Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Division of the Software Engineering Institute. Earlier this year, we released the report Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources. In this report, we discuss the challenges universal serial bus (USB) flash drives present to organizations, especially those concerned with protecting their intellectual property.

Malicious insiders' intent on stealing organizations' sensitive information will look for any way to remove the information from systems, including the use of USB removable media. USB removable media is inexpensive, easy to conceal, and offers massive amounts of storage in a small package. Organizations need to better understand how to audit and restrict the use of these devices.

Organizations must know where their sensitive data lives before mitigation strategies can be used to protect it. Data may reside on servers, workstations, laptops, and mobile devices. Each of these devices is a potential exit point for sensitive data and must be included in the organization's overall risk assessment. Once an organization understands where its data lives, who has authorized access to it, and the possible exit points, mitigation strategies can then be implemented to mitigate the risk of the unauthorized data exfiltration.

In this report, we explore how Microsoft Windows operating system controls can be used to control and audit the use of USB removable media. We also look at an open-source tool for identifying where sensitive data lives. Finally, we discuss the importance of a security information and event management system for analyzing and correlating events to help paint a bigger picture of what is happening in the organization's information systems.

We are interested in hearing your feedback on this control. If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.