As highly portable media, USB flash drives are easily lost or stolen. Several measures can be used to prevent the data on lost USB flash drives from being accessed by unauthorized users. Some of these measures, such as password-protected encryption, are used on other storage mediums such as floppy disks, hard disk drives, and CD-ROMs in an attempt to keep data from falling into the wrong hands. However, as history has shown, any method of preventing unauthorized access is only secure until it has been compromised.

In addition to securing on-board data, USB flash drives are increasingly being called upon to protect the environments in which they are used. In particular, USB flash drives have been used to transfer malware and autorun worms, usually unbeknownst to their owners, which can then infect and wreck havoc upon an otherwise secure network.

[edit] Encryption

All USB flash drives can have their contents encrypted using third party disk encryption software such as FreeOTFE and TrueCrypt or programs which can use encrypted archives such as ZIP and RAR. Some of these programs can be used without installation. The executable files can be stored on the USB drive, together with the encrypted file image. The encrypted partition can then be accessed on any computer running the correct operating system, although it may require the user to have administrative rights on the host computer to access data.

Other flash drives allow the user to configure secure and public partitions of different sizes, and offer hardware encryption.

Newer flash drives support biometric fingerprinting to confirm the user's identity. As of mid-2005^[update], this was a costly alternative to standard password protection offered on many new USB flash storage devices. Most fingerprint scanning drives rely upon the host operating system to validate the fingerprint via a software driver, often restricting the drive to Microsoft Windows computers. However, there are USB drives with fingerprint scanners which use controllers that allow access to protected data without any authentication.^[28]

Some manufacturers deploy physical authentication tokens in the form of a flash drive. These are used to control access to a sensitive system by containing encryption keys or, more commonly, communicating with security software on the target machine. The system is designed so the target machine will not operate except when the flash drive device is plugged into it. Some of these "PC lock" devices also function as normal flash drives when plugged into other machines.

[edit] Security threats

Flash drives present a significant security challenge for large organizations. Their small size and ease of use allows unsupervised visitors or unscrupulous employees to smuggle confidential data out with little chance of detection. Equally, corporate and public computers alike are vulnerable to attackers connecting a flash drive to a free USB port and using malicious software such as keyboard loggers or packet sniffers. To prevent this, some Antivirus software companies have designed specific applications to protect computers from the spread of malware via USB flash drives.

Also it is possible to run a solution that has been specifically designed to run from a USB flash drive. This kind of solution prioritises the protection of the USB flash drives and protects any sensitive data contained on USB flash drives from infected malware residing on any computer that the USB flash drive is attached to.

Alternatively some organizations simply forbid the use of flash drives altogether, and some computers are configured to disable the mounting of USB mass storage devices by ordinary users; others use third-party software to control USB usage. The use of software allows the administrator to not only provide a USB lock but also control the use of CD-WR, SD cards and other memory devices. With this added control those company's that have written policies against the use of USB sticks are able to enforce their policy. In a lower-tech security solution, some organizations disconnect USB ports inside the computer or fill the USB sockets with epoxy.

[edit] Security breaches

Examples of security breaches as a result of using USB drives include:

• In the UK:
  
  
  
  • HM Revenue & Customs lost personal details of 6500 private pension holders.
  
  
  • Nine NHS trusts lost patient records kept on disk; details of 1,500 students were lost in the post.
  
  
  • Details of three million British learner drivers were lost.
  
  
  
  

• In the United States:
  
  
  
  • A USB drive was stolen with names, grades, and social security numbers of 6,500 former students.
  
  
  • USB flash drives with US Army classified military information were up for sale at a bazaar outside Bagram, Afghanistan.^[29]