Download PDF version Contact company

A USB drive from Heathrow Airport, found on a London street in late October, contained confidential information about accessing restricted areas at the airport and security measures used to protect the Queen. The drive also contained a timetable for anti-terrorism patrols at the airport and documentation of the ultrasound system used by Heathrow security to check perimeter fences and runways for breaches. The data was not encrypted, and the London resident who found it turned it over to a newspaper reporter.

How cybersecurity impacts physical security 

The incident highlights a number of issues for security professionals. One is the interrelated nature of cybersecurity and physical security, and how a failure of one can directly impact the other. Another is extending cybersecurity outside the firewall, considering the inherent risks of USB drives and the need to manage “endpoint security,” such as restricting access to a system’s USB ports.

An important security failure in the case of the Heathrow incident was lack of encryption of the USB drive, says Ruben Lugo, Strategic Product Marketing Manager at Kingston Technology, which provides a line of USB drives with hardware-based encryption.

“If you block out all the USB ports, it can restrict productivity, and employees are not as efficient as they should be,” says Lugo. He says companies should be using more encrypted USB drives to combine the productivity advantages of allowing USB access while protecting the information on the drives.

Data protection regulations

Protection of data – whether inside the firewall or outside – is increasingly important in an age of greater cybersecurity regulation. The European Union's General Data Protection Regulation (GDPR) creates new safeguards and requirements for protecting personal data, with a compliance deadline of May 25, 2018, after which noncompliance can result in expensive fines.

A USB drive containing sensitive data for patients went missing from a hospital ER
A disgruntled employee used a USB drive to steal banking information for 30,000 people, as published by Tom Brant in: “Report: FDIC Employees Caused Repeated Security Breaches,” PC Magazine, July 15, 2016

Regulations also include New York State's 23NYCR500 cybersecurity requirements that financial services companies protect customer information and related IT systems. The New York regulation requires each company to assess its specific risk profile and design a programme to address its risks, ensuring the safety and soundness of the institution and protecting customers.

Hardware-based encryption

Providing a cybersecurity tool, Kingston highlighted its hardware-based encrypted USB drives at the recent ASIS show in Dallas. A USB drive with hardware-based encryption is self-contained and doesn’t require a software element on the host computer. No software vulnerability eliminates the possibility of brute-force, sniffing and memory hash attacks. Digitally signed firmware cannot be altered, and there is a physical layer of protection, too. The drives come in epoxy-dipped/filled cases that prevent access to the physical memory. In contrast, a USB drive with software encryption uses software that runs on the host computer and is vulnerable to attacks.

The use of AES 256-bit encryption in XTS mode ensures that anyone who finds a USB drive, such as the man in London, cannot access the information. The drive wipes itself clean after 10 attempts of guessing the password.

“Encrypted drives are not complicated,” says Lugo. “They are a simple solution that anyone can implement.” Kingston’s encrypted USB drives are priced between $40 and $600, depending on the capacity and covering needs ranging from a small business owner to military- and government-grade products. Kingston also provides products for use inside the firewall, including business and enterprise solid state drives (SSDs), offering high density and extreme performance, and their server premier DRAM memory products providing performance and flexibility.

To learn more about Kingston, please visit www.kingston.com 

Download PDF version Download PDF version

Author profile

Larry Anderson Editor, SecurityInformed.com & SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SourceSecurity.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SourceSecurity.com's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.

In case you missed it

Anviz Global expands palm vein tech for security
Anviz Global expands palm vein tech for security

The pattern of veins in the hand contains unique information that can be used for identity. Blood flowing through veins in the human body can absorb light waves of specific wavelen...

Bosch sells security unit to Triton for growth
Bosch sells security unit to Triton for growth

Bosch is selling its Building Technologies division’s product business for security and communications technology to the European investment firm Triton. The transaction enc...

In age of misinformation, SWEAR embeds proof of authenticity into video data
In age of misinformation, SWEAR embeds proof of authenticity into video data

The information age is changing. Today, we are at the center of addressing one of the most critical issues in the digital age: the misinformation age. While most awareness of thi...

Quick poll
What is the most significant challenge facing smart building security today?