NCSC CERTIFIED USB Flash Drive Security: ADISA CERTIFIED FOR SSD EAL2+ COMMON CRITERIA Best Practices

USB Flash Drive Security 101 Steps to Tighter USB Security 1. Educate employees about the risks of USB drives and require them to never plug in a USB USB Flash Drive Security: device that they are unsure about. We recommend the following steps to increase the security protocols when using USB drives: 2. Allow only software encrypted USB drives to be used to store and transfer company data. 1. Perform an audit on current USB devices in the organization. This can be done internally or outsourced to a specialized security firm if there’s a large inventory. Best Practices 3. Implement company software that only works with approved flash drives. 2. Scan network for removable media devices to determine where USB devices are used in the When thinking about a device that hackers are Discussing the Risks of Using Unknown Flash Drives organization. likely to compromise, a laptop or mobile phone 3. Create an encryption process for all removable devices and implement it. may come to mind. But one of the most Even if the intention was to look for evidence to return it to its rightful owner, plugging in an unknown 4. Require regular reporting to ensure safeguard policies are in place. common targets in the cyber hacking space is USB device and clicking on files poses several cyber security threats. Not only could a flash drive be When a USB device reaches its end of life cycle, clear all sensitive data before scrapping/re- often overlooked due to its tiny, manufactured to perform a scripted malware attack on the computer, it could even fry the computer 5. keychain-friendly size: a USB flash drive. port itself. cycling/donating.

USB flash drives are popular for easily storing and When educating employees about potential USB threats, the most important policy to drive home is Use WipeDrive for Privacy Protection transferring large amounts of data, which is exactly this: if you don’t know what’s in it, don’t use it. why they are such a hotspot for malicious entities. So Now that we’ve gone over the precautions of using a USB stick, don’t much so, that in 2008, the worst military breach in US The Encryption Advantage forget the final step of USB drive security. Simply tossing the device in the history occurred when a malware-containing USB flash drive infected a network and leaked trash is not enough to protect from data theft. If a USB drive is ready to sensitive information. Referred to as a “network administrator’s worst fear,” this cyber-attack was a Most IT professionals are well aware of the importance of be retired, make sure to use a secure media sanitization software to clear wakeup call for many professionals in the cyber security space.1 using encrypted devices. So it will come to no surprise that any remaining data. WipeDrive is the only data destruction solution USB flash drives should be included in this list. To ensure software that has been successfully evaluated to the EAL 2+ Standard. After the attack, widespread efforts were made to expose potential risks and protect against all USB drives in an organization are encrypted, there are The EAL 2+ certification is required by the US Department of Defense, several options: network intrusions associated with USB storage devices. But as new, even more damaging malware Department of State, and Homeland Security. Contact our Sales Team at continues to be developed, it is crucial to be as proactive as possible to protect information on a • Purchase hardware encrypted USB flash drives. (801) 224-8900 to learn more about WipeDrive. USB device from third-party access and from becoming a transport for malware. (Make sure the encryption standards meet NIST guidelines for encryption.) Examples of Thumb Drive Security Risks • Install encryption software on existing USB drives. • Use open-source encryptions programs. Many of these Much like a phishing scam that makes its way through an email contact list, a flash drive has the programs, including VeraCrypt, are highly secure and potential to spread malware from computer to computer without the original USB owner even HIPAA compliant, but do require additional steps. realizing. Here are other common ways in which USB flash drives become a security threat: • An employee plugging in an unknown USB drive into their computer Setting Up Windows Group Policies • A stolen or lost USB drive that ends up in the wrong hands One of the best ways to ensure employees are following best practices with USB drives is to utilize • An employee who leaves the organization and takes a USB drive with organization data Active Directory in Windows to create group policies that prevent or limit unrecognized hardware installations. Group policies can be created to flag new devices while still allowing approved devices. With how easy it is to leak sensitive information via USB drive, it’s understanding why many companies choose to ban USB drives altogether. But there’s no need to throw the baby out with Additional software can be installed to block the use of non-company-approved USB drives, such the bath water. With proper USB drive security best practices, organizations can enjoy the best of as VeraCrypt or BitLocker. Other software can block access to files in a USB drive if the drive is lost both worlds. or stolen.

Sources: 1. https://www.cnet.com/news/bad-flash-drive-caused-worst-u-s-military-breach/

www.WhiteCanyon.com | [email protected] | 1 (801) 224-8900 NCSC CERTIFIED USB Flash Drive Security: ADISA CERTIFIED FOR SSD EAL2+ COMMON CRITERIA Best Practices

USB Flash Drive Security 101 Steps to Tighter USB Security 1. Educate employees about the risks of USB drives and require them to never plug in a USB device that they are unsure about. We recommend the following steps to increase the security protocols when using USB drives: 2. Allow only software encrypted USB drives to be used to store and transfer company data. 1. Perform an audit on current USB devices in the organization. This can be done internally or outsourced to a specialized security firm if there’s a large inventory. 3. Implement company software that only works with approved flash drives. 2. Scan network for removable media devices to determine where USB devices are used in the Discussing the Risks of Using Unknown Flash Drives organization. 3. Create an encryption process for all removable devices and implement it. Even if the intention was to look for evidence to return it to its rightful owner, plugging in an unknown 4. Require regular reporting to ensure safeguard policies are in place. USB device and clicking on files poses several cyber security threats. Not only could a flash drive be When a USB device reaches its end of life cycle, clear all sensitive data before scrapping/re- manufactured to perform a scripted malware attack on the computer, it could even fry the computer 5. port itself. cycling/donating.

When educating employees about potential USB threats, the most important policy to drive home is Use WipeDrive for Privacy Protection this: if you don’t know what’s in it, don’t use it. Now that we’ve gone over the precautions of using a USB stick, don’t The Encryption Advantage forget the final step of USB drive security. Simply tossing the device in the trash is not enough to protect from data theft. If a USB drive is ready to Most IT professionals are well aware of the importance of be retired, make sure to use a secure media sanitization software to clear using encrypted devices. So it will come to no surprise that any remaining data. WipeDrive is the only data destruction solution USB flash drives should be included in this list. To ensure software that has been successfully evaluated to the EAL 2+ Standard. all USB drives in an organization are encrypted, there are The EAL 2+ certification is required by the US Department of Defense, several options: Department of State, and Homeland Security. Contact our Sales Team at • Purchase hardware encrypted USB flash drives. (801) 224-8900 to learn more about WipeDrive. (Make sure the encryption standards meet NIST guidelines for encryption.) • Install encryption software on existing USB drives. • Use open-source encryptions programs. Many of these programs, including VeraCrypt, are highly secure and HIPAA compliant, but do require additional steps.

Setting Up Windows Group Policies

One of the best ways to ensure employees are following best practices with USB drives is to utilize Active Directory in Windows to create group policies that prevent or limit unrecognized hardware installations. Group policies can be created to flag new devices while still allowing approved devices.

Additional software can be installed to block the use of non-company-approved USB drives, such as VeraCrypt or BitLocker. Other software can block access to files in a USB drive if the drive is lost or stolen.

Sources: 1. https://www.cnet.com/news/bad-flash-drive-caused-worst-u-s-military-breach/

www.WhiteCanyon.com | [email protected] | 1 (801) 224-8900 NCSC CERTIFIED USB Flash Drive Security: ADISA CERTIFIED FOR SSD EAL2+ COMMON CRITERIA Best Practices

USB Flash Drive Security 101 Steps to Tighter USB Security 1. Educate employees about the risks of USB drives and require them to never plug in a USB device that they are unsure about. We recommend the following steps to increase the security protocols when using USB drives: 2. Allow only software encrypted USB drives to be used to store and transfer company data. 1. Perform an audit on current USB devices in the organization. This can be done internally or outsourced to a specialized security firm if there’s a large inventory. 3. Implement company software that only works with approved flash drives. 2. Scan network for removable media devices to determine where USB devices are used in the Discussing the Risks of Using Unknown Flash Drives organization. 3. Create an encryption process for all removable devices and implement it. Even if the intention was to look for evidence to return it to its rightful owner, plugging in an unknown 4. Require regular reporting to ensure safeguard policies are in place. USB device and clicking on files poses several cyber security threats. Not only could a flash drive be When a USB device reaches its end of life cycle, clear all sensitive data before scrapping/re- manufactured to perform a scripted malware attack on the computer, it could even fry the computer 5. port itself. cycling/donating.

When educating employees about potential USB threats, the most important policy to drive home is Use WipeDrive for Privacy Protection this: if you don’t know what’s in it, don’t use it. Now that we’ve gone over the precautions of using a USB stick, don’t The Encryption Advantage forget the final step of USB drive security. Simply tossing the device in the trash is not enough to protect from data theft. If a USB drive is ready to Most IT professionals are well aware of the importance of be retired, make sure to use a secure media sanitization software to clear using encrypted devices. So it will come to no surprise that any remaining data. WipeDrive is the only data destruction solution USB flash drives should be included in this list. To ensure software that has been successfully evaluated to the EAL 2+ Standard. all USB drives in an organization are encrypted, there are The EAL 2+ certification is required by the US Department of Defense, several options: Department of State, and Homeland Security. Contact our Sales Team at • Purchase hardware encrypted USB flash drives. (801) 224-8900 to learn more about WipeDrive. (Make sure the encryption standards meet NIST guidelines for encryption.) • Install encryption software on existing USB drives. • Use open-source encryptions programs. Many of these programs, including VeraCrypt, are highly secure and HIPAA compliant, but do require additional steps.

Setting Up Windows Group Policies

One of the best ways to ensure employees are following best practices with USB drives is to utilize Active Directory in Windows to create group policies that prevent or limit unrecognized hardware installations. Group policies can be created to flag new devices while still allowing approved devices.

Additional software can be installed to block the use of non-company-approved USB drives, such as VeraCrypt or BitLocker. Other software can block access to files in a USB drive if the drive is lost or stolen.

Sources: 1. https://www.cnet.com/news/bad-flash-drive-caused-worst-u-s-military-breach/

www.WhiteCanyon.com | [email protected] | 1 (801) 224-8900