So what is a USB flash drive exactly? This little device uses flash memory to store information and transfers that information via a USB (Universal Serial Bus) connection. Unlike a conventional hard drive, a flash drive has no moving parts. Instead, it is a special type of EEPROM (electrically erasable programmable read-only memory) that can be erased and reprogrammed automatically. Now granted, the storage capacity doesn’t even come close to what conventional hard drives offer but there is still plenty of room to store large video and audio files in addition to large documents.
USB flash drives come in all different shapes and sizes but are usually no bigger than a pack of gum. Other terms you may have heard that are synonymous with this type of device are thumb drives, pen drives, pocket drives, etc. The small size of these devices should be of concern when evaluating their use in your environment; especially from an information security perspective. They are easy to hide, can store a considerable amount of data, are simple to use, easily accessible and very affordable.
If proper steps are not taken to secure your computing environment, a USB flash drive would be an ideal means of collecting valuable information and literally pocketing it. So what steps can be taken to secure your environment against these potentially sinister little devices? Here are two rules of thumb.
Confidential information should be kept… confidential!
- Make sure you have a strong information security policy in place. Confidential information should be kept on your servers or in password-protected folders or shared drives. There’s no reason sensitive information should be saved on a local hard drive if it doesn’t have to be. That’s like leaving your $50,000 BMW parked on a busy street while your four car garage sits empty!
Disable the use of USB storage devices for users that don’t have a valid business need for it.
- USB storage in the Microsoft Windows environment is fairly simple but if you’re not familiar with the Microsoft Windows Registry or system structure, this may be something you’ll want to get assistance with. Intermediate and advanced users (i.e. system administrators, IT technicians, etc.) will most likely find this pretty straightforward. And not to worry, this will not affect normal USB devices such as mice, keyboards, or printers. This will only disable the use and installation of USB storage devices. Should you not wish to disable the use of USB devices completely, it's possible to create a policy that will make them read-only. See our article How To Enforce a Read-Only Policy on USB Drives for more information.
DISCLAIMER: The following should only be attempted by those who are familiar with the Windows Registry and system structure. Any time you make major changes to a system, it’s a good idea to backup your system registry. Go here for Microsoft’s instructions on how to do this.