Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cyber Security Awareness Month - Day 22 - Security of removable media

Published: 2010-10-22
Last Updated: 2010-10-26 22:26:35 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)
Removable media are nothing new. Computer storage started with removable media, those of us old enough likely have fond memories of cassette tapes and floppy disks. What changed, primarily, is the ubiquity of such media and the stunning capacity of memory sticks, USB drives, iGadgets, etc.

 
In addition to a lot of Good Things, removable media come with two prominent risks:

 
(1) Given that such media is used as a carrier of data between computers, it is also a good carrier of communicable diseases, aka computer viruses.

 
(2) The small form factor of such media makes it very easy to misplace or lose the device, and all the data on it

 
Both problems can be stopped of course by banning the use of removable media completely.  Some firms and organizations are trying this, but since computers come with built-in ports of all sorts and DVD writers and Bluetooth and and, it is very hard and costly to get this "right".  Also, it usually doesn't stop staff from exchanging data, they'll just find some other way, like uploading it to a file exchange site.  Thus, while a complete ban of a certain technology is often the first reaction of Security in a corporate setting, it hardly ever works in the long run.

 
If we assume that the USB ports are accessible and usable, here's three things you can do reduce the virus risk:

 
(a) Disable AutoRun
AutoRun is one of the dumbest inventions ever. Attaching a device or inserting a DVD should *never* lead to direct execution of a program without explicit user action. Viruses propagating via removable media became almost completely extinct when the "boot floppy" vanished, but came back in force once Microsoft put AutoRun into XP. Thankfully, it can be completely turned off, and should be. http://support.microsoft.com/kb/967715 shows how.

 
(b) Enable Anti-Virus
For anti virus, auto-run is desired. It makes good sense to have antivirus do a quick and automatic scan of any newly attached or inserted removable media, as soon as the file system is mounted. Especially in a corporate setting, you might want to know if one of your staff brings in a keylogger on  a memory stick, even when the malicious file is not actually started.

 
(c) Write Protect
If you are in a support or techie role that requires you to attach your memory stick to many different PCs, for example to run diagnostic programs or software updates, do everyone a favor and invest in a memory stick that can be write protected. A stick that has no internal memory and only acts as an SD card reader, for example, can do the job, and also others USB media that come with a write protect switch. This keeps the USB memory clean even when attached to an infected PC.

 

 
To address the problem of data loss, encryption is the only viable answer. Free software like TrueCrypt (truecrypt.org) comes with cross-platform support, is reasonable easy to use, and provides good protection if used with a decent password. In a corporate setting, chances are you already have a way to encrypt files or folders. Using one of these programs, make sure you gather the data to be copied in a folder that is *not* on the stick, encrypt it there, and only then copy the encrypted archive over to the USB media. Otherwise, you create temporary files that can be retrieved by a skilled attacker. In case the stick gets lost, the separate copy on the source system also gives you a perfect inventory of what was actually lost, which can be invaluable.

 
If you have additional tips on how to safely use removable media, let us know (http://isc.sans.edu/contact.html) or use the comment form below.
1 comment(s)
Diary Archives