Removable Media Security

Removable Media Security is the process of controlling the usage of removable media devices (e.g., USB devices, CD/DVD media, backup tapes, etc.). Use of removable media should be controlled on systems to help prevent unauthorized transfer or disclosure of sensitive information and to minimize the propagation of malicious software.

Use of removable media should first be specifically authorized by the organization to ensure usage is only allowed for intended business purposes. Examples of authorized usage include, but are not limited to:
  • Marketing personnel (e.g. media used for presentations)
  • IT Support (e.g. to maintain IT devices)
  • Finance/Tax/Personal information (e.g. to support regulatory needs) 
  • Data backup (archival, availability)

Removable media should also be encrypted (e.g., AES-256) so that sensitive information cannot be accessed by unauthorized users. Software encryption can also be used to protect sensitive data that needs to be copied to and transported via CD/DVD. USB devices and CD/DVD media should be password protected, with strong password controls that require complex passwords of at least 10 characters. Media can be lost or stolen, which could lead to unauthorized access to sensitive information and costly data breaches.

A Data Loss Prevention (DLP) solution can also be used as an added layer of protection, both to enforce the controls described above and to better monitor and prevent access to unauthorized removable media devices (such as personal USB devices that can be misused to transfer sensitive data).

Many DLP solutions can be implemented in phases to better understand what types of devices and sensitive data are being moved within the network. The phases include a monitoring phase (to understand device usage and user behavior), a notification phase (alerting users when policies are violated), and a prevention phase (blocking access to non-authorized devices or movement of data based on data classification).
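
The phased rollout described above can be modelled as one policy evaluated under three enforcement modes. The following is an added example, not code from any DLP product or from this page; the device serials, classification labels, event fields, and the rule that sensitive data may only go to encrypted media are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum

class Phase(Enum):
    MONITOR = "monitor"   # log only, learn device usage and user behavior
    NOTIFY = "notify"     # log and alert the user, still allow
    PREVENT = "prevent"   # log, alert, and block

# Constructed policy data (assumptions, not from the page).
AUTHORIZED_DEVICES = {"CORP-USB-0001", "CORP-USB-0002"}
SENSITIVE_LABELS = {"confidential", "restricted"}

@dataclass(frozen=True)
class CopyEvent:
    user: str
    device_serial: str
    classification: str
    device_encrypted: bool

def violations(ev: CopyEvent) -> list[str]:
    """Rules broken by one copy-to-removable-media event (empty = compliant)."""
    broken = []
    if ev.device_serial not in AUTHORIZED_DEVICES:
        broken.append("unauthorized-device")
    if ev.classification in SENSITIVE_LABELS and not ev.device_encrypted:
        broken.append("sensitive-data-unencrypted-media")
    return broken

def evaluate(ev: CopyEvent, phase: Phase) -> dict:
    """Same event, different enforcement depending on the rollout phase."""
    broken = violations(ev)
    return {
        "violations": broken,
        "notify_user": bool(broken) and phase in (Phase.NOTIFY, Phase.PREVENT),
        "action": "block" if broken and phase is Phase.PREVENT else "allow",
    }

def monitoring_report(events: list[CopyEvent]) -> Counter:
    """Per-(user, rule) violation counts: the output of the monitoring phase."""
    return Counter((ev.user, rule) for ev in events for rule in violations(ev))

# Constructed sample events.
EVENTS = [
    CopyEvent("alice", "CORP-USB-0001", "public", True),
    CopyEvent("bob", "PERSONAL-9F3A", "confidential", False),
    CopyEvent("bob", "PERSONAL-9F3A", "public", False),
    CopyEvent("carol", "CORP-USB-0002", "restricted", False),
]

if __name__ == "__main__":
    for phase in Phase:
        print(phase.value, [evaluate(ev, phase)["action"] for ev in EVENTS])
    print(monitoring_report(EVENTS))
```

Running the monitoring report before switching to prevention shows which users and rules would be affected by blocking, which is the purpose of phasing the rollout.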

Finally, some organizations may choose to disable USB ports or access to removable media altogether. This approach may include leveraging Active Directory (e.g., Group Policy Objects) or physically disabling USB ports. Although this may be the most secure way to limit access to removable media devices, it may not allow much flexibility to meet business needs. SZ would recommend DLP controls or a combination of AD and DLP to better control removable media usage.

Topic Category
Data Loss Prevention
News Articles
How the CIA gained access to air-gapped computers (www.helpnetsecurity.com, 6/23/2017)
WannaCry Ransomware Infects Australian Traffic Cameras, Human Error Blamed (www.tripwire.com, 6/22/2017)
IBM has been shipping malware-infected USB sticks (www.grahamcluley.com, 5/2/2017)
Examiner caused Palm Springs credit union breach, NCUA IG to investigate (www.scmagazine.com, 12/31/2014)
SanDisk ships its first self-encrypting SSDs (www.computerworld.com, 5/13/2014)
Do you use NAS drives? For work? One just LEAKED secret cash-machine
Drives containing info on 2,500 stolen from Michigan health department (www.scmagazine.com, 4/7/2014)
California hospital notifies patients of missing thumb drive (www.scmagazine.com, 11/20/2013)
Info of nearly 3K University of Illinois dorm residents stolen (www.scmagazine.com, 6/25/2013)
Lost, unencrypted USB thumb drive impacts more than 50k Medicaid providers (www.scmagazine.com, 3/12/2013)
Nursing watchdog fined £150k for confidential unencrypted DVD
'Terrific Employee' Fired After Losing USB Drive Containing Medical Records (threatpost.com, 1/17/2013)
U.S. power plants combat USB malware infections (www.zdnet.com, 1/16/2013)
Malware Infects Two Power Plants Lacking Basic Security Controls (threatpost.com, 1/14/2013)
Chemical giant foils infected USB stick espionage
Chinese hackers breach Indian navy computers (www.zdnet.com, 7/2/2012)
Alaska agency must pay $1.7m after 500-person breach (www.scmagazine.com, 6/29/2012)
Honeynet looks to trap USB
Obama Order Sped Up Wave of Cyberattacks Against Iran (www.nytimes.com, 6/1/2012)
Cyber-intruder sparks massive federal response - and debate over dealing with threats (www.washingtonpost.com, 12/8/2011)
Class action suit seeks $4.9 billion in damages from TRICARE data theft (www.nextgov.com, 10/13/2011)
White House Orders New Computer Security Rules (www.nytimes.com, 10/6/2011)