The Dangers of Unsecured USB DrivesPosted 07-18-2013
The Dangers of Unsecured USB Drives
By Paul Hyman
Savvy CIOs have policies in place to protect their networks against infected USB flash drives. That’s because most IT professionals know the amount of damage that can be caused by plugging in such a device.
For instance, Stuxnet, one of the world’s most sophisticated cyberweapons, is said to have gained access to its target system through a USB drive that someone found.
Yet having policies—and making sure they are followed—can be two very different things.
In a recent study of 300 IT professionals—many of whom are security experts—conducted at the RSA Conference 2013, 78% admitted to having plugged in a USB flash drive that they’d found lying around. To make matters worse, much of the data discovered on those drives included viruses, rootkits and bot executables.
Similarly, the U.S. Department of Homeland Security ran a test to see how hard it would be for hackers to gain access to computer systems. Staffers secretly dropped USB flash drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60% plugged the drives into office computers, apparently curious to see their content. If the drive had an official logo, 90% were installed.
“Even with the knowledge of the potential outcome, curiosity can indeed kill the cat,” says Brian Laing, a security entrepreneur who had been a vice president at AhnLab, the IT security vendor which conducted the RSA Conference survey. “Policies are useful, but without enforcement, they are not a successful measure,” he adds.
In addition to infecting systems, USB flash drives—which have become the floppy disk of the modern era—are a particularly effective tool for sharing files and thereby stealing data and trade secrets.
An earlier survey of 743 IT and information security pros conducted by Ponemon Institute revealed that 70% have traced the loss of sensitive or confidential information to USB flash drives.
Indeed, whistleblower Edward Snowden reportedly used a USB flash drive to smuggle files out of the National Security Agency (NSA) despite policies against using the devices.
“The NSA could have installed USB port-blocking software to restrict and track usage of USB-connected devices,” says David Jevans, chairman of Marble Security and the Anti-Phishing Work Group (APWG). “Despite the NSA’s having a policy of not allowing these devices, they didn’t have the security software installed to prevent it or to restrict usage to secure devices.”
While such data losses can obviously occur when the devices get lost or stolen, 55% of the incidents in the Ponemon Institute survey were reported to be likely related to malware-infected devices that introduced malicious code into corporate networks.
But the fact that many people don’t follow USB policies is no reason not to have them, say security experts. Here is a checklist with the experts’ best suggestions for effective USB flash drive management:
· An important first step is to raise awareness among employees, says Sebastian Poeplau, resident USB expert at The Honeynet Project. “Most computer users aren’t aware that USB drives can impose a risk on their machine, so user education is essential.”
· File sizes have increased and e-mail doesn’t always allow for sharing large files. If you want to minimize or restrict employees from using USB devices, provide a good alternative way for them to share files internally.
· Restrict usage of USB flash drives to company-authorized devices. Not allowing employees to use USB flash drives from external sources at their work machines is the simplest method of avoiding malware that may come from infected PCs at home, at copy shops, and so on.
· Allow only USB devices that are connected to a remote management system that enables you to track usage and to lock the device or delete data from the device.
The Dangers of Unsecured USB Drives
· Some companies have dedicated machines or specifically trained employees who handle external USB drives in situations where it is necessary to carry data from the outside into the corporate environment. There are dedicated systems, often specialized Linux variants, that provide tools to scan USB drives without providing the typical attack surface themselves.
· Have a port-control solution installed on all of the enterprise’s computers that can access your network, says the APWG’s Jevans. This can prevent any non-authorized USB device from being used to copy data to or from your computers and network. In addition, allow only USB devices that have self-encryption that is always enabled. USB devices with hardware-based encryption are best because they cannot be disabled.
· Remember iPhones, iPads, and Android devices are USB-compatible and can store up to 64 gigabits of data. Make certain you are managing these devices.
· Consider incorporating Ghost into your malware defenses toolkit. Ghost is a malware detection component—freely available at http://code.google.com/p/ghost-usb-honeypot/—that simulates the connection of a USB drive. “If malware that propagates via a USB drive resides on a system,” says Christian Seifert, Honeynet Project CEO, “the malware will attempt to copy itself onto this simulated USB drive therefore allowing Ghost to raise an alert.”
The dangers that infected USB flash drives pose are, of course, not new. But, earlier on, the infections simply corrupted files or the drives, making them inoperable. Now, says Laing, with cybercriminals focused on financial gain, things are not so simple.
“Now infections can be super viruses or advanced persistent threats (APTs), and can do anything from collect biographical information on the user, locate files containing intellectual property [such as blueprints and credit card information], or do damage as Stuxnet did,” Laing explains.
It is impossible to stress enough the possible dangers that can occur when USB usage goes uncontrolled, says APWG’s Jevans.
Take, for example, the Conficker malware that infected more than 15 million computers and tens of thousands of corporations. The cause? An unauthorized USB flash drive that contained a worm that required a concerted global effort by SRI and many security companies to shut it down, recalls APWG’s Jevans.
“If the Conficker authors ever adapt their malware to iPhones or Androids,” Jevans says, “the epidemic that could occur could be staggering.”
About the Author
Paul Hyman is a freelance technology writer and editor. He was an editor-in-chief at CMP Publications (now United Business Media) and currently reports for such publications as Communications of the ACM, IHS’ Electronics360, and CRM Magazine. See an archive of some of his stories.