The ease of use, portability, and convenience of USB drives have been proven to increase productivity. However, a BYOD (bring your own device) policy is a critical threat to any organization, even more so to law enforcement since most of these drives are unencrypted. These can pose a significant security risk to an agency when anything more valuable than public data is stored. Any loss of personally identifiable information (PII) can necessitate a legally required process involving forensic investigation, determining if a breach of PII data occurred, and notification of entities about a potential breach.
USB drives’ extreme portability means they are very susceptible to being lost, accessed, or misappropriated. When that happens, there is a reasonably good chance that data stored on the device will end up in the wrong hands, thus risking the privacy and security of users, companies, and government organizations.
Best practices and what to look for
The safest, most reliable means to store and transfer personal, classified, sensitive data is to have a company policy of standardizing the use of hardware-based encrypted USB drives. Cybersecurity experts agree that the use of an encrypted USB flash drive is the most effective means for keeping confidential information what it was intended to be—confidential.
When you weigh the costs and consequences of a data breach, whether from losing a drive, forgetting it somewhere, or having it stolen, against the low purchase price of a non-encrypted drive, it is clear that an encrypted drive is the most cost-efficient way to manage threats and reduce risks. The minimal investment in encrypted USB drives costs far less than risking a potential data breach, exposure, damage to your department’s reputation, and enormous possible fines.
Hardware vs Software Encryption.
USB drive encryption can be done either through the device’s hardware or through software. A hardware-centric, software-free encryption approach to data security is the best defense against data loss, as it eliminates the most commonly used attack methods such as brute-force, sniffing, firmware hijacking, and memory hash attacks, because the security is self-contained inside the drive. Since hardware-encrypted drives come encrypted right out of the box, users just have to set a password and are good to go. This provides the ultimate convenience and ensures quick and easy deployment. The same software-free method also provides broad compatibility with most operating systems and with embedded equipment possessing a USB port.
Software-based encrypted drives are designed differently. They share a computer’s resources with other programs, which means the encryption/decryption is not done on the USB drive, as with hardware encryption, but through a software program on the host device. To access the data, that program must be run on the computer to decrypt it. Because of this computer-based encryption process, the USB drives themselves are vulnerable and can be susceptible to the attacks mentioned above. In some cases, there are compatibility issues with older operating systems that may make the data inaccessible. Since software encryption requires the encryption software to be installed on each drive manually, it can cause inconvenience and deployment delays.
FIPS Certification.
FIPS certification is an indication that the encryption on the USB drive is very robust. The Federal Information Processing Standards (FIPS) are U.S. government standards for information technology and computer security. The FIPS program is run by the National Institute of Standards and Technology (NIST). NIST FIPS 140 is the cryptography standard program required by the U.S. federal government for the protection of sensitive data. All products using cryptography in use by civilian and military U.S. federal agencies must comply with FIPS 140. The current FIPS version is 140-2.
Obtaining FIPS 140 validation requires a rigorous testing process by an accredited testing laboratory. The results are then reviewed by NIST, which issues a FIPS 140 validation certificate. FIPS 140-2 Level 3 means that the drive meets all the encryption requirements and additionally is tamper-evident and tamper-proof.
TAA Compliance
Depending on the types of work and the other federal agencies that your department interfaces with, TAA compliance may be required for your USB drives. The Trade Agreements Act (TAA) (19 U.S.C. §§ 2501-2581) was created in 1979 and requires that the U.S. Government (including GSA) acquire only U.S.-made or certain “designated country” end products.
USB drives can be covered by this legislation, meaning USBs must be either manufactured or “substantially transformed” in the U.S. or a TAA-compliant country.
How to implement an effective policy
You have purchased encrypted USB drives for your department. What are the next steps?
Training & Education.
Education should always be the first line of defense and explaining the different threat scenarios associated with USB drives may go a long way toward modifying bad USB usage behaviors. All departments have training programs, and data/cybersecurity should be an ongoing part of these programs. All new and current employees should be trained as part of your company’s orientation and ongoing training. Establish a training program that educates employees on acceptable and unacceptable use of USB drives and the dangers of using BYOD items. Take users through actual breach incidents and other negative consequences that occur when using non-encrypted USBs.
Establish & Enforce USB Drive Policies.
Your organization should institute policies for the proper use of electronic portable storage media. Here are three steps to begin the process.
- Identify the individuals and groups that need to access and/or download sensitive and confidential data on encrypted USB drives, then set a policy that grants them access.
- Document the policies for your IT team and end-users.
- Mandate that everyone attends training and signs an agreement after training acknowledging the acceptable-use policies and the implications of not following the guidelines.
If you don’t have the right policies in place, USB drives can potentially be the downfall of your data security strategy. Setting a policy is the first step and an incredibly important one.
Manage Authorized USB Drives and Block Unapproved Devices.
Implementing a USB usage strategy ensures that only approved USB devices can be used in sensitive environments. This can be achieved through endpoint security software (whitelisting/blacklisting USB drives within your departments) or by enforcing a written policy agreement. If you do not manage authorized drives, sensitive data can be copied onto unauthorized devices and shared with outsiders, which opens the possibility that your department could be the next statistic for data loss or theft.
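As an added illustration of the whitelisting step above (this is example code written for this page, not Kingston’s or any endpoint product’s software), the script below audits USB enumeration messages in the style of the Linux kernel log against an allowlist of department-issued drives. The sample log lines, vendor/product IDs and serial numbers are constructed, and the allowlist is keyed on the serial number as well as the model so that a privately bought drive of the same model is still flagged.

```python
import re

# Constructed sample log in the style of the Linux kernel's USB enumeration
# messages (dmesg). All vendor/product IDs and serial numbers are made up.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: DataTraveler 3.0
usb 1-1: Manufacturer: Kingston
usb 1-1: SerialNumber: DT3-000123
usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
usb 1-2: SerialNumber: PERSONAL-1
usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb 2-1: SerialNumber: DT3-000987
"""

# Department-issued drives, keyed by (vendor ID, product ID, serial number).
# Keying on the serial as well as the model matters: a same-model drive bought
# privately must not pass just because it shares vendor and product IDs.
ALLOWLIST = {("0951", "1666", "DT3-000123")}

FOUND_RE = re.compile(
    r"^usb (?P<port>\S+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"^usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)$")

def parse_devices(log):
    """Collect vendor/product/serial per USB port from enumeration lines."""
    devices = {}
    for line in log.splitlines():
        m = FOUND_RE.match(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "serial": None}
            continue
        m = SERIAL_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["serial"] = m["serial"]
    return devices

def audit(log, allowlist=ALLOWLIST):
    """Return {port: 'allowed' | 'unapproved'} for every enumerated device."""
    verdicts = {}
    for port, d in parse_devices(log).items():
        key = (d["vid"], d["pid"], d["serial"])
        # A device that never reported a serial is treated as unapproved.
        verdicts[port] = "allowed" if key in allowlist else "unapproved"
    return verdicts
```

Device-reported identifiers can be spoofed by a malicious device, so an audit like this complements, rather than replaces, the endpoint enforcement and signed policy agreement described above.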
Data security and consumer privacy are not only concerns for businesses but for law enforcement as well. Identifying cost-effective ways to mitigate the risk is paramount as cybercriminals become more sophisticated and department resources are stretched. Whenever someone has to transport departmental or other sensitive data, it needs to be stored on encrypted USB drives to mitigate the risk of a data breach, data loss, and liability. In the case of law enforcement, exposing sensitive data or evidence may jeopardize ongoing investigations and require an investigation into the USB drive loss itself.
Hardware-encrypted drives can be an inexpensive solution. When lost, these drives allow whoever finds them only a set number of consecutive wrong password attempts. Once that limit is reached, the drive wipes out its encryption key and the encrypted data can no longer be retrieved. When such drives are lost, it is reasonable to assume that a breach has not occurred, and no forensics and no notifications will be required. That is peace of mind.
Richard Kanadjian | Business Manager of Kingston Technology’s Encrypted USB Unit
Richard Kanadjian is currently the Business Manager of Kingston Technology’s Encrypted USB unit. He joined Kingston in 1994 and has served the company in a variety of roles for both the Flash and DRAM divisions. Among his many positions, Mr. Kanadjian was a field applications engineer in the company’s strategic OEM division, where he helped build relationships with leading PC and chipset manufacturers. Prior to his current role, Mr. Kanadjian was part of the SSD product engineering department helping develop and support Kingston’s enterprise SSDs on both a technical and customer level.