What Is true about removable media that you find

While removable media and devices are extensively used for storing and transporting data, some of the characteristics that make them convenient can also introduce security risks. 

Please read and review the different types of removable media and devices listed below as well as the guidelines for managing these important information security risks.

Removable media and devices include:

• Optical Discs (Blu-Ray discs, DVDS, CD-ROMs)
• Memory Cards (Compact Flash card, Secure Digital card, Memory Stick)
• Zip Disks/ Floppy disks
• USB flash drives
• External hard drives (DE, EIDE, SCSSI, and SSD)
• Digital cameras
• Smart phones
• Other external/dockable devices which contain removable media capabilities 

 Please follow these guidelines for managing removable media and devices:

• Install anti-virus solution(s) on your computer that will actively scan for malware when any type of removable media or device is connected.
• Ensure that all removable media and devices are encrypted.  This will render any data useless to unauthorized users should the device be lost or stolen.
• Never connect found media or devices to a PC. Give any unknown storage device to security or IT personnel.
• Always apply new passwords before and after every business/personal trip where company data is being utilized on removable media or device.
• Never disclose the passwords used with removable media or device to anyone.
• Disable the Autorun and Autoplay features for all removable media or devices. These features automatically run when plugged into a USB port or drive.
• Keep your personal and business data separate. Do not store UMass Chan data on your personal device.
• When you have finished transferring sensitive data from removable media or device, be sure to delete it from that device.

Please refer to these following UMass Chan IT Policies:

  Portable device that can be connected to an information system (IS), computer, or network to provide data storage. These devices interface with the IS through processing chips and may load driver software, presenting a greater security risk to the IS than non-device media, such as optical discs or flash memory cards. Note: Examples include, but are not limited to: USB flash drives, external hard drives, and external solid state disk (SSD) drives. Portable Storage Devices also include memory cards that have additional functions aside from standard data storage and encrypted data storage, such as built-in Wi-Fi connectivity and global positioning system (GPS) reception. See also removable media.
Source(s):
CNSSI 4009-2015 under portable storage device

  See portable storage device.
Source(s):
CNSSI 4009-2015

  A system component that can communicate with and be added to or removed from a system or network and that is limited to data storage—including text, video, audio or image data—as its primary function (e.g., optical discs, external or removable hard drives, external or removable solid-state disk drives, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks).
Source(s):
NIST SP 800-53 Rev. 5 under portable storage device

  A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
Source(s):
NIST SP 800-171 Rev. 2 under portable storage device

Removable media can be thought of as a portable storage medium that allows users to copy data to it and then take it off site, and vice versa. It presents itself as a convenient, cost effective storage solution that is available in many different size capacities and form factors, with differing transfer speed capabilities. Removable media can take many forms,  :

• USB Drives (Pen Drives, Portable Hard Drives)
• Smartphones, music players and similarly equipped handheld devices
• SD Cards
• Optical Media (CDs, DVDs, BluRay)
• Legacy Media: (T)

As you can see, removable media encompasses a large group of storage technologies, which is why some people have difficulty understanding what is meant by the term. Adding to some of this confusion is the function that removable media serves. There are a few different applications for removable media, including:

• Backup storage for files on PCs, laptops and servers
• Additional storage space for PCs and laptops
• A bootable Live Operating System
• A bootable installation media such as Windows and Linux

There are many reasons why removable media might be required in your business environment, and there are valid reasons why you might allow such devices on your network. However, as with most technologies, there are risks involved. The following information will seek to detail the potential risks, as well as some techniques that will help you to minimize your company’s risk of exposure to the dangers that are associated with removable media. This information needs to be passed onto your users via the following methods, with which we go into more detail towards the end of the article. They are:

• Initial user training and IT policy explanations
• Periodic refreshers
• A concerted ongoing awareness campaign from the IT department
• Newsletters and company-wide email reminders

We encourage you to visit infosecinstitute.com/iq to learn more about how you can gain certification in the field of computer forensics, network security, penetration testing and much more.

[Free] Marine Lowlifes Campaign Kit

You don’t need an unlimited budget or dozens of hours to create a truly engaging security awareness campaign. You just need the right resources and a playbook.

[Download] Free Security Awareness Kit

What are the risks involved with using removable media?

There are many advantages to using removable media, chief among which is the quick and convenient means by which users can copy, transfer and backup data. This same ease of use and convenience is part of the problem with removable media, however, as malware and viruses are able to easily replicate and distribute themselves to unprotected removable storage devices that are not write-protected. Here are some other risks that removable media can expose your company to, if not managed properly:

• Data Security
• Malware Infections
• Copyright Infringement
• Hardware Failures

Data security

Any time that an employee copies sensitive data to removable media such as a thumb drive or CD, there is a risk of that data being accessed by unauthorized personnel.   One such case occurred in 2012 when a detective in Manchester, England had his house burgled. His USB stick containing the details of over 1000 individuals relating to investigations was stolen during this incident. Greater Manchester Police was then fined over £120,000 ($155,000 at today’s exchange rate) following an investigation of the incident. So we can see that there are real financial implications for such occurrences because of the seriousness of data security breaches.

It is important to remember that once a device is no longer in your possession, you have no control over the data or who has access to it. Confidential information can then be transmitted to other parties, or posted online for all to see. There are some devices and software applications that encrypt data on your device or media, giving you an added layer of protection in the event of your device getting lost or stolen.

Malware infections

Malicious software, or malware, is a major problem for modern businesses. Malware is able to spread via removable media, and it is risky to use such media if the source cannot be identified .One such example is a recent study that has shown that as many as half of the USB sticks that are picked up in parking lots of business properties are then plugged into the user’s   computer once they get inside their offices. This means that any malicious software that is on the USB drive can then infect the company network. Rewriteable CDs, DVDs, and BluRays are all capable of delivering a malicious payload if autorun is enabled on a desktop PC, laptop or server, so having an up to date antivirus application is essential for businesses to ensure the continued safety of their network.

Media failure

Removable Media is inherently risky as a primary storage solution, and for many reasons. Due to the low cost and high production quantities of the different media types and devices, some may have shorter life spans than others. It is therefore really important for users to understand the importance of storing sensitive, important and confidential information safely and securely on the organization’s file server or NAS device. This is so that in the event of media failure, loss, theft or damage, then the data that is lost on the media is at least backed up to another source. 

How do you set up a removable media policy?

Outline

As with all policies that get introduced into an operational environment, there are certain parameters that need to be explained inside a policy document. You need to have a clear outline at the beginning of the document that explains the vulnerabilities of the company’s network, as well as the perceived risks that are associated with the use of removable media within your company.

Purpose

The next step is to clarify the purpose of your of your policy document. Here, you will explain what you wish to accomplish by having this policy in your environment, so that users can understand what you are safeguarding by implementing these regulations. This is a great opportunity for you to encourage users to contact the IT department with any queries or concerns that they might have.

Scope

You want to explain what it is that you are covering in your removable media policy, so a scope is essential so that users understand exactly what is covered and what is not. Make sure that you explain that removable media is the subject of the document, and make sure that you include explanations and definitions for them reference.

Policy overview

Now for the meat of your document, the actual policy is outlined here. You can explain when removal media can be used, and when it cannot. You must explain what data can be stored on such media, and how it must be copied. This is a good opportunity to explain anything from how to encrypt the information on the removable media, to how users must scan the media before it can be opened on their workstations. If you have any exceptions or exclusions that might cancel certain parts of your document, then now is a good chance to mention it.

Non-compliance

For this part, you will need some input from your manager as to what the repercussions are for anyone that fails to follow the procedures correctly. These must be explained in detail so that there is no confusion about the seriousness of such an offense.

Glossary

This section is where you will explain in detail some of the terms that you have mentioned throughout the document. It is important to remember that users in your organization might not be as familiar with the technical references as you are, so be sure to explain your definitions and terms in a clear and concise manner.

As with all IT security related matters, the importance of removable media as a  needs to be driven by the IT policy documentation so that everybody in the company has a clear and accurate picture of what is considered safe and acceptable usage of removable media. This means that initial training needs to be clear and concise so that all employees know about the potential security risks associated with removable media.

Other than increasing user awareness and training, the IT department can consider other avenues, such as:

• Disabling autorun on your optical drives and USB drives. This prevents some instances of malware from launching themselves automatically when connected to your system.
• Restrict removable media. This is not always possible, but only allowing specific devices and media to be used together can minimize your chances of infection.
• Use a standalone virus scanning PC. This has been mentioned previously, but it is worth talking about again. This is an effective solution that will isolate any malware from your network, allowing the removable media to be disinfected before in can propagate further onto your LAN.
• Ban removable media. Again, this is not easy to monitor, implement or enforce, but if you have a directive from your superiors, then this is one of the most effective method of avoiding a malware or virus outbreak from removable media within your organization.
• Continue to educate and inform your users. As we highlighted earlier, keeping the staff members in your organization aware of potential threats that may come from removable media is really important. There are many avenues for you to explore such as awareness campaigns and informational resources that you can make available to all of your company’s different departments. If you navigate to / you can find some great articles to help you gain a further understanding on the subject of removable media security. We also have some in depth training material over at https://www.infosecinstitute.com/iq for you to get started on, and best of all, it’s free to use.

We offer a wide range of network security related courses for IT professionals. If you have any queries please feel free to contact us here and we will be happy to assist you further.

What is the true about using removable media?

What is removable media that you find?

What can be found in removable devices?

What is the most common type of removable media?