USB Drive Security Best Practices
In our increasingly digital world, USB drives remain a convenient way to transport and store data. However, the use of these devices in corporate networks introduces several security concerns.
This blog post will cover USB security best practices to equip you with the knowledge to safeguard your company's valuable information against the security risks of removable media devices such as flash drives.
What Are Removable Media Devices?
“[Removable media is a] portable device that can be connected to an information system (IS), computer, or network to provide data storage. These devices interface with the IS through processing chips and may load driver software, presenting a greater security risk to the IS than non-device media, such as optical discs or flash memory cards. Portable Storage Devices also include memory cards that have additional functions aside from standard data storage and encrypted data storage, such as built-in Wi-Fi connectivity and global positioning system (GPS) reception.” – National Institute of Standards and Technology (NIST)
Removable media devices, also known as portable storage devices, consist of a variety of compact devices that can connect to another device to transmit data from one system to another.
The following are examples of removable media:
- USB portable storage devices (“Jump Drive”, “Data Stick”, “Thumb Drive”, “Flash Drive”, etc.)
- SDHC, SDXC & SD cards
- External hard drives and external solid-state drives
- R/W Compact Disk or DVD media
- Mobile devices such as tablets, smart devices, cameras, and portable media that support a data storage function such as player-type devices with internal flash or hard drive-based memory.
- eSATA (External Serial Advanced Technology Attachment) devices
- Floppy disks
Why Are USB Flash Drives So Dangerous?
USB flash drives, those ubiquitous thumb-sized data carriers, offer undeniable convenience. But their portability and ease of use come with a hidden cost: security vulnerabilities. In today's digital world, where sensitive information can be easily accessed, understanding the dangers of USB flash drives is critical.
Easily Lost & Stolen
The small size of USB thumb drives makes them easy to transport, but also easy to lose or steal. This drawback increases the risk of data loss, leaks, and breaches, which come at a significant cost to organizations.
For example, a senior systems control engineer at the Sellafield nuclear plant was fired after she dropped USB sticks containing sensitive information in a car park. After further investigation, it was found that the employee downloaded unencrypted sensitive data onto her personally owned USB drive, which poses a significant risk to nuclear safety, the threat of terrorism, and overall national security.
In the Sellafield incident, the employee also used their personal storage device on both their personal computer and computers owned by the nuclear plant, risking the introduction of malware into highly sensitive systems.
Data Security Risks
Data loss, leakage, and breaches can have serious consequences, depending on the nature of the information lost. It can lead to financial losses, productivity issues, legal problems, and even the closure of business operations.
Employee Data Theft & Data Leakage
A 2018 study from cybersecurity software company McAfee found that USB drives are the number one data exfiltration vector in European and Asia-Pacific countries.
This is of little surprise; portable storage devices are, after all, portable, and thus easy to conceal and hard to detect.
These devices can store terabytes of data, making them capable of storing millions of database records, spreadsheets, and other proprietary information. So long as there's an available port, data can be readily exfiltrated, leading to a serious data breach.
This is of special concern when an employee leaves an organization and takes confidential information with them. With unrestricted access to USB ports, a soon-to-be-ex-employee can easily transfer data to a USB stick on the way out.
Blocking USB access limits the potential insider threat risks when someone leaves an organization and takes confidential information with them unknowingly or intentionally.
Data Loss
Nobody should ever trust portable storage devices to be the only copy of important data.
USB drives are at a greater risk of physical damage and corruption than a standard SSD or hard drive that spends most of its life stationary in a computer. As discussed before, their small stature makes them far too easy to misplace or steal.
If the only (or most recent) copy of important data is on a portable storage device, it's at a far greater risk of being lost due to hardware failures and physical loss of the device.
Malware Distribution
USB devices can be used to transmit malware or even cause physical damage to hardware. Devices such as the USB Killer, a niche device designed to look like a flash drive, damage sensitive electrical components with rapid charge/discharge cycles when inserted into a USB port.
Threat actors can use USB devices to stealthily infect computers with malware by executing a “payload” when the USB device is connected. The payload is malicious software designed to perform a set of malicious functions, such as leaking sensitive data, installing spyware to stealthily monitor user activity, deleting or corrupting files, or executing a command to install other malware onto the now-compromised system.
Even seemingly innocuous Microsoft Office and PDF files can be used to deliver malware!
- Malicious Macros in Office Files
  - Attackers often embed malicious macros (small scripts) within Office files (e.g., Word documents).
  - When a user opens the file and enables macros, the script runs, allowing the malware to execute.
  - To protect against this, disable macros by default in Office programs.
- PDFs with Embedded Malware
  - PDFs can contain links or attachments that lead to malicious websites or files.
  - Upon user interaction (e.g., clicking a link), the PDF may download a payload (malware) from the internet.
  - Users should be cautious when opening PDFs from unknown sources.
- Polyglot Files
  - Attackers use polyglots, files that are valid in two different formats at once, to deceive victims and file-type filters.
  - For example, a file can appear as a .PDF but actually contain a Word document.
  - In one instance, a .PDF hosted a Word document with a VBS macro that downloaded MSI malware when opened in Microsoft Word.
Piracy & Shadow IT
A failed software compliance audit can cost your organization as much as $150,000 in fines per violation. Your corporate risk management strategy needs to include preventative measures against piracy in the workplace.
Here's how unmanaged USB devices pose piracy risks:
- Ease of Transfer: USB drives allow for easy transfer of large files, including copyrighted software. Employees with unauthorized software on their personal USBs can introduce it to company computers, violating licensing agreements and exposing the company to legal repercussions.
- Software Sharing: Pirated software can be easily shared between colleagues through USBs. This can lead to the use of unlicensed software throughout the company, increasing the risk of audits and fines.
Pirated software is one of many examples of shadow IT. Shadow IT, also known as Stealth IT, Client IT, or Fake IT, is any system, solution, or software that an organization's employees use without the knowledge and approval of their IT department.
Shadow IT poses a distinct cybersecurity threat because the technologies involved are not managed by IT, so the risks they introduce to corporate data are neither identified nor mitigated.
- Unapproved Applications: Employees might use USBs to install unauthorized applications on company computers. These applications could have security vulnerabilities or compatibility issues, creating a risk to the company's network.
- Data Exfiltration: Shadow IT often involves transferring sensitive data to personal USB drives. This data could be accidentally lost or stolen, leading to a data breach.
- Bypassing Security Measures: Some USBs come with pre-loaded software that can bypass security measures on company computers. This can allow unauthorized access to sensitive data or the introduction of malware.
How to Mitigate the Risks of Removable Media
This section will cover the USB drive security best practices your organization needs to implement to mitigate the risks of removable media when a more secure alternative data transfer method isn't readily available or practical.
For the best results, implement a defense-in-depth approach that utilizes multiple layers of security controls to safeguard information systems and data. With an appropriate mix of physical, technical, and administrative security controls, you can better protect against data security threats.
Monitor & Restrict USB Devices With Data Loss Prevention Software
Monitoring data flow is crucial for detecting malicious or negligent insider threats, particularly when users with access to sensitive data have access to removable media.
CurrentWare's file transfer monitoring software AccessPatrol helps mitigate the risks of removable media by providing several functionalities:
- USB Blocking: AccessPatrol can completely block removable media devices like USB drives, external hard drives, and SD cards from being used on computers. This prevents data from being physically transferred out of the system.
- File Transfer Monitoring: It monitors file activity and can generate alerts whenever someone tries to transfer sensitive data to removable media. This allows IT personnel to investigate suspicious activity promptly.
- Policy Enforcement: AccessPatrol allows you to set up policies for what types of files can be transferred and by whom. For example, you can block the transfer of files with specific extensions (like .doc or .pdf) or keywords in the filename.
- Detection of Renamed Files: It uses file signatures to identify the original file type even if renamed with a different extension. This prevents users from bypassing DLP policies by simply changing the file format.
By combining these features, AccessPatrol makes it significantly more difficult for unauthorized users to steal sensitive data through removable media. It also gives IT better visibility and control over data movement within the organization.
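The two detection ideas above, recognising a file by its signature rather than its extension and spotting a polyglot that hides a second document format inside a PDF, can be demonstrated with a small checker. This is an added example written for this post, not AccessPatrol's or CurrentWare's code; the signature table, the `assess` function and the sample byte strings are all constructed here.

```python
"""Added example (not AccessPatrol's or CurrentWare's code): identify a
file's real type from its leading "magic bytes" so that a renamed file is
still recognised, and flag PDF/Office polyglots that carry a second
document signature inside the body. All sample files are constructed
inline and are not real documents."""
import io
import os
import zipfile
from typing import Dict, List, Optional

# Leading byte signatures for the document types the post discusses.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls compound file
    b"PK\x03\x04": "zip",                         # .docx/.xlsx/.pptx are zip containers
    b"MZ": "exe",                                 # Windows executables and DLLs
}

# What each extension claims to be; anything else maps to None (unknown).
EXTENSION_TO_TYPE = {
    ".pdf": "pdf", ".doc": "ole", ".xls": "ole", ".ppt": "ole",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".zip": "zip",
    ".exe": "exe", ".dll": "exe",
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the type implied by the file header, ignoring the extension."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def embedded_types(data: bytes, header_type: Optional[str]) -> List[str]:
    """Signatures found past the header that differ from the header's type.
    Two-byte signatures (MZ) are skipped here: they occur by chance too often."""
    found = []
    for magic, kind in SIGNATURES.items():
        if len(magic) < 4 or kind == header_type:
            continue
        if data.find(magic, len(magic)) != -1:
            found.append(kind)
    return sorted(found)


def assess(filename: str, data: bytes) -> Dict[str, object]:
    """Compare what the extension claims with what the content shows."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TO_TYPE.get(ext)
    actual = detect_type(data)
    findings = []
    if actual is not None and claimed != actual:
        findings.append(f"content is {actual} but extension {ext or '(none)'} claims "
                        f"{claimed or 'an unrecognised type'}")
    if claimed is not None and actual is None:
        findings.append(f"extension {ext} claims {claimed} but no known signature found")
    hidden = embedded_types(data, actual)
    if hidden:
        findings.append(f"polyglot: {actual or 'unknown'} header with embedded {', '.join(hidden)}")
    return {"file": filename, "claimed": claimed, "actual": actual, "findings": findings}


def assess_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for a file on disk (reads the whole file)."""
    with open(path, "rb") as fh:
        return assess(os.path.basename(path), fh.read())


def build_samples() -> Dict[str, bytes]:
    """Constructed test inputs: minimal byte strings, not real documents."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    ole_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    polyglot_pdf = (b"%PDF-1.7\n1 0 obj\n<< /Type /EmbeddedFile >>\nstream\n"
                    + ole_header + b"\nendstream\nendobj\n%%EOF\n")
    return {
        "report.docx": docx.getvalue(),        # legitimate Office container
        "budget.txt": docx.getvalue(),         # same container renamed to dodge an extension filter
        "invoice.pdf": polyglot_pdf,           # PDF header wrapping a legacy Word document
        "notes.txt": b"Plain text notes.\n",  # benign, no signature at all
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        result = assess(name, blob)
        flag = "!!" if result["findings"] else "OK"
        print(flag, name, "->", result["actual"], "; ".join(result["findings"]))
```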
Case Study
Viking Yachts Stops an Employee From Stealing Their Intellectual Property
As Viking Yachts grew, their network administrator Vincent Pecoreno was responsible for supporting over 530 users and 1500 devices across multiple geographic locations, making visibility a challenge without the right tools in place.
Once equipped with CurrentWare's user activity monitoring and data loss prevention solutions, Viking Yachts had the insights they needed to protect their sensitive data.
Read their case study to learn more about how Vincent used CurrentWare to detect a data theft attempt from a soon-to-be-ex-employee.
Use Read-Only Mode
Ensuring that connected USB devices are forced into read-only mode prevents modifications from being made by users who connect unauthorized storage media such as CDs, DVDs, and flash drives to their workstations.
- Restricted Data Modification: With Read-Only Mode enabled, users can access files on the removable media device but cannot modify them. This means they can't copy data from the computer to the device or make any changes to existing files on the device.
- Prevents Accidental Data Loss: Read-Only Mode helps prevent accidental deletion or modification of sensitive data on the removable media. This can be helpful in situations where authorized users need to access data from the device but shouldn't be able to alter it unintentionally.
- Mitigates Malware Risks: In some cases, malware might attempt to copy itself onto removable media to spread to other computers. Read-Only Mode can prevent this by stopping the malware from writing to the device.
You can ensure that USB storage devices are read-only using USB control software such as AccessPatrol.
USB Encryption & Password Protection
- Ensure that all removable media and devices are encrypted. This will render any data useless to unauthorized users should the device be lost or stolen.
- Consider centrally managing encryption solutions to ensure consistent data protection across the organization.
- Encrypt your data before transferring it to a USB drive. This scrambles the data, making it unreadable without a decryption key. Consider encrypted USB drives or software encryption tools.
USB encryption refers to the process of scrambling data stored on a USB flash drive or external hard drive with a password or key. This makes the data unreadable by anyone who doesn't have the decryption key, even if they physically possess the USB drive.
Most flash drives are unencrypted by default. This means anyone who finds or steals the USB drive can access all of its information with just a computer. This could be anything from personal documents and financial records to sensitive work files.
There are two main ways to achieve USB encryption:
Software Encryption:
This method utilizes software applications to encrypt the contents of the USB drive. Popular operating systems like Windows (BitLocker) and macOS (Disk Utility) have built-in encryption tools. Third-party software offering similar functionalities is also available.
Hardware Encryption:
This approach uses a USB drive with a built-in encryption chip. Encryption happens on the device itself, often offering additional security features like a physical keypad for entering the password.
You set a password during the initial setup on the drive itself. Whenever you connect the drive, you need to enter the password using the built-in keypad or software interface to access the data.
Examples of hardware-encrypted USB devices include Kingston IronKey, the Kanguru Defender, and the SanDisk Extreme Pro SSD.
Benefits of USB Encryption:
- Data Security: By encrypting files, you can rest assured knowing that only those with the encryption key can view the contents of the drive should it get lost or stolen.
- Compliance: Encryption is often mandatory for businesses handling sensitive data to comply with regulations and industry standards.
Provide More Secure Alternatives
Rather than directly relying on USB drives, which have inherent security risks, a more secure alternative mitigates these risks by promoting data transfer methods that offer greater control and encryption.
Best alternatives to USB drives for transferring sensitive data:
- Network Share Drive: A network share drive is a basic storage location on a centralized server within a company's network. Users can access these drives by mapping them to their computers. Access control lists (ACLs) are typically used to manage user permissions to limit the risk of overprivileged data access.
- Cloud Storage Services: Cloud storage platforms like Dropbox or Google Drive allow remote access and file sharing with robust encryption options. This eliminates the need to physically transport data and keeps it within a controlled environment. That said, you still need to block access to unauthorized cloud storage to protect your data.
- Managed File Transfer (MFT) Solutions: MFT software facilitates secure file transfers between authorized users and systems. These solutions offer features like access control, encryption in transit and at rest, and audit trails for tracking activity.
- Internal Filesharing Platforms: Organizations can establish internal file-sharing platforms on their own network. This allows for secure collaboration and data exchange within a controlled environment, eliminating the need for external drives.
While some scenarios might necessitate occasional USB drive usage, employing secure alternatives as the primary data transfer method significantly reduces the attack surface and strengthens your overall data security posture.
Removable Media Policies & User Training
A removable media policy, also known as a USB device usage policy, portable storage device policy, or removable storage device policy, is a type of information security policy that dictates the acceptable use of portable storage devices such as USB flash drives, external hard drives, and tape drives.
These policies serve as a critical administrative security control for managing the risks of portable storage devices. They establish the security responsibilities of users, explain the importance of USB security, and provide guidelines for protecting sensitive data when using portable storage devices.
Removable media policies for ISO 27001 & other frameworks commonly include:
- Security requirements for removable media devices
- The company's stance on the use of personal storage devices and using company-provided storage devices for personal use
- Administrative requirements for obtaining and returning authorized portable storage devices
- Policies and procedures for managing third-party storage devices
- Responsible use expectations for users
- Data handling procedures for removable storage
Antivirus Software / Malware Scanning
Scanning all storage devices before connecting them to your network can help protect against malware or virus infections from external sources. Ensure that any antivirus or anti-malware software installed on the computer is up to date to detect any potential threats before they cause damage.
This is often achieved with what is known as a Sheep Dip. In a cybersecurity context, a Sheep Dip, also known as a Footbath, is a dedicated computer or sandbox environment that is used to test a removable media device for malware. A sheep-dip computer is the first line of defense against malware from USB drives and other portable storage media.
The term “Sheep Dip” refers to a method farmers use to prevent the spread of parasites in a flock of sheep. During a sheep dip, farmers dip all of their sheep one after another in a trough of pesticide to prevent infestations in the rest of the flock.
Similarly, the practice of sheep dipping removable media devices acts as an essential layer of security by preventing potentially infected storage devices from connecting to networked computers without prior inspection.
A computer that is used for sheep dipping will be air-gapped (not connected to the internet or the local area network) to prevent malware from infiltrating the network through the sheep-dip computer.
The sheep-dip computer will have an up-to-date antimalware system (virus scanner) to scan removable media devices for malicious software before allowing them onto a networked computer.
New malware threats emerge constantly. Even with antivirus software, there's always a risk of encountering a “zero-day” attack, where the malware is so new it hasn't been detected yet. USB drives can be a vector for such attacks, so it's critical to layer your cybersecurity defenses.
Disable Autorun & Autoplay
The Autorun feature causes removable media such as CDs, DVDs, and USB drives to open automatically when they are inserted into a drive. Disabling Autorun can prevent malicious code on an infected USB drive from opening automatically.
You can disable AutoPlay and Autorun using Windows Settings, Group Policy, and Registry. To learn more, see How To Disable AutoPlay & Autorun in Windows 10 & 11.
IT Inventory Management
IT Inventory Management plays a crucial role in USB security by providing visibility and control over these devices within your organization.
Tracking USB Usage
IT can track which devices are being used and by whom by having an accurate inventory of all USB devices assigned to employees or departments. This helps identify unauthorized USB usage and potential security risks.
Inventory management systems can help by recording details like:
- Serial numbers of USB devices
- Asset tags
- Assigned users or departments
- Purchase date and model information
Enforcing USB Usage Policies
IT policies might restrict the use of personal USB drives or require specific encryption standards. Inventory management helps enforce these policies by identifying non-compliant devices.
For example, IT can:
- Flag unauthorized USB devices that haven't been registered in the inventory.
- Restrict access to specific types of USB devices (e.g., disable write access for non-essential devices).
Facilitating Incident Response
If a USB drive is lost or stolen, knowing its details from the inventory allows for quicker and more targeted response.
With sufficient asset management practices, IT can:
- Identify the potentially affected user or department
- Remotely disable the device if it has such functionality
- Investigate potential data breaches and take necessary remediation steps
Overall, IT Inventory Management plays a vital role in USB security by providing a centralized system for tracking, controlling, and securing USB devices within your organization. It complements other security measures like USB access control, encryption, and user awareness training to create a comprehensive defense strategy.
Train Employees to NEVER Insert Unauthorized Removable Media Devices Into Company Computers
Unknown or employee-owned USB devices pose a significant security risk, especially in the context of drop attacks. These attacks leverage unsuspecting users who might plug in a seemingly harmless USB drive containing malicious code.
Drop Attack Mechanics:
- Planting the Seed: Attackers strategically leave infected USB drives in locations frequented by potential victims. These drives might be disguised as lost devices or labeled with enticing names to pique curiosity.
- Triggering the Trap: When a user plugs the USB drive into their computer, the malicious code hidden within automatically activates. This code can take various forms:
  - Malware Installation: The code might install malware like ransomware, keyloggers, or data stealers onto the victim's computer.
  - Phishing Attempts: The code might initiate a phishing attack, tricking the user into clicking a malicious link or entering sensitive information on a fake website.
  - Zero-Day Exploits: In some cases, the code might exploit unknown vulnerabilities (zero-day attacks) in the user's system, granting the attacker complete control.
- Spreading the Infection: Once a user's computer is compromised, the malware can spread further within a network:
  - Lateral Movement: The malware might scan the network for other connected devices and attempt to infect them as well.
  - Data Exfiltration: Stolen data can be exfiltrated from the compromised computer and the network to the attacker's server.
Dangers of Drop Attacks:
- Data Theft: These attacks can lead to the theft of sensitive data like login credentials, financial information, or intellectual property.
- System Disruption: Malware can disrupt computer operations, cause data corruption, or even render systems unusable through ransomware attacks.
- Network Compromise: A single compromised computer can become a gateway for attackers to infiltrate the entire network, putting all connected devices at risk.
- Financial Loss: Drop attacks can result in financial losses due to data breaches, downtime, and the cost of remediation efforts.
- Reputational Damage: Organizations that experience data breaches due to drop attacks can suffer significant reputational damage.
For example, in an experiment conducted by the University of Illinois and the University of Michigan, USB flash drives were scattered across a large university campus resulting in a staggering 45-98% of the USBs being inserted into machines.
For a less theoretical example, there's also the incident in 2020 where hackers used snail mail to send a company an envelope with a malware-laced USB thumb drive.
By training your users on the dangers of USB devices and your USB security measures, you can significantly reduce the risk of drop attacks and protect your organization's data and systems. Remember, a cautious and well-informed workforce is the first line of defense against these cyber threats.
Case Study
Metromont Improves User Awareness of USB Security Risks
Preventing users from inserting unauthorized removable media devices into company computers is an essential cybersecurity control.
Metromont realized the importance of USB security when an external security company performed a highly targeted USB drop attack on their employees.
Alarmingly, some of the employees plugged these unsanctioned USB drives into their work computers, a situation that otherwise could unknowingly grant threat actors access to sensitive information!
Read their case study to learn how CurrentWare's USB restriction and USB device activity monitoring capabilities helped Metromont ensure compliance with their data security policies.
Data Backups
Removable media devices are not reliable long-term data storage media; they must only be used for the temporary storage and transmission of information, such as transporting files from one computer to another.
Frequent data backups are critical for protecting data from ransomware attacks and other risks associated with USB devices.
Defense Against Ransomware:
- Recovery Option: Ransomware encrypts your files, rendering them inaccessible and demanding a ransom payment for decryption. Backups provide a clean copy of your data from before the attack. You can restore your system from the backup and regain access to your files without paying the attackers.
- Reduces Downtime: Recovering from a ransomware attack using backups can be much faster than paying the ransom and hoping the attackers provide a working decryption key. This minimizes business disruption and keeps downtime to a minimum.
- Discourages Ransomware Attacks: Knowing you have a reliable backup system might deter attackers in the first place. If they know you can easily recover your data, they may be less likely to target your organization.
Mitigating USB Device Risks:
- Protection Against Data Theft: If malware on a USB device steals your data, backups ensure you have a copy of the information safe and secure. This helps minimize the impact of a data breach.
- Accidental Data Loss Prevention: Accidental deletion or overwriting of data on a USB device is a possibility. Backups provide a safety net, allowing you to restore the lost data from a backup point.
- Improves Security Posture: A strong backup strategy, combined with other security measures, strengthens your overall data security posture. This makes you less vulnerable to attacks that exploit USB devices.
For effective data protection against both ransomware and USB device threats, consider these backup best practices:
- The 3-2-1 Backup Rule: This rule advises having 3 copies of your data on 2 different media types with 1 copy offsite. This ensures redundancy and protects against physical disasters like fire or theft.
- Regular Backups: Schedule regular backups to ensure you have a recent copy of your data in case of an attack. Daily or weekly backups are common practices.
- Secure Backup Location: Store backups on a secure location, like a cloud storage service or a physically separate storage device, to prevent them from being encrypted by ransomware.
- Test Your Backups: Regularly test your backups to ensure they are functioning correctly and can be restored successfully when needed.
Do Not Transfer Confidential Information to Removable Media
Files and data that have been deleted from removable media devices can still be retrieved. Any device that once stored confidential information must be treated as if it still contains sensitive information until it has been securely erased by information security personnel.
If full data erasure is not feasible, the USB device must be limited to the highest data classification for which it was previously used; it should not be considered for declassification.
For this reason, it is not uncommon for hard drives and external storage devices to be destroyed at the end of their lifecycle.