IT Briefcase Exclusive Interview: Top 5 Must-have Security Features Every USB Drive Should Have
August 16, 2016
In a world where more and more employees are utilizing USB drives in the exchange and storage of private data, the following Q&A provides insight into the top must-have security features that every USB drive should contain:
1. 256-Bit AES Encryption
2. Forced Enrollment to require a unique PIN / password during setup
3. Brute Force Protection – prevents endless attempts to unlock the device
4. Hardware Based Encryption – More secure and functional than SW based encryption
5. Onboard Authentication – eliminates sharing critical security parameters with the host
- Q: What are some of the biggest data-protection risks that corporations face?
A. The stakes of not protecting sensitive data have never been higher, and will continue to grow in terms of increasing sensitive content, threats and consequences. Not knowing where sensitive data resides, who has access, where it goes, or how it gets there are leading challenges for IT departments in our increasingly mobile work environment. Once an assessment has been completed and a data security plan is in place, the human element is the biggest risk. Intentionally or unintentionally, humans with access to data are the biggest contributors to breaches (over 40% of total), outpacing those instigated by black hats by almost double.
- Q: What is the ideal encryption level for a USB drive?
A. The level of data protection should be proportionate to the nature of the data. Does it make sense to spend $100,000 to protect $10,000 of data? Software encryption may be a cost-effective solution for mildly sensitive data with the goal of keeping an honest person honest and allowing a company to state compliance. However, with truly sensitive data, AES 256-bit hardware encryption should be mandatory. It is effective and has become both mainstream and affordable. That said, attackers seldom target the encrypted data directly. Attackers will focus on defeating the implementation of the encryption system to find or circumvent encryption keys, passwords or PINs versus breaking the actual encryption.
- Q: What are some commonly used avenues for data theft?
A. The most commonly used avenue for data theft is software hacking on networks or cloud servers that are available 24/7/365…including holidays. There are countless techniques to install malware, gain access or steal credentials. Many companies don’t realize they have been hacked until their data is being offered for sale on the dark web.
However, in the case of external encrypted devices, data is physically unavailable without the device in hand. Furthermore, external devices that are completely self-sufficient and perform the authentication and encryption processes onboard never share critical security parameters (Passwords, PIN, encryption keys, etc.) with the host system, thus eliminating the most common attack vectors.
- Q: Are pre-set access codes strong enough?
A. It’s commonly known that the biggest exposure to data breach vulnerability for any company is due to employee behavior, specifically malice and negligence. Of those two, failure to adhere to security protocol is statistically the biggest factor contributing to corporate breach. Most comprehensive security policies will require a sufficiently strong password or PIN that is changed on a regular basis.
With regard to external secure devices, limited physical access to the device provides a level of security. However, a targeted individual working with valuable data would be subject to social engineering, espionage and more. When it comes to setting passwords on a secure hard drive, it’s critically important to avoid default passwords and PINs that can easily be found on the web, as well as common passwords and PINs including birthdays, phone numbers and addresses, etc.
Despite a solid policy, expert advice, and multiple warnings, a percentage of external drive users will continue forward with a default or weak password or PIN. This is often the case with executive level personnel that aren’t technically trained or concerned about being fired.
In order to prevent this behavior, the USB drive should not provide default passwords or PINs, and should include built-in controls that limit the simplicity of the password or PIN.
- Q: What is a brute force attack as it pertains to USB drives?
A. A typical brute force attack is an attempt to pummel a device with a rainbow table of potential passwords or PINs until it finds the right combination and unlocks the device. However, most secure drives will include some level of brute force protection that will limit the number of consecutive failed entries (usually 20 or less). Once the device reaches the predetermined number of failed attempts the drive will assume it is being attacked and lock itself. The device may also perform a crypto erase, wiping out the encryption key, rendering the data useless.
However, many black hats aren’t going to simply try and access the device via the front door. An advanced attack will ponder the implementation of the security features and try to circumvent the built-in protection to discover other vulnerabilities in the device. Recent iPhone encryption controversies are a perfect example of the creativity and resourcefulness that motivated, funded hackers will take to gain access to data. Brute force can be used at various stages of the hacking process if the hacker is successful at circumventing the initial security system.
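A minimal model of the failed-attempt counter and crypto erase described in this answer, combined with the enrollment policy from the earlier answer on pre-set access codes. This is an added example, not Apricorn firmware or code from the interview; the class name, the limit of 10 attempts, the 7-digit minimum and the XOR stand-in for key wrapping are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10  # assumed limit; the interview only says "usually 20 or less"
MIN_PIN_LEN = 7    # assumed policy value

def pin_is_acceptable(pin: str) -> bool:
    """Enrollment policy: numeric, long enough, not one repeated digit or a run."""
    if not pin.isdigit() or len(pin) < MIN_PIN_LEN or len(set(pin)) == 1:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps not in ({1}, {9})  # rejects 1234567 and 7654321 style PINs

class DriveModel:
    """Hypothetical controller state; nothing here is shared with a host."""

    def __init__(self):
        self.salt = self.verifier = self.wrapped_key = None  # no default PIN
        self.failures = 0

    def _derive(self, pin: str):
        out = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 10_000, 64)
        return out[:32], out[32:]  # (PIN verifier, key-encryption key)

    def enroll(self, pin: str) -> bytes:
        if not pin_is_acceptable(pin):
            raise ValueError("PIN rejected by enrollment policy")
        self.salt, data_key = os.urandom(16), os.urandom(32)
        self.verifier, kek = self._derive(pin)
        # XOR stands in for AES key wrap to keep the model stdlib-only.
        self.wrapped_key = bytes(a ^ b for a, b in zip(data_key, kek))
        self.failures = 0
        return data_key

    def unlock(self, pin: str):
        if self.wrapped_key is None:
            return None  # never enrolled, or already crypto-erased
        self.failures += 1  # count first, so an interrupted check still counts
        verifier, kek = self._derive(pin)
        if hmac.compare_digest(verifier, self.verifier):
            self.failures = 0
            return bytes(a ^ b for a, b in zip(self.wrapped_key, kek))
        if self.failures >= MAX_ATTEMPTS:
            self.wrapped_key = self.verifier = None  # crypto erase
        return None
```

After the limit is reached the wrapped data key no longer exists, so even the correct PIN returns nothing.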
- Q: What types of security enhancements might a company need when they experience rapid growth or acquisition, etc.?
A. IT professionals working in a dynamic environment will be challenged to adapt their security policies to maintain control over their sensitive data. Acquisitions will likely introduce more variables in a short period of time that will enhance the challenge vs rapid growth. But recognizing the importance of developing and maintaining a data security plan is the first step. But even then, security concerns and associated funding requests get pushed to the side in favor of more traditional business concerns at the core of their business model.
Conclusion
We live in a complex digital world where nothing appears to be secure. Every day we read about organizations that have invested millions of dollars in data security announcing they have been breached. If it can happen to a company staffed with IT security professionals and million-dollar budgets, it can easily happen to you. It is commonly stated that there are 2 types of companies: those that have been hacked, and those that don’t know they have been hacked.
There is no system that can provide absolute security in all environments. We are fighting against an enemy motivated by money, principle, knowledge and war…with no end in sight. However, staying abreast of the ever-changing threat landscape and implementing protection and policies to address those threats will help keep your business humming and your company out of the headlines.
Mike McCandless, VP of sales & marketing, Apricorn