A USB drive from Heathrow Airport, found on a London street in late October, contained confidential information about accessing restricted areas at the airport and security measures used to protect the Queen. The drive also contained a timetable for anti-terrorism patrols at the airport and documentation of the ultrasound system used by Heathrow security to check perimeter fences and runways for breaches. The data was not encrypted, and the London resident who found it turned it over to a newspaper reporter.
How cybersecurity impacts physical security
The incident highlights a number of issues for security professionals. One is the interrelated nature of cybersecurity and physical security, and how a failure of one can directly impact the other. Another is extending cybersecurity outside the firewall, considering the inherent risks of USB drives and the need to manage “endpoint security,” such as restricting access to a system’s USB ports.
An important security failure in the case of the Heathrow incident was lack of encryption of the USB drive, says Ruben Lugo, Product Marketing Manager at Kingston Technology, which provides a line of USB drives with hardware-based encryption.
“If you block out all the USB ports, it can restrict productivity, and employees are not as efficient as they should be,” says Lugo. He says companies should be using more encrypted USB drives to combine the productivity advantages of allowing USB access while protecting the information on the drives.
Data protection regulations
Protection of data – whether inside the firewall or outside – is increasingly important in an age of greater cybersecurity regulation. The European Union's General Data Protection Regulation (GDPR) creates new safeguards and requirements for protecting personal data, with a compliance deadline of May 25, 2018, after which noncompliance can result in expensive fines.
|A disgruntled employee used a USB drive to steal banking information for 30,000 people, as published by Tom Brant in: “Report: FDIC Employees Caused Repeated Security Breaches,” PC Magazine, July 15, 2016|
Regulations also include New York State's 23NYCR500 cybersecurity requirements that financial services companies protect customer information and related IT systems. The New York regulation requires each company to assess its specific risk profile and design a programme to address its risks, ensuring the safety and soundness of the institution and protecting customers.
Providing a cybersecurity tool, Kingston highlighted its hardware-based encrypted USB drives at the recent ASIS show in Dallas. A USB drive with hardware-based encryption is self-contained and doesn’t require a software element on the host computer. No software vulnerability eliminates the possibility of brute-force, sniffing and memory hash attacks. Digitally signed firmware cannot be altered, and there is a physical layer of protection, too. The drives come in epoxy-dipped/filled cases that prevent access to the physical memory. In contrast, a USB drive with software encryption uses software that runs on the host computer and is vulnerable to attacks.
The use of AES 256-bit encryption with SSD mode ensures that anyone who finds a USB drive, such as the man in London, cannot access the information. The drive wipes itself clean after 10 attempts to guess the password.
“Encrypted drives are not complicated,” says Lugo. “They are a simple solution that anyone can implement.” Kingston’s encrypted USB drives are priced between $40 and $600, depending on the capacity and covering needs ranging from a small business owner to military- and government-grade products. Kingston also provides products for use inside the firewall, including business and enterprise solid state drives (SSDs), offering high density and extreme performance, and embedded memory products providing performance and flexibility.