Has anyone come across the U3 USB memory device and does anyone have any views on the threats this might pose to corporate networks?

USB 3 presents a set of challenges for both managers and auditors in so far as it comes with a "Launchpad" and a set of user preferences that allow software applications to be readily installed on the USB and execute on insertion in your business PCs, unless you have the USB port locked down, glued or removed.

This means that with software on USB 3s that has not been not authorized by the business, it is possible to extract data from your systems and/or create damage to your systems when plugging in USB 3 devices.

Would end users do this? YES, in some cases it happens unwittingly, in others, via malicious intent where they can see leveraged opportunity in selling off or stealing your data.

BUT, not only can this occur via USB 3, but the same sort of hacker software can be installed on USB 2 and USB 1.1 devices. This too represents significant problems for auditors. There are a very wide range of hacker tools that are freely available that can be loaded to any USB to achieve this. If you know what they are called they are very easy to locate!

There are well over 8B USB devices in the marketplace now according to industry (marketing) statistics, and they are selling at the rate of 2B to 3B per year at present!

I have an independent risk whitepaper on USBs that I can make available at the email link below if you are interested in finding out more, about the areas of risk with USBs.

In terms of USB devices, don't forget laos that the iPod is now USB capable as a risk. These now come with 80GB to 120GB of data storage area and with drag and drop capabilty via Windiows interfaces, they can quite easily extract your data from the system while the desktop user is quite happily listening to music without interference. This presents an unseen risk from many sites as they aren't aware of this issue.

A good starting point for any organization is to have a strong Acceptable Use Policy for USB devices, and then this gives the auditor something against which to audit, and police.

If you don't have an AUP for USBs. we offer a free Acceptable Use Policy for USBs that can be tailored to suit your own organization needs and requirements. Contact me at

Only registered users can see links on this forum! Register or Login on forum!

for your copy along with the free independent whitepaper on USB risks.

Auditors need to pay a LOT MORE attention to the risk of using USBs in their organization, as we have seen so far that these are not well understood and the consequences can be quite severe if not managed and audited correctly.