What is the difference, from a security perspective, between a USB Hard Drive and Flash Drive?

Question

Many corporate and government IT departments prohibit the use of USB Flash Drives (thumb drives, the little ones with no spinning disk inside), but allow and even endorse the use of USB Hard Drives (the ones with 2.5" or 3.5" hard drive inside).

What is the difference, from a security perspective, between these two devices? Why is one more or less secure than the other?

Answer 1

There is no difference

From your computer point of view, both disk are the same kind.

There are some little differences in how information is deleted, but it should not matter regarding prohibition.

A Flash Drive will usually have a smaller capacity, but if they were concerned about leaks, several gigabytes allow for losing a lot of information.

Maybe they just think that since a flash drive is smaller it will be easier to lose it while larger drives won't? That doesn't seem too reasoned.

Answer 2

There is no practical difference in terms of security (data exfiltration or infection possibilities) of the device internals as the other answers already noted.

One important factor not taken into consideration in your question is whether the organisations you mentioned encourage use of any device or only the units designated and provided by the IT department.

And these would typically be physically larger devices (containing 2.5 or 3.5 drives) what allows security department to put:

• a sticker with a sign "this device is allowed to be connected to company PCs" and rely on other users noticing exceptions and notifying security
• an RF tag that does not allow the device to pass the physical gates of a designated area
• a barcode or QR code that identifies the device and allows easier asset management which includes recording the fact of safe data deletion (while QR code could be put on a small pen-drive sized device too, it could likely become damaged by constant touching)

Answer 3

There's several reasons why an IT department might limit the use of external storage to a specific set of drives.

1. Ownership. The company owns the drive, which stays within the company and is used for work purposes. If an employee uses a thumb drive they also use for personal business, they may unintentionally infect a system. Where did the drive come from, did the employee get it at a trade show? Is it infected with something? Who knows. The company can make sure their supply chain is secure and typically be assured the drives they are using are secure.

2. Asset control. It's possible to whitelist certain devices while denying others (see https://serverfault.com/questions/368812/restrict-access-to-certain-usb-drives). In this case they can be assured that only the devices they control are used. In order to get a device the user may have to check out the drive, which leave an audit trail on paper, and also forensic details on the system of which drive was used to remove data.

3. Hardware security controls. Some drives come with hardware or software encryption built into them. The company may determine they want to use this in order to prevent unencrypted data from being accidentally leaked.

4. Device Quality. Thumb drives are a dime a dozen now and the don't always last that long. Imagine if a employee stores a ton of work on a thumb drive only to have it die on them. The drives the company buys may be of higher quality and be less prone to dying. What's to say a USB drive also may not damage the computer if it's built improperly.

Answer 4

The two concerns that IT departments have with flash drives are:

1. They are vectors of infection.
2. They can be used to exfiltrate data from the company's secure network.

Regarding infection, the size of the drive is unimportant. Either it has bad data on it or it doesn't. If you are talking about USB-specific attacks such as BadUSB, then all that matters is that the device uses a USB connector - it doesn't even need to be a drive. Keyboards, mice, and even USB cables can all be infected.

As far as taking data outside of the company, a smaller flash drive is perhaps easier to physically hide, but other than that, there is no difference.

My suspicion is that your IT department has implemented a set of policies that are a compromise between the security they want and the convenience their users want. I cannot say if the IT department did this intentionally or not.

Answer 5

It's silly logic, but they may consider flash drives to be a bigger risk because they're easier to lose.

Neither should be considered secure, unless they're fully encrypted.

Answer 6

Something that has not been covered is in case of disk failure (intentionally or not). Many companies/etc may dispose drives (USB or not) in many different ways. There is always a risk when disposing such devices, as some information may be recovered from them (that is why its important to nuke them in case they failed or --bleach-- them if you want to reuse them).

In that sense, it seems that recovering files from a flash drive or SSD drive is harder than conventional HDD drives. From that perspective, having a "SSD USB Drive" would be about the same as a "USB pen drive", but better than a spinning USB drive.

I agree that the main security risk is size, in which a small USB pen drive is a lot more easier to get lost (or keep track of) than a USB Hard drive.