The dangers of USBs and how to protect your organization
At around three centimetres in length and weighing less than 30 grams on average, the USB flash drive would appear to be a relatively innocuous storage device, but losing or inserting an unknown USB into a personal or company computer could have devastating consequences.
With over 22,000 USB sticks being left in the pockets of clothing sent to Britain’s dry cleaners alone last year, we thought it valuable to outline the dangers of the simple USB and how individuals and organizations alike can protect against the potential cyber weaknesses they can bring about.
USBs can be easily hacked or repurposed
If a USB manufacturer hasn’t protected the firmware (the permanent software that controls the ‘communications’ function of the USB) in its devices, and many don’t, criminals can reprogram or reverse engineer it to hold malware capable of compromising computer systems. You don’t have to look far on the Internet to find complete USB kits designed to steal security credentials and critical information just from plugging the device in. A hacked or reprogrammed device can imitate a keyboard to issue commands, mimic a network card and redirect a company’s internet connection by changing the DNS, or infect a computer’s operating system prior to booting up.
The effects of this on an organization can be disastrous: such a device can steal the contents of anything written to the drive while spreading malware through multiple computers on the same network. Clearswift’s own 2013 research ‘The Enemy Within’ revealed that 83% of organizations had suffered some form of data security incident. Over a third of these security threats were a result of employee misuse of USB or storage devices to save company data, making them a data loss threat that cannot be ignored by individuals or organizations.
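A defender-side check for the keyboard and network-card impersonation described above, as an added example that is not part of the original article: it parses the interface modalias strings Linux exposes under /sys/bus/usb/devices and flags a supposed flash drive that also enumerates as an input or communications device. The sample strings and their vendor/product IDs are constructed.

```python
import re

# USB-IF base class codes carried in each interface descriptor.
HID, MASS_STORAGE = 0x03, 0x08
COMMS = {0x02, 0x0A, 0xE0}  # CDC control, CDC data, wireless controller

# Interface modalias as Linux exposes it under /sys/bus/usb/devices/*/modalias.
MODALIAS = re.compile(r"ic([0-9A-Fa-f]{2})isc([0-9A-Fa-f]{2})ip([0-9A-Fa-f]{2})")

def interface_triples(modaliases):
    """Extract (class, subclass, protocol) from each interface modalias string."""
    triples = []
    for line in modaliases:
        m = MODALIAS.search(line)
        if m:
            triples.append(tuple(int(x, 16) for x in m.groups()))
    return triples

def review_flash_drive(modaliases):
    """Findings for a device the user believes is a plain flash drive."""
    triples = interface_triples(modaliases)
    classes = {c for c, _, _ in triples}
    findings = []
    if HID in classes:
        kind = "boot keyboard" if (HID, 0x01, 0x01) in triples else "HID input device"
        findings.append(f"enumerates as {kind}: can issue keystrokes")
    if classes & COMMS:
        findings.append("enumerates a communications interface: may act as a network adapter")
    if MASS_STORAGE not in classes:
        findings.append("no mass-storage interface present")
    return findings

# Constructed sample data (vendor/product IDs are placeholders).
PLAIN_DRIVE = ["usb:v1234p0001d0100dc00dsc00dp00ic08isc06ip50in00"]
COMPOSITE = [
    "usb:v1234p0002d0100dc00dsc00dp00ic08isc06ip50in00",  # mass storage
    "usb:v1234p0002d0100dc00dsc00dp00ic03isc01ip01in01",  # HID boot keyboard
]
NIC_ONLY = ["usb:v1234p0003d0100dc00dsc00dp00ic02isc06ip00in00"]  # CDC Ethernet

if __name__ == "__main__":
    for name, dev in [("plain", PLAIN_DRIVE), ("composite", COMPOSITE), ("nic", NIC_ONLY)]:
        print(name, review_flash_drive(dev) or "storage only")
```

An empty result means the device exposes mass storage and nothing else; any finding is a reason to treat the device as untrusted and keep it off production machines.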
Losing a USB means more than the inconvenience of losing data
Amongst cyber criminals, personal data is a commodity growing in value. Even seemingly worthless data can be used to piece together a profile of an individual which can then be used against them. The technique is known as social engineering, and anything from social media addresses and phone numbers to which bank an individual is with can be used to create a false source that appears both convincing and trustworthy. With the rise in social engineering, losing any type of data, even the most nondescript, could for example mean being contacted by someone posing as an employee from a bank requesting an immediate transfer of savings.
The Internet of Things
Having an internet connection redirected or a keyboard issue rogue commands might be the least of an individual’s worries. The Internet of Things (IoT) has very much arrived; anything from a fridge to a car can now be connected to home computers, meaning that more and more devices can potentially be hacked, reprogrammed and commandeered.
As everything in our lives becomes increasingly connected, cybercriminals gain more ways in which to exploit weaknesses in technology and steal our personal data. Inserting an unknown or hacked USB into a computer has never before had such far-reaching consequences.
In a recent social experiment carried out in Chicago, 200 USB sticks were dropped in public places. In around one out of every five instances, a member of the public picked up the dropped USB and plugged it into a device. These individuals then proceeded to open documents and folders on the unknown USB, which, had it been programmed with ill intent, could have had far-reaching, damaging consequences. Even with the number of high-profile data breaches on the rise, individuals still do not understand the potential risk of misusing a USB flash drive. This has made USBs a major tool for cybercriminals aiming to steal personal or corporate data.
It’s therefore not surprising that – whether malicious or accidental – the greatest threat to any organization’s data security comes from removable storage devices / USBs. This comes before employees not following data protection protocol and using unauthorized devices at work.
How to protect your data:
- Common Sense: to put it simply, no matter how tempting it may be, you should not insert an unknown USB into a device that contains any of your own or your company’s data. Actually… do not use an unknown USB. Period.
- Critical Information Protection at the Endpoint: have an endpoint solution to protect your critical information. Clearswift’s Critical Information Protection (CIP) Management Server and Agent control where sensitive data is located and how it is used on endpoint devices, such as USBs. This ensures that critical information can be controlled when transferring data between corporate and personal devices, including via USB sticks and iPhones.
- Adaptive Data Loss Prevention: be proactive. Know what your critical information is and protect it. Clearswift’s Adaptive Data Loss Prevention (A-DLP) encrypts your sensitive data if an employee tries to send it in an email and redacts it if they try to upload it to a website. If an employee attempts to copy the information to a USB stick, that information is blocked and prevented from leaving your organization’s servers.
Ask yourself these questions...
- How many USB storage devices do you have?
- How many of them have company critical information on them?
- Is the device or the information encrypted? How many have you lost or given away?
- How many have you gained ‘for free’, including those picked up from the last trade show?
Now multiply that by the number of employees in your organization and you can see it is time to take the USB threat seriously – and keep your critical information safe.