If you must use portable USB drives, then you must read this…

We discourage the use of USB drives both internally and by clients – the issues arising include:

  • Insiders who intend to betray the trust put in them often steal data using a USB stick. Quick to use, easy to conceal – for an example of this watch Iron Man the movie, because it is exactly what Pepper Potts does.
  • Portable USB drives and the information they contain are easily lost (or stolen) both in and out of the office. Have a look at this story to see what can be lost:

Japanese man loses USB stick with entire city’s personal details – BBC News

  • We had a case where a client picked up a USB drive in the street and then put it in their computer to see what was on it. It was a virus.
  • The FBI has issued warnings about threat actors sending malware/spyware infected USB sticks to companies and organisations – maybe someone there will plug it in. (Cimpanu, 2022)

However, there are some situations where a portable USB drive is the perfect tool and in those cases you need a cyber secure solution that recognises the risk. We have written policies and procedures for clients to cover these tasks, which include the use of Windows encryption, but there are limitations with these solutions. We also have experience with some third-party applications but have never found anything easy to use.

Let me take a quick aside here – I have been very disappointed with SanDisk in the past – and had been preventing my team from purchasing their products. However, I have had a change of mind.

SanDisk iXpand Go USB drive with encryption

We have a comprehensive incident and business recovery plan (of course) and we discuss and review the plan regularly. During our last role play test, one of our engineers came up with a scenario of having a copy of our plan documentation on a memory stick, which would have made recovery quicker. But these documents are some of the most secret we have, so I had to go and find a secure answer to the problem.

Research led me to the SanDisk iXpand Go USB drive so I had to break my own rule and buy one to test.

So why does this portable USB drive meet our requirements?

  • If a PC is not available, the drive can be used in an iPhone/iPad. The encrypted information can then be accessed on the devices.
  • The encryption software runs from the iXpand drive when it is plugged into a Windows PC or Mac. This was a major advantage for our need, as the solution is self-contained.
  • We use a very complicated encryption key which is not available to the user with the drive. During an incident I as CISO, or our CEO, will make the key available by text.
  • Our remote monitoring and management software reports on the use of USB drives across our computers and we have custom reporting on our incident response folders in Microsoft 365.

The downside:

  • Any use of portable USB storage is a cyber security risk that you have to examine and then decide whether the risk is worth it. Remember that your team may have read and understood your policies and procedures. What happens when they do not follow them and leave sensitive data unencrypted on the drive, or they use the drive for unauthorised copying?
  • The drive is made by SanDisk, who have a track record of abandoning apps that are needed to support their hardware. In this case, if SanDisk do abandon you and stop developing the app, you will lose the app encryption when the supplier updates its software, but your iOS file explorer functionality will not be lost, as the drive functions with FE Explorer (my new favourite iOS app).
  • Make sure you are using SanDisk PrivateAccess Version 6.3.5 or better (6.3.12W is the current version) – there was a problem with earlier versions (Sylvain, 2022).
  • All is not perfect with SanDisk:

SanDisk SecureAccess bug allows brute forcing vault passwords (bleepingcomputer.com)

WDC-21014 SanDisk SecureAccess Software Update | Western Digital

So here are a couple of take-aways from this:

  • Do your team understand the cyber security risks of using portable data storage? If not, then implement some training.
  • Do you have policies and procedures to cover the use of USB devices and transfer of information? If not get some. If your people do not know what your standards are how can they meet them?
  • Do not be stubborn – good cyber security may need you to change your mind!


Clive Catton MSc (Cyber Security)

References

Sylvain. (2022). Practical Bruteforce of AES-1024 Military Grade Encryption. Retrieved June 14, 2022, from https://research.kudelskisecurity.com/2022/05/11/practical-bruteforce-of-aes-1024-military-grade-encryption/

Further Reading

I have a SanDisk device that used to have encrypted information on – do you? UPDATED – Smart Thinking Solutions