In 1986 IBM introduced the 3.5 inch floppy disk with 1.44 megabytes of storage space. A big step forward over its predecessor, the flimsy 5.25 inch floppy. Fast forward 20 years or so and we have USB thumb drives that can hold over 350 thousand times more data.
USB drives are small; inexpensive, portable and have massive storage capacity. Small wonder they are immensely popular with IT workers to store and transport files from one device to another. Unfortunately, these same characteristics make USB drives appealing to attackers. Nor is it just thumb drives that poses significant risks to an organisation, SD cards, portable hard drives and even mobile phones plugged in by employees can cause harm.
THE DANGERS OF PORTABLE MEDIA:
Portable media is designed to be small and compact and is easily lost or stolen. A commonly encountered problem that organisations face.
SOURCES OF INFECTION
USB products can be plugged into a device and automatically load malware such as viruses, key loggers, ransomware, rootkits, Trojans and backdoor access. These drives can be left in public spaces, where they will be picked up and used by the unwary or plugged into unprotected workstations. In one experiment, researchers from the University of Illinois left nearly 300 unmarked USB flash drives around the University campus; half of which were plugged into a host device.
Attackers have even targeted large manufacturing companies and supply chains to infect new storage devices coming to market, such attacks are a serious concern for those organisations that rely on these products.
When attackers physically access a computer system, they can download sensitive data directly onto the storage device. When turned off, a computer's memory is still active for several minutes without power. If an attacker plugs a USB drive in, during that time, they can quickly reboot the system from the USB and copy the computer's memory - including passwords, encryption keys, and other sensitive data. Victims may not even realize that their computers have been attacked.
HOW TO MITIGATE THE PROBLEM OF REMOVABLE STORAGE
To automatically scan external storage devices for harmful malware before use. Keep anti-virus software updated to identify and sanitise the latest threats.
To prevent malicious code on an infected item from opening and running automatically.
PERMIT ONLY PRE-APPROVED USB DRIVES
Purchase from reputable vendors and do not permit any others to be plugged into the work environment by using an Acceptable Use Policy and signage to reinforce this important message.
USE MOBILE CHARGING STATIONS
Discourage staff from charging mobile phones at company work stations. Who knows what is being synchronised or downloaded? In highly sensitive environments, it is not uncommon to forbid the use of mobile phones and smart watches altogether.
Some of the more secure versions of encrypted USB drives will also erase data when an incorrect password is entered multiple times. AES encryption is widely considered unbreakable.
Staff should identify sensitive data and avoid storing such information on portable media. It is also important to train staff to recognise how users are socially engineered to plug in USB drives and the importance of scanning media before use. Of course, the effectiveness of any security awareness program needs to be measured and validated. For example, you could drop any number of USB devices across your organisation to see how many are handed over to IT support for investigation and disposal.
Systems that contain sensitive or critical data need to be protected. As such, the placement of such devices should be carefully considered as should the obstacles put in place to deny or deter access. Fences; gates, manned reception points, turnstiles, locked doors, screened offices, signage, procedures to lock or shut down terminals - all require consideration.
The most sophisticated thumb drives are designed to act like any other input device such as a keyboard or mouse. In these circumstances, anti-virus software and disabling auto run will still struggle to detect malicious behaviour. Because of this, every organisation should seriously consider whether the benefits of using portable media outweigh the security risks they pose. After all, there are other means of sharing files between work colleagues.