Understanding the Risks Associated with USB Memory Sticks

What Risks, I Hear You Say.

Since its introduction, the USB memory stick has been hailed by those fed up with the shortcomings of the floppy. Its small physical size, satisfactory speed and ever-increasing storage capacity make it the most convenient device to use for transferring files from one place to another. However, these very features can introduce new security risks and amplify risks that already existed with floppy disks. The primary risks associated with USB memory sticks can be identified as:

  • Virus Transmissions - Data sharing opens up an avenue for viruses to propagate
  • Corruption of data - Corruption can occur if the drive is not unmounted cleanly
  • Loss of data - All media is susceptible to data loss
  • Loss of media - The device is physically small and can easily be misplaced
  • Loss of confidentiality - Data on the lost physical media can be obtained by others

Virus Transmissions

Whenever files are transferred between two machines there is a risk that viral code or some other malware will be transmitted, and USB memory sticks are no exception. Some USB memory sticks include a physical switch that can put the drive in read-only mode. When transferring files to an untrusted machine, a drive in read-only mode will prevent any data (including viruses) from being written to the device. If files need to be transferred from an untrusted machine, the only countermeasure is to immediately scan the memory stick for infection before copying files from it.

Corruption of Data

If the drive is physically lost or uncleanly unmounted, then data loss can occur. Physical loss is covered in the next section and corruption can usually be prevented. USB memory sticks differ from other types of removable media, such as CD and DVD-ROMs, because the computer usually has no way of knowing when a USB memory stick is going to be removed. Users of USB memory sticks usually need to alert the computer that they intend to remove the device; otherwise the computer will be unable to perform the clean-up required to disconnect the device, especially if files from the device are currently open. The OS will attempt to handle unexpected disconnects as best it can, so often no corruption will occur. However, it is still advisable to learn and enforce the preferred method for unmounting the device according to the OS documentation.
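The clean-up mentioned above includes writing out data the OS still holds in its write cache. The following is an added example, not part of the original article: a copy routine that forces the data to the device and verifies it before reporting success. The function names and the temporary directory standing in for the mounted stick are assumptions, and the stick should still be ejected through the OS afterwards.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read and write in 1 MiB blocks


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def copy_flushed(src, dst):
    """Copy src to dst, push the data out of the write caches, then verify.

    Returns the SHA-256 of the source; raises IOError if the copy differs.
    """
    expected = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            expected.update(block)
            fout.write(block)
        fout.flush()             # Python buffer -> operating system
        os.fsync(fout.fileno())  # operating system cache -> device
    # The re-read may be served from the OS cache, so this catches a
    # truncated or failed write, not a fault inside the flash itself.
    if sha256_of(dst) != expected.hexdigest():
        os.remove(dst)
        raise IOError("copy of %s does not match the source" % src)
    return expected.hexdigest()


def demo():
    # Constructed sample: a temp directory stands in for the mounted stick.
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "report.txt")
        stick = os.path.join(work, "stick")
        os.mkdir(stick)
        with open(src, "wb") as fh:
            fh.write(b"quarterly figures\n" * 1000)
        return copy_flushed(src, os.path.join(stick, "report.txt"))


if __name__ == "__main__":
    print(demo())
```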

Loss of Data

Although most USB memory sticks have no moving parts and thus are considerably less prone to mechanical wear than their older and larger counterparts, loss of data can still be an issue. Aside from mechanical failure, data can be lost through accidental erasure or overwriting. No write-capable media device is immune to this risk. The best safeguard against loss of data is frequent and proper backups, as with any other media type. Because of their propensity for physical loss, USB memory sticks are best suited as intermediary storage, so it isn't advisable to store the only copy of an item on the memory stick.
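One way to check the "only copy" advice in practice, as an added example that is not part of the original article: list every file on the stick that has no content-identical copy anywhere under a backup folder. The function names and the sample directory tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def _digest(path):
    # Whole-file read keeps the example short; fine for document-sized files.
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def _walk(root):
    for folder, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(folder, name)


def sole_copies(stick_root, backup_root):
    """Return stick files (relative paths) with no identical copy in backup.

    Matching is by content, so a backup stored under another name counts,
    while a file edited since the last backup is reported.
    """
    backed_up = {_digest(p) for p in _walk(backup_root)}
    return sorted(os.path.relpath(p, stick_root)
                  for p in _walk(stick_root) if _digest(p) not in backed_up)


def demo():
    # Constructed sample tree; temp directories stand in for stick and backup.
    files = {
        "stick/notes.txt": b"meeting notes",
        "stick/budget.csv": b"q1,q2,q3",        # edited since last backup
        "stick/scans/id.bin": b"\x00\x01\x02",  # never backed up
        "backup/old/notes-copy.txt": b"meeting notes",
        "backup/budget.csv": b"q1,q2",
    }
    with tempfile.TemporaryDirectory() as work:
        for rel, data in files.items():
            path = os.path.join(work, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return sole_copies(os.path.join(work, "stick"),
                           os.path.join(work, "backup"))


if __name__ == "__main__":
    for name in demo():
        print("no backup found for:", name)
```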

Loss of Media

Data loss can occur if the memory stick is physically lost. Untethered drives are most at risk of being physically lost because their lightweight nature allows them to slip out of pockets unnoticed. To protect against physical loss of the device, it’s advisable to have the device tethered to something, preferably a keychain. Some devices have lanyard-style tethers, but use these with caution as the lanyard may only tether the drive cap and not the drive itself, which leaves the drive at risk of falling away unnoticed. Drives tethered to a keychain are less likely to be permanently lost because they are attached to another item that the user has presumably already learned not to lose.

Loss of Confidentiality

Perhaps the greatest benefit of the USB memory stick is also its greatest security risk. Because of its convenient small physical size and large logical size compared to its predecessor, the floppy disk, more data can find its way onto the USB memory stick. Some of this data is likely to be confidential and becomes a risk if the media is lost. An executive who uses a memory stick to transfer a customer database from his desktop to his laptop could subsequently lose the memory stick. If the stick then finds its way into the hands of a competitor, then the company has suffered a much greater loss than simply the replacement cost of the memory stick. In a similar scenario, if a healthcare professional loses a memory stick containing patient records, then there are legal liability issues associated with laws and regulations.

There are two primary ways to mitigate the risk of loss of confidential data, namely avoidance and encryption. With an avoidance strategy, no data that can be considered private is stored on the memory stick. Clearly, this strategy is severely limiting, not least because of the difficulty of determining exactly what constitutes private data. An ideal encryption strategy allows any data to be stored on the memory stick but renders the data useless without the required encryption key, which is usually a strong password, but can also be a biometric such as a thumbprint. Some USB memory sticks include their own proprietary encryption algorithms and formats, but often the encryption used is either unproven or inadequate, and the memory sticks are more expensive. However, encryption software that can be used to protect data on the memory stick is available from many vendors. One of these, Cryptainer LE for Windows from Cypherix™ Software, is available in a lightweight version, free of charge, that will be explored later on.

Using Encryption to Safeguard Data on USB Memory Sticks

As discussed above, one of the best ways to safeguard against confidentiality loss is through the use of encryption. Many commercial encryption products are available today, but this article will focus on Cryptainer LE from Cypherix™ Software because it is free for both personal AND commercial use, and the product is ideally suited for USB memory sticks.

How Cryptainer LE Works

Cryptainer LE functions as a drive for Win32 systems that allows the operating system to view a single encrypted file as a virtual disk. Essentially, once the virtual disk is mounted it is available to Windows just as if it were any other type of disk. A small program is required to mount the encrypted disk, and that program can be included on the USB memory stick as well. The portable version does not require installation and can reside on the memory stick, making Cryptainer LE a self-contained encryption system.

Unlike some other vendors who might implement a weak or obsolete encryption algorithm such as single-DES in their free or trial products, Cypherix™ uses strong encryption via the Blowfish algorithm. Blowfish is a highly efficient algorithm developed by cryptography expert Bruce Schneier and trusted by even the most paranoid of the security-conscious community, the OpenBSD project. Provided that the password selected as the key is securely chosen, data encrypted by Cryptainer LE is about as secure as it gets, figuratively speaking.