The March, 1968, issue of Communications of the ACM included a letter from computer scientist Edsger Dijkstra, “Go To Statement Considered Harmful.” Since then, others have picked up on the “considered harmful” theme. For example, “Comments Considered Harmful” was the theme of several opinionated articles in the decade after Dijkstra’s original letter.
Now I’d like to apply the “considered harmful” label to another entity: flash drives. Those ubiquitous memory sticks that are so convenient for carrying data from one computer to another pose a security risk as soon as you insert one into a USB port.
The essay Defending a New Domain, by Deputy Defense Secretary William Lynn III, appeared in the September/October 2010 issue of the journal Foreign Affairs. Lynn talks about malicious code from a foreign intelligence agency that penetrated a network run by the U.S. Central Command. Was the delivery vehicle an ultra-sophisticated viral attack that got past the Department of Defense’s perimeter defenses? No, it was—you guessed it—a flash drive. This one was inserted into a U.S. military laptop on a post in the Middle East in 2008. The malware spread from there to both classified and unclassified systems as the laptop was connected to networks.
The infections can run in both directions. Consider the case of the diligent computer operator who, failing to get a tape to read on one drive, tried it on several more, not realizing that the tape was damaged and in turn was harming the drives. Then each of the tapes mounted on those drives became damaged until someone finally figured out the problem. The same thing can happen with a flash drive. It might be clean initially, but when it’s put into the USB port of an infected system, it can pick up the infection and spread it wherever else it’s used.
What’s the solution? The U.S. military banned the use of flash drives after the 2008 incident, but it later modified the policy to allow the use of approved flash drives. That’s because sometimes flash drives are the most convenient and safest way to transport data, and troops sometimes need the devices to carry or transfer critical data. It’s one of the many facets of the tradeoff between security and convenience that we face daily.
Secure flash drives, available for more than a decade, focus on protecting the confidentiality of the data on the drive, typically through encryption. Depending on the strength of the encryption, these can provide a reasonable safeguard against the loss of data when the flash drive itself is lost or stolen. But to protect the drive and its data from malware, you’ll need to install virus protection and anti-malware software on your flash drives. Furthermore, to protect PCs that might be infected when a flash drive is inserted, configure your anti-virus software on the PC to examine any removable media that connects to the PC.
Another flash drive danger is indicated by the security breach reported in the July 26, 2013, Cases section of Law360. A worker accidentally transferred names, Social Security numbers, birthdays, and other personal protected information onto a flash drive before taking a job with another agency, where the data was later found on their servers.
This raises another important safeguard: If there is no business reason for a PC to have a flash drive or other external storage attached, block the PC’s USB ports or disable them through software.
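One way to apply the “disable them through software” safeguard on a Linux PC, as an added example that is not part of the original article: it audits a modprobe configuration directory for rules that stop the USB mass-storage drivers from loading, and can write those rules. The Linux target, the function names, and the file name `usb-storage-block.conf` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keep the Linux USB mass-storage drivers from loading.
# Assumptions: modprobe.d-style config; function and file names are illustrative.

MODULES="usb-storage uas"   # uas = USB Attached SCSI, the second storage driver

# module_blocked DIR MODULE: succeeds if a *.conf file in DIR replaces the
# module's load command with /bin/false or /bin/true.
module_blocked() {
    # modprobe treats "-" and "_" in module names as the same character
    _pat=$(printf '%s' "$2" | sed 's/[-_]/[-_]/g')
    grep -Eqs "^[[:space:]]*install[[:space:]]+${_pat}[[:space:]]+/bin/(false|true)[[:space:]]*$" "$1"/*.conf
}

# audit_usb_storage DIR: reports each module, succeeds only if all are blocked.
audit_usb_storage() {
    _rc=0
    for _mod in $MODULES; do
        if module_blocked "$1" "$_mod"; then
            echo "OK      $_mod cannot be loaded through modprobe"
        else
            echo "MISSING $_mod has no install override"
            _rc=1
        fi
    done
    return $_rc
}

# enforce_usb_storage DIR: writes DIR/usb-storage-block.conf.
enforce_usb_storage() {
    {
        echo "# Block USB mass storage"
        for _mod in $MODULES; do
            # "blacklist" only stops automatic loading by device alias;
            # "install ... /bin/false" also makes an explicit modprobe fail.
            echo "blacklist $_mod"
            echo "install $_mod /bin/false"
        done
    } > "$1/usb-storage-block.conf"
}

# Run as: script --audit [DIR]  or  script --enforce [DIR]  (needs root for /etc)
case "${1:-}" in
    --audit)   audit_usb_storage "${2:-/etc/modprobe.d}" ;;
    --enforce) enforce_usb_storage "${2:-/etc/modprobe.d}" ;;
esac
```

The rules take effect the next time the kernel tries to load the driver, so a driver that is already loaded stays active until it is unloaded or the machine reboots. USB keyboards and mice keep working because they use different drivers.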
Finally, develop and publicize a policy for the appropriate use of flash drives, and educate your employees in their safe and appropriate use.
With encryption, anti-malware, selective connection prevention, security policy, and employee education, flash drives will still be considered harmful, but you will have minimized your risk of that harm befalling you.