The Simple Things Part Four – Removable Media
Everywhere you look in today's media, in the infosec industry and the mainstream press alike, there is yet another case of X thousand records being lost on a memory stick by one organisation or another, and the trend seems to be getting worse. This is either because people are getting more careless (possibly) or because the media is getting better at reporting it (probably). Either way, the brand and reputational damage alone is significant for any company, whatever its size.
There are two elements to this that are worth exploring:
Firstly, the prevalence of USB sticks is part of the problem: they have become a simple commodity. They are on sale in newsagents, supermarkets and petrol stations, and they live in people's pockets, on their key rings and in handbags. As a result it has become entirely natural to share files, photographs and anything else using them, and that familiarity has drifted into the workplace, especially when they are handed out at trade shows and demanded from IT departments. The problem is that the typical stick has no protection at all, not even basic encryption, and that has become acceptable to the average person in the street.
Secondly, the media has found the “loss” of data a rich source of column inches to help sell newspapers. The ironic part, however, is that in many cases when you read the back half of the story, away from the headline, it transpires that the memory stick was in fact encrypted and would take the collective might of at least North Korea five years to break into.
So we have a dichotomy: a prevalence of unencrypted memory sticks in the marketplace, and the resulting tendency to assume that all memory sticks are insecure and to report them as such.
The solution in a BYOS environment is simple: only buy encrypted memory sticks! It only needs to be a one-time investment (my personal preference is the IronKey), and relegate all of your old memory sticks to the bin (or your favourite computer recycling facility, of course). If cost is an issue (and hardware-encrypted sticks are more expensive), then use something like TrueCrypt (www.truecrypt.org) to encrypt your existing sticks, and be sure to keep using it. TrueCrypt even has a portable ("traveller disk") mode that allows the executable to reside on a small unencrypted partition of the drive so that the encrypted volume can be opened on other systems; note that on Windows this still needs administrator rights on the host machine to load the TrueCrypt driver, so it is no help on a locked-down PC. Whichever option you choose, the point is the same: if the stick is lost, the data on it is unreadable without the passphrase or key.
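Whether a stick was bought pre-encrypted or encrypted afterwards with a software container, it is worth being able to check that the encryption is really in place before the stick leaves the building. The script below is an added example, not code from the original post or from any of the tools mentioned in it. It relies on two facts: a plain FAT/NTFS/exFAT stick starts with a boot sector that has recognisable structure (an x86 jump opcode, an "FAT32"/"NTFS"/"EXFAT" marker and the 0x55AA signature at offset 510), whereas a TrueCrypt-style container deliberately has no plaintext header and its first sectors are indistinguishable from random bytes, so they score close to 8 bits of entropy per byte. The two sample images it classifies are constructed in memory; the device path in the usage note is an assumption.

```python
"""
Heuristic check for removable media: plaintext filesystem, or encrypted
(random-looking) container?  Added example; the sample images below are
constructed in memory and are not real dumps of any device.
"""
import hashlib
import math
import sys
from collections import Counter

SECTOR = 512
HEAD_SECTORS = 8          # how many leading sectors to score for entropy

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) over the buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def plaintext_fs_markers(sector0: bytes) -> list:
    """Names of the plaintext filesystem markers found in sector 0."""
    markers = []
    if len(sector0) < SECTOR:
        return markers
    if sector0[510:512] == b"\x55\xaa":
        markers.append("boot-signature-55AA")
    if sector0[0] in (0xEB, 0xE9):          # x86 JMP short / JMP near at byte 0
        markers.append("x86-jump")
    for magic, name in ((b"FAT32", "FAT32"), (b"FAT16", "FAT16"), (b"FAT12", "FAT12"),
                        (b"NTFS    ", "NTFS"), (b"EXFAT   ", "exFAT")):
        if magic in sector0[:SECTOR]:
            markers.append(name)
    return markers

def classify(image: bytes, entropy_threshold: float = 7.5) -> dict:
    """Score the leading sectors of an image and return a verdict.

    "plaintext-filesystem" needs the 0x55AA signature plus at least one more
    marker, so a single unlucky random byte cannot trigger it on its own.
    """
    ent = shannon_entropy(image[:HEAD_SECTORS * SECTOR])
    markers = plaintext_fs_markers(image[:SECTOR])
    if "boot-signature-55AA" in markers and len(markers) >= 2:
        verdict = "plaintext-filesystem"
    elif ent >= entropy_threshold:
        verdict = "encrypted-or-random"    # encrypted container, or e.g. compressed data
    else:
        verdict = "low-entropy-unknown"    # blank/zeroed media, or unrecognised format
    return {"entropy": round(ent, 2), "markers": markers, "verdict": verdict}

# ---- constructed sample images (not real media dumps) -----------------------

def make_fat32_image(size: int = 64 * 1024) -> bytes:
    """Constructed: a minimal FAT32-style boot sector followed by zeros."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"                 # JMP short + NOP, as mkfs writes it
    bs[3:11] = b"MSWIN4.1"                    # OEM name
    bs[11:13] = (512).to_bytes(2, "little")   # bytes per sector
    bs[82:90] = b"FAT32   "                   # filesystem type string
    bs[510:512] = b"\x55\xAA"                 # boot sector signature
    return bytes(bs) + b"\x00" * (size - SECTOR)

def make_random_image(size: int = 64 * 1024, seed: bytes = b"example-seed") -> bytes:
    """Constructed: deterministic pseudo-random bytes standing in for an
    encrypted container (a real container would use a CSPRNG and a cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumed usage: python check_media.py /dev/sdb1  (needs read access)
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], classify(fh.read(HEAD_SECTORS * SECTOR)))
    else:
        print("constructed FAT32 stick :", classify(make_fat32_image()))
        print("constructed encrypted  :", classify(make_random_image()))
        print("zeroed media           :", classify(b"\x00" * (HEAD_SECTORS * SECTOR)))
```

Run it against each partition of the stick rather than the whole device: a stick prepared with the portable mode described above legitimately has a small plaintext partition carrying the TrueCrypt executable and a second partition that should come back as "encrypted-or-random". A "plaintext-filesystem" verdict on the partition that is supposed to hold the data means the container was never created or was not used. The entropy test is only a heuristic: a stick full of zipped or JPEG files also scores high, so the check proves the absence of a plaintext filesystem, not the presence of good encryption.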
By making a habit of only ever using encrypted portable media, we all move one step closer to the concept of BYOS.