USB Drives and the risks they pose

You can attach almost anything to your computer using the USB port. A USB flash drive allows users to easily store and transfer data across USB-enabled devices. There’s no denying the convenience of USB media; from hard drives and flash drives, practically everyone uses them regularly. The simplicity with which data can be transferred from a secure network to an unsecured device raises some important red flags, relating to cyber security, for organizations.

As part of an organization’s cyber security paradigm, hardware (ISO Level 1) monitoring should be part of any security-conscious professional’s arsenal. Sepiocyber.com, for example, addresses security vulnerabilities introduced by physical hardware in the organization. Ensuring service continuity and data security by minimizing cyber risks and safeguarding the physical layer against criminal activity.

Risks Introduced by USB Devices

Organizations are especially vulnerable when sensitive data is stored on insecure USB flash drives by employees who use the devices to move data outside the office. The repercussions of losing disks containing such data can be severe, including the loss of client data, financial information, company strategies, and other confidential information, as well as the danger of reputational harm. This is a serious breach of regulatory compliance.

The loss of data can be exacerbated when employees carry around organizational or client data on USB drives for which no other copies exist. This means that, if the device is lost or stolen, the organization will have to deal with both a loss and data breach. The impact of such a loss can greatly impact an organization, especially if the data on the device was mission critical.

Another risk introduced by USB drives is Malware. This is far more common than frequent users of USB drives might like to admit. A computer that is infected with malware can propagate the malware to any clean USB thumb drive inserted into it, especially if the PC in question has the Auto-Run feature enabled. This feature executes any executable files in the drive’s root directory, making it ideal for malware propagation on MAC and PC.

Threat actors have gone so far as to create specialized USB devices that seem like legitimate USB drives. These devices hide technology that was engineered exclusively for malicious intent, however. A prime example of such a device is the so-called USB Rubber Ducky. Once inserted the USB Rubber Ducky injects keystrokes at superhuman speeds, breaking computers’ natural confidence in humans by masquerading as a keyboard. Without knowing the user has given a threat actor access to the organization’s network and that computer in particular.

How to Reduce the Risks

Following a few simple rules can greatly decrease the attack surface USB drives might introduce.

• Never insert an unknown USB drive into your computer. If you discover a USB drive, notify the proper authorities, such as your organization’s information technology. Do not connect it to your computer to read the contents or identify the owner.
• To protect your data, use passwords and encryption on your USB drive, and make sure you have a backup in case your drive is lost.
• Home USB drives should not be used on computers controlled by your employer, and USB drives containing corporate information should not be plugged into your personal computer.
• When USB drives are inserted into a drive, the Autorun function forces them to open immediately. You can prevent dangerous malware on an infected USB device from opening automatically by deactivating Autorun.
• Keep security software, such as anti-malware software up to date, along with any Operating System security updates
• Organizations are encouraged to utilize their Microsoft Tenant to subscribe to cloud storage solutions such as SharePoint, OneDrive, or the like. By applying the practice of zero trust sensitive documents can be secured from unwarranted access and backed up in real-time.

In Summary

Cyber security is not a one- or two-dimensional aspect of business, but rather a multifaceted machine that needs to be carefully planned and scoped for. Some organizations might expose themselves by underestimating the importance of what might seem to be, small and insignificant risks.