of one directly impacts the other. A perfect example of this was the discovery in the fall of 2017 of an unencrypted USB flash drive in West London containing sensitive and secret information regarding Heathrow Airport.

The 76-folder/174-document drive detailed measures employed at Heathrow to protect the Queen, a timetable of security patrols, maps pinpointing CCTV cameras, the types of ID needed to access restricted areas, documentation of the ultrasound system used by Heathrow security to check perimeter fences and runways for breaches; and, a discussion regarding the type of threat the airport could face. Fortunately – by chance – an honest individual found it and gave it to the proper authorities. Unfortunately, this means a complete redesign of strategy, security details, and access rights. Not an easy task when the reality of the total scope is realized.

Security experts say a critical factor in the Heathrow incident was the USB drive’s lack of encryption. Blocking or prohibiting employees from ALL USB PORTS MAY NOT BE PRACTICAL AND MIGHT LOWER PRODUCTIVITY AS WELL AS LIMIT OVERALL WORK EFFICIENCY. A BETTER WAY, EXPERTS SAY, IS FOR COMPANIES AND ORGANIZATIONS TO INSIST EMPLOYEES use encrypted USB drives, by implementing a standard with a company policy which would combine the productivity advantages of allowing USB access while protecting the information at the same time.

A standard or company policy for USB devices extends cybersecurity beyond the firewall and helps manage the port which can be considered “endpoint security.” User access and priority to the ports can be assigned by employee or group profile, or can even be more granular by allowing access from only certain types of encrypted drives.

BYOD (Bring Your Own Device) has become a standard operating procedure at many companies and organizations. But all it takes is one unencrypted USB drive to negate the millions of dollars spent on cybersecurity. A workforce can stay efficient when threats are reduced and risks are managed by deploying self-contained encrypted USB drives.

And governments react

It stands to reason that sooner or later various government entities around the world would step in and initiate or strengthen cybersecurity regulations to protect data, whether it is inside the firewall or out. A common requirement is that data – both “at- rest” and “in-transit” − be encrypted. Two of note are the European Union’s General Data Protection Regulation (GDPR) and New York State’s 23NYCR500 cybersecurity requirements concerning financial services companies.

Replacing a 1995 directive, GDPR creates new safeguards and requirements to strengthen data protection rights for individuals within the EU. After a two-year phase-in period, a compliance deadline of May 25, 2018 marks completes implementation and strict enforcement for companies to comply. Noncompliance after that date can result in companies receiving astronomically high expensive fines. It is applicable to both EU and non-EU organizations, which process data of EU residents.

The New York regulation demands financial services companies protect customer information and related IT systems. It requires each company to assess its specific risk profile and design a program to address and manage its risks efficiently and timely. Thus, it must ensure the safety and soundness of the institution while also protecting customers’ personal information. It applies to every organization in New York state that processes corporate/personal data and took effect on February 15, 2018.

Hardware-based encryption

Secure, encrypted USB flash drives are an essential pillar of a comprehensive data loss prevention (DLP) strategy. Of these, the most effective are drives where the encryption is implemented in the device’s hardware in order to combat ever-evolving threats.

A USB drive with hardware-based encryption is an excellent, self-contained solution in protecting data from breaches, while also meeting evolving governmental regulations. They are an ideal solution for applications ranging from small-business owners to the military and all branches of government. Such devices that meet tough industry security standards offer the ultimate security in data protection to confidently manage threats and reduce risks.

Hardware-based encrypted USB drives are self-contained and don’t require a software element on the host computer. No software vulnerability eliminates the possibility of brute-force, sniffing, and memory hash attacks.

They have digitally signed firmware that cannot be altered as well as a physical layer of protection. These drives come epoxy-dipped as a fundamental while other options feature epoxy-filled cases that prevent access to physical memory. In contrast, a USB drive with software encryption uses software that runs on the host computer and has no physical layer of security making it extremely vulnerable to attacks.

Top-of-the-line hardware-based encrypted USB drives use AES 256-bit encryption in XTS mode. This ensures that anyone who finds such a drive cannot access the information, as the drive wipes itself clean after 10 attempts of a brute force attack or password guessing.

Hardware-based encryption requirements

• Self-contained and physically located on the encrypted drive
• The encrypted USB contains a random number generator to generate an encryption key, which the user’s password unlocks
• Increased performance by off-loading encryption from the host system
• Safeguard keys and critical security parameters within crypto-hardware
• Authentication takes place on the hardware
• Cost-effective in medium and larger application environments, easily scalable
• Does not require any type of driver installation or software installation on host PC
• Protects against the most common attacks, such as cold boot attacks, malicious code, brute force attack

In addition to the Heathrow Airport incident, below are a few other ‘lost’ USB flash drive events.

• In early 2016, St. Luke’s Cornwall Hospital (SLCH) in Cornwall, N.Y. suffered a potential healthcare data breach after a USB thumb drive was stolen from its facility. Potentially affected information included patient names, medical record numbers, dates of service, types of imaging service received, and administrative-type information used for internal business purposes. While Social Security numbers and electronic medical records were not included, the personal data of 29,156 individuals were allegedly affected.
• A 2016 research project conducted by Google, the University of Illinois Urbana-Champaign, and the University of Michigan randomly spread 297 unencrypted USB drives around the Urbana-Champaign campus. 290 of the drives (98 percent) were removed from their drop locations. Drives were plugged into finders’ computers within a median time of 6.9 hours. The researchers suspect that the ‘finders’ initially acted altruistically to try and find the drives’ owners, but their curiosity soon took over, as they proceeded to open other files, including one labeled “vacation photos.” Whatever their reason for opening the files, the study points out that individuals coming across an unattended USB drive will open it. If it is an unencrypted drive, the ‘loser of the drive’ risks having all manner of valuable data exposed, stolen, or lost for good.
• In July 2015, police in Brighton, Sussex England stumbled upon a stolen USB drive holding personal data of 13,000 customers of Barclays Bank. Authorities came upon it while arresting an individual for another matter. Information contained on the drive included names, dates of birth, addresses, occupation, salaries, debts, insurance policies, mortgages, and passport and national insurance numbers. It was feared that thieves may have made multiple copies of the sensitive files.
• In 2013, health-care provider Kaiser Permanente notified nearly 50,000 patients that a USB flash drive containing their personal data was missing. The flash drive contained the name, medical record number, date of birth, and medication of patients obtaining health care at the company’s Anaheim, California facility.
• In July 2013, U.S. Securities and Exchange Commission employees’ Social Security numbers were exposed after a former worker unwittingly downloaded sensitive human resources data to a thumb drive. The worker allegedly downloaded information inadvertently from agency personnel files that included employee names, birthdays, and Social Security numbers onto a USB drive before taking a new job with another federal agency.

About the Author

Ruben Lugo is the Strategic Product Marketing Manager for Kingston’s Encrypted USB line, including the globally respected IronKey, Enterprise SSD’s, NVMe solutions and Server Premier DRAM solutions for today’s high-performance servers. As a solution, technology and security enthusiast with over 18 years’ experience, Mr. Lugo leverages his unique expertise from the CE, AV and IT Networking industries. He’s contributed to the initiation of new trends in technology from launching the first reliable wireless high definition audio video distribution system to high-bandwidth fiber optic networking solutions.