The security awareness hazards of removable media
What is removable media?
Removable media can be thought of as a portable storage medium that allows users to copy data to it and then take it off-site, and vice versa. It presents itself as a convenient, cost-effective storage solution that is available in many different size capacities and form factors, with differing transfer speed capabilities. Removable media can take many forms:
- USB Drives (Pen Drives, Portable Hard Drives)
- Smartphones, music players and similarly equipped handheld devices
- SD Cards
- Optical Media (CDs, DVDs, BluRay)
- Legacy Media: (T)
See Infosec IQ in action
As you can see, removable media encompasses a large group of storage technologies, which is why some people have difficulty understanding what is meant by the term. Adding to some of this confusion is the function that removable media serves. There are a few different applications for removable media, including:
- Backup storage for files on PCs, laptops and servers
- Additional storage space for PCs and laptops
- A bootable Live Operating System
- A bootable installation media such as Windows and Linux
There are many reasons why removable media might be required in your business environment, and there are valid reasons why you might allow such devices on your network. However, as with most technologies, there are risks involved. The following information will seek to detail the potential risks, as well as some techniques that will help you to minimize your company’s risk of exposure to the dangers that are associated with removable media. This information needs to be passed on to your users via the following methods, with which we go into more detail towards the end of the article. They are:
- Initial user training and IT policy explanations
- Periodic refreshers
- A concerted ongoing awareness campaign from the IT department
- Newsletters and company-wide email remindersand a playbook.
What are the risks involved with using removable media?
There are many advantages to using removable media, chief among which is the quick and convenient means by which users can copy, transfer and backup data. This same ease of use and convenience is part of the problem with removable media, however, as malware and viruses are able to easily replicate and distribute themselves to unprotected removable storage devices that are not write-protected. Here are some other risks that removable media can expose your company to if not managed properly:
- Data Security
- Malware Infections
- Copyright Infringement
- Hardware Failures
Data security
Any time that an employee copies sensitive data to removable media such as a thumb drive or CD, there is a risk of that data being accessed by unauthorized personnel. One such case occurred in 2012 when a detective in Manchester, England, had his house burgled. His USB stick containing the details of over 1000 individuals relating to investigations was stolen during this incident. Greater Manchester Police was then fined over £120,000 ($155,000 at today’s exchange rate) following an investigation of the incident. So we can see that there are real financial implications for such occurrences because of the seriousness of data security breaches.
It is important to remember that once a device is no longer in your possession, you have no control over the data or who has access to it. Confidential information can then be transmitted to other parties or posted online for all to see. There are some devices and software applications that encrypt data on your device or media, giving you an added layer of protection in the event of your device getting lost or stolen.
Malware infections
Malicious software, or malware, is a major problem for modern businesses. Malware is able to spread via removable media, and it is risky to use such media if the source cannot be identified. One such example is a recent study that has shown that as many as half of the USB sticks that are picked up in parking lots of business properties are then plugged into the user’s computer once they get inside their offices. This means that any malicious software that is on the USB drive can then infect the company network. Rewriteable CDs, DVDs, and BluRays are all capable of delivering a malicious payload if autorun is enabled on a desktop PC, laptop or server, so having an up-to-date antivirus application is essential for businesses to ensure the continued safety of their network.
Media failure
Removable Media is inherently risky as a primary storage solution, and for many reasons. Due to the low cost and high production quantities of the different media types and devices, some may have shorter life spans than others. It is, therefore, really important for users to understand the importance of storing sensitive, important and confidential information safely and securely on the organization’s file server or NAS device. This is so that in the event of media failure, loss, theft or damage, then the data that is lost on the media is at least backed up to another source.
How do you set up a removable media policy?
Outline
As with all policies that get introduced into an operational environment, there are certain parameters that need to be explained inside a policy document. You need to have a clear outline at the beginning of the document that explains the vulnerabilities of the company’s network, as well as the perceived risks that are associated with the use of removable media within your company.
Purpose
The next step is to clarify the purpose of your policy document. Here, you will explain what you wish to accomplish by having this policy in your environment so that users can understand what you are safeguarding by implementing these regulations. This is a great opportunity for you to encourage users to contact the IT department with any queries or concerns that they might have.
Scope
You want to explain what it is that you are covering in your removable media policy, so a scope is essential so that users understand exactly what is covered and what is not. Make sure that you explain that removable media is the subject of the document, and make sure that you include explanations and definitions for their reference.
Policy overview
Now for the meat of your document, the actual policy is outlined here. You can explain when removal media can be used and when it cannot. You must explain what data can be stored on such media, and how it must be copied. This is a good opportunity to explain anything from how to encrypt the information on the removable media to how users must scan the media before it can be opened on their workstations. If you have any exceptions or exclusions that might cancel certain parts of your document, then now is a good chance to mention it.
Non-compliance
For this part, you will need some input from your manager as to what the repercussions are for anyone that fails to follow the procedures correctly. These must be explained in detail so that there is no confusion about the seriousness of such an offense.
Glossary
This section is where you will explain in detail some of the terms that you have mentioned throughout the document. It is important to remember that users in your organization might not be as familiar with the technical references as you are, so be sure to explain your definitions and terms in a clear and concise manner.
As with all IT security-related matters, the importance of removable media needs to be driven by the IT policy documentation so that everybody in the company has a clear and accurate picture of what is considered safe and acceptable usage of removable media. This means that initial training needs to be clear and concise so that all employees know about the potential security risks associated with removable media.
Other than increasing user awareness and training, the IT department can consider other avenues, such as:
Phishing simulations & training
- Disabling autorun on your optical drives and USB drives. This prevents some instances of malware from launching themselves automatically when connected to your system.
- Restrict removable media. This is not always possible, but only allowing specific devices and media to be used together can minimize your chances of infection.
- Use a standalone virus-scanning PC. This has been mentioned previously, but it is worth talking about again. This is an effective solution that will isolate any malware from your network, allowing the removable media to be disinfected before in can propagate further onto your LAN.
- Ban removable media. Again, this is not easy to monitor, implement or enforce, but if you have a directive from your superiors, then this is one of the most effective method of avoiding a malware or virus outbreak from removable media within your organization.
- Continue to educate and inform your users. As we highlighted earlier, keeping the staff members in your organization aware of potential threats that may come from removable media is really important. There are many avenues for you to explore such as awareness campaigns and informational resources that you can make available to all of your company’s different departments. If you navigate to / you can find some great articles to help you gain a further understanding on the subject of removable media security. We also have some in depth training material over at https://www.infosecinstitute.com/iq for you to get started on, and best of all, it’s free to use.
We offer a wide range of network security-related courses for IT professionals. If you have any queries please feel free to contact us here and we will be happy to assist you further.