USB Security Risks to All Companies

Now that we’ve covered phishing, in this next set of blogs we’re going to start looking at some of the other methods hackers use to compromise systems, along with protective controls that you can implement to keep yourselves safer. In this blog, we’ll explain the risks associated with using USB or flash drive media.

Bullet Point Summary

  • Hackers can infect a USB or flash drive.
  • Hackers can now go even further and infect the firmware of a USB drive, where antivirus can’t see the infection.
  • Hackers can take complete control of your computer via malware on a USB drive. USB drives are a direct access point to your computer and network.
  • Disable USB capability for all employees.
  • If USB capability is not disabled for everyone, then disable it for most employees and identify exceptions. But wherever possible, disable USB.
  • For any exceptions, use only trusted USB devices.

USB Drives

We’ve all used USB drives.  They’re perfect for sharing documents.  They’re perfect for storing presentations to take to another computer.  They’re perfect for storing files, pictures, music, etc.  But these devices are also perfect for hacking.

Hacking

Just as they store files, USB drives can also store executables, which means they can store malware. USB drives can be used to open a backdoor (remote access to your device) or to bring your computer and network down, among many other things. A USB drive is the perfect tool for a hacker because it gives direct access to the computer and network, more so than almost all other mechanisms.

BadUSB

Furthermore, a few years ago, researchers identified a new type of attack vector involving USB firmware. Firmware on your computer, loosely speaking, helps the computer start up properly when the power button is pressed. It turns out that USB drives also have firmware, the same as your computer. The problem with firmware is that antivirus doesn’t scan it; antivirus can only scan software and apps. So even with effective antivirus software enabled, it doesn’t matter, because it can’t see the firmware. And with this new attack vector, it was identified that a USB drive’s firmware could be infected with malware. As security professionals, we assume that antivirus can only identify about 1/3 of the viruses out there. When we also take into account that antivirus could potentially not identify any of what’s on a USB drive, this device becomes one of the biggest security threats.

Data Loss

Other risks are more internal and involve theft of company resources. This could mean removing financial data, customer data, or other proprietary data. The problem in this area is that taking data offsite on a USB drive might have been a legitimate action originally, but later, after a termination or resignation, the data is still out there, exposed. Other cases would be when employees purposefully take information out of the company’s network. USB drives are just too easy to use for this type of activity.

Testing

As penetration testers, we perform what we call USB drop attacks, where we drop a USB drive somewhere at a company’s location, either onsite or in the parking lot. Industry statistics vary; however, we at Secure Guard Consulting assume that 45% or more of all USB drives dropped will eventually be connected to a company’s network. Reasons for this vary, but curiosity plays a very big role.

What Can We Do?

It’s important for companies to understand how dangerous USB drives can be. For most employees and computers, USB drives should be disabled. If exceptions are identified, they should be documented, and for any potential exceptions, it’s important to lock down which USB drives can be used, either by policy or via some data loss prevention tool. Those with exceptions should only use known USB drives that don’t go outside of the company’s network (not to anyone’s home or to another customer). USB drives present significant risk to a company and should be disabled as much as possible.
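One way to verify that only the documented exception drives are actually being connected, shown as an added example (not code from Secure Guard Consulting): a Python audit of USB mass-storage attach events in Linux kernel log lines against an approved list. The log lines, serial numbers, `APPROVED` list and function name are constructed for illustration.

```python
import re

# Constructed sample kernel log lines (Linux dmesg style); all values are made up.
SAMPLE_LOG = """\
[ 101.10] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 101.11] usb 1-2: SerialNumber: EXAMPLE0001
[ 101.12] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 250.40] usb 1-3: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[ 250.41] usb 1-3: SerialNumber: EXAMPLE9999
[ 250.42] usb-storage 1-3:1.0: USB Mass Storage device detected
[ 300.00] usb 1-4: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[ 410.70] usb 1-5: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 410.72] usb-storage 1-5:1.0: USB Mass Storage device detected
"""

# Documented exceptions: (vendor id, product id, serial) of company-issued drives.
APPROVED = {("0781", "5567", "EXAMPLE0001")}

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")

def audit_storage_attaches(log_text, approved):
    """Return one (port, vendor, product, serial, verdict) tuple per storage attach."""
    devices = {}   # port -> details of the device currently enumerated there
    results = []
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            # A new enumeration on this port replaces whatever was there before.
            devices[m.group(1)] = {"vid": m.group(2), "pid": m.group(3), "serial": None}
        elif m := SERIAL.search(line):
            if m.group(1) in devices:
                devices[m.group(1)]["serial"] = m.group(2)
        elif m := STORAGE.search(line):
            d = devices.get(m.group(1), {"vid": None, "pid": None, "serial": None})
            key = (d["vid"], d["pid"], d["serial"])
            # A missing serial can never match: model-only matching would approve
            # every drive of the same make, including one found in the parking lot.
            verdict = "approved" if d["serial"] and key in approved else "VIOLATION"
            results.append((m.group(1), *key, verdict))
    return results

if __name__ == "__main__":
    for row in audit_storage_attaches(SAMPLE_LOG, APPROVED):
        print(row)
```

The mouse on port 1-4 produces no row because it never attaches as mass storage; the drive on port 1-5 is flagged even though it is the same model as the approved one, because it reports no serial number.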

Author

This article was written by Kaushal Kothari, President of Secure Guard Consulting, LLC, a cybersecurity / IT audit and consulting company. Kaushal is a former FDIC IT examination analyst and certified ethical hacker with 15+ years of experience in the technology field.