Whatever you call them — USB, thumb or flash drives — they hold a ton of data. (For the purposes of this discussion, we will refer to them as “USB drives.”) Their storage capacity has surpassed multi-gigabytes to the lofty terabyte realm.
One terabyte can store thousands of hours of music and videos, 500 hours of movies and more than 300,000 photos, as well as over a million 1-megabyte Word documents.
In fact, a USB drive was Edward Snowden’s preferred device for storage when he stole thousands of highly classified NSA documents, which he gave to reporters. Snowden didn’t have to burn up a copy machine and carry off the documents a few at a time. They all fit on a plastic-encased device the size of his thumb.
USB drives can also pose external threats
Most people would never pick up food lying on a parking lot pavement. However, hackers desiring front-door entry to corporate networks have littered employee parking lots with malware-laced USBs. Employees have been duped into picking them up and plugging them into their workstation computers.
When testing the foregoing, CompTIA researchers placed 200 unlabeled USB drives in cities throughout the United States. They dropped the drives in heavy foot-traffic areas to find out the number and identity of people who would pick them up and plug them in.
The results were that 20 percent (one out of five) users plugged in the rigged drives and opened files as well as clicked on strange web links and sent messages to a loaded email address. And this was just a security test. Read about the real thing in this ZDNet online piece.
Threats also come from “friendly” sources
In a recent incident, the American Dental Association inadvertently mailed malware-infected thumb drives to thousands of local dental offices. A code embedded in the USBs could gain control of a user’s Windows computer. The contamination, according to ADA, occurred “somewhere in the supply chain,” and only a fraction of the drives may have been infected.
Sensible practices for minimizing the USB threat
Does your company have a detailed, yet thoughtful, usage policy and sensible security procedures for USBs on the job? Somewhere between banning USB usage altogether and allowing sanctioned, limited use are the best practices for your company’s security posture.
Here are five general suggestions:
1. Limit your exposure by disabling USB ports on computers containing sensitive information. Make USB functionality on a strictly need-to-know/have basis. Issue USB drives that have full encryption and pass-phrase protection. Make sure your IT people can remotely wipe or lock the USB drives. Look for high-security products such as Iron Key.
2. Automatically run a USB scanning program on all company computers when the USB drive is plugged in. Permit no unauthorized applications to be run from any USB drive.
3. Audit your USB drives to ensure authorized use. Unannounced and random USB drive confiscation and scanning are the best tools to imprint security awareness among users. Inventory, add serial numbers, and record names of users. Ban all use of personal USB drives on work computers for any reason.
4. Do regular backups of your USB drives and include encryption keys so that the data can be recovered. Run a data recovery test to ensure that your IT security people can unlock and access any USB drive — even if user malfeasance or malware have disabled the drive.
5. Have a plan in place in the event someone loses a company USB drive. Procedures could include locating the drive through geotagging or simply wiping or destroying the device remotely.
Looking for help?
Alary Clinitech is the trusted choice when it comes to staying ahead of the latest cyber security and information technology tips, tricks and news. Contact us at (416) 291-7377 or send us an email at info@clinitech.ca for more information.