Start With a Policy Plan
Reducing USB risks starts by recognizing how they could be a danger for your organization. This means developing a set of policies that guide users as to which USB devices they can use to access corporate information, how they can be used and how these devices will be managed within and without the firewall.
Limit USB Use to Only Sanctioned Devices
The best organizations make their first USB policy one that limits USB usage to a predefined subset of sanctioned devices, sometimes to only those which have been issued by the business. Doing so limits the exposure surface of devices that access corporate data.
Centrally Manage Devices
The policy of limiting devices should be enforced through a centrally managed system that keeps tabs on all devices with access to corporate assets. A manual system that tracks all devices in use within a database would be the minimum in this case, but the preferable option is an automated system that restricts unauthorized devices from loading on corporate endpoints and tracks all instances of device usage within auditable logs.
Password Protect All Flash Drives
A recent survey by Credant Technologies found that 1 in 10 workers have lost a USB drive containing corporate information. At bare minimum, organizations should require that USB drives that are connected to the network be protected by password.
Spring for Biometric Devices
Of course, passwords are hardly fool-proof. Take a step further and consider bringing in sanctioned devices with built-in biometric capabilities for an added layer of security.
Utilize Full Disk Encryption
Organizations should require that USB drives used on their endpoints be fully encrypted to ensure that if they contain sensitive information and are left behind on a cab or a plane somewhere they aren’t causing a data breach.
Disable AutoRun on Endpoints
Many of the nastiest viruses spread via USB take advantage of Windows AutoRun in order to execute applications without any user intervention beyond simply plugging in the device. Shutting down this functionality will drastically reduce the risk of widespread infection.
Limit Executables from Running Off Devices
One of the best ways to keep malware from propagating via USB is to prevent executables from running off portable devices in the first place. Consider implementing and enforcing policies that ban the initiation of some or all executables from portable devices.
Patch Your Endpoints
Reduce the risk of malware lurking on USB devices from taking advantage of endpoint weaknesses by ensuring that security updates and patches are implemented in a timely fashion. Many Conficker and Stuxnet infections over the last few years could have been greatly reduced in scope and severity had organizations’ machines been patched.
Institute User Training
Often some of the worst cases of infection occur when workers use devices outside the network on unsecured and unprotected machines in public places. Organizations need to train their users on policies regarding device use outside the network.