Policies are useful, but without enforcement, they are not a successful means of preventing malware invasions and the theft of business information.
By Paul Hyman
Savvy CIOs have policies in place to protect their networks against infected USB flash drives. That’s because most IT professionals know the amount of damage that can be caused by plugging in such a device.
For instance, Stuxnet, one of the world’s most sophisticated cyberweapons, is said to have gained access to its target system through a USB drive that someone found.
Yet having policies—and making sure they are followed—can be two very different things.
In a recent study of 300 IT professionals—many of whom are security experts—conducted at the RSA Conference 2013, 78% admitted to having plugged in a USB flash drive that they’d found lying around. To make matters worse, much of the data discovered on those drives included viruses, rootkits and bot executables.
Similarly, the U.S. Department of Homeland Security ran a test to see how hard it would be for hackers to gain access to computer systems. Staffers secretly dropped USB flash drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60% plugged the drives into office computers, apparently curious to see their content. If the drive had an official logo, 90% were installed.
“Even with the knowledge of the potential outcome, curiosity can indeed kill the cat,” says Brian Laing, a security entrepreneur who had been a vice president at AhnLab, the IT security vendor that conducted the RSA Conference survey. “Policies are useful, but without enforcement, they are not a successful measure,” he adds.
In addition to infecting systems, USB flash drives—which have become the floppy disk of the modern era—are a particularly effective tool for sharing files and thereby stealing data and trade secrets.
An earlier survey of 743 IT and information security pros conducted by Ponemon Institute revealed that 70% have traced the loss of sensitive or confidential information to USB flash drives.
Indeed, whistleblower Edward Snowden reportedly used a USB flash drive to smuggle files out of the National Security Agency (NSA) despite policies against using the devices.
“The NSA could have installed USB port-blocking software to restrict and track usage of USB-connected devices,” says David Jevans, chairman of Marble Security and the Anti-Phishing Work Group (APWG). “Despite the NSA’s having a policy of not allowing these devices, they didn’t have the security software installed to prevent it or to restrict usage to secure devices.”
While such data losses can obviously occur when the devices get lost or stolen, 55% of the incidents in the Ponemon Institute survey were reported to be likely related to malware-infected devices that introduced malicious code into corporate networks.
But the fact that many people don’t follow USB policies is no reason not to have them, say security experts. Here is a checklist with the experts’ best suggestions for effective USB flash drive management:
· An important first step is to raise awareness among employees, says Sebastian Poeplau, resident USB expert at The Honeynet Project. “Most computer users aren’t aware that USB drives can impose a risk on their machine, so user education is essential.”
· File sizes have increased and e-mail doesn’t always allow for sharing large files. If you want to minimize or restrict employees’ use of USB devices, provide a good alternative way for them to share files internally.
· Restrict usage of USB flash drives to company-authorized devices. Not allowing employees to use USB flash drives from external sources on their work machines is the simplest method of avoiding malware that may come from infected PCs at home, at copy shops, and so on.
· Allow only USB devices that are connected to a remote management system that enables you to track usage and to lock the device or delete data from the device.