Archive

Posts Tagged ‘ssys’

Review of FIPS certification newsworthy

January 15th, 2010

Recently there have been a lot of stories involving the security flaws of some high-profile encrypted flash drives. Some follow-up articles have claimed the initial news to be nothing more than FUD (Fear, Uncertainty, Doubt) stories, an attempt to influence public perception with negative information on what is essentially a nonstory.

We, however, disagree. If there is a security flaw in what is supposed to be a secure flash drive, one certified by the U.S. government and used for sensitive data, this is extremely newsworthy. The fact that these drives are FIPS certified only increases the story's newsworthiness.

Many government agencies are required to purchase FIPS validated/certified products. This requirement is based on the belief that if a device is FIPS certified, it is secure enough for sensitive government information. While FIPS only validates the cryptographic functionality of products, there may be additional security aspects reviewed in the future (Common Criteria, for example). NIST’s stance, that they are “actively investigating whether any changes in the NIST certification process should be made in light of this issue”, may indicate that they also need to review items that have traditionally been treated as out of scope from a FIPS standpoint but are certainly security relevant. One example would be a review of the cryptographic boundaries of security products.

Data Security, Government

Central management key to securing USB devices

January 13th, 2010

One of the lessons that can be drawn from last week’s massive flash drive recall is the importance of central management.  Right now many organizations are scrambling to retrieve their formerly secure flash drives from all over the globe.  Little thought has gone into things like patch management, because thumb drives have not been treated the same way as other information assurance products.  That may change after this incident.

Kanguru Remote Management Console allows Kanguru’s Secure USB Drives to be updated remotely anywhere in the world. Not only can you modify the security settings and password requirements, but the device firmware itself can be updated without physical possession of the drive. Audit logs keep track of which devices are up to date and which are out of compliance. Administrators can even create automated actions to disable drives that have not checked in for updates within a certain period of time.

Central management is key to lowering the overall cost of ownership when you factor in costly compliance issues and helpdesk support.  Now we can add security updates to the list of cost savings.

Data Security, Malware, Portable Storage

Kanguru defends against widespread security flaw

January 6th, 2010

Several high-profile Secure USB Flash Drives have been in the news this week due to a security flaw that could allow hackers to unlock the encrypted data. The Kanguru Defender family of encrypted flash drives is not susceptible to this method of attack. For more information, see our recent announcement or contact Kanguru directly if you have any specific concerns.

Kanguru Defender and Defender Elite use a secure hardware encryption processor to perform all password checks.  Software hacks are ineffective against this type of security.  The encryption chip itself is protected from physical tampering as well.

Data Security, Malware, Portable Storage