It is becoming readily apparent that no organization is immune to the threat of open and unprotected USB ports. That includes the Department of Energy, which recently received a reprimand from the Office of Inspector General for failing to safeguard peripheral devices, including USB drives, leaving the agency susceptible to data theft.
Data breaches related to USB drives and other peripheral devices are on the rise. In fact, according to the Ponemon Institute’s Cost of a Data Breach Study, insider threats, along with hackers, are the leading cause of data breaches.
While one-third of insider incidents are malicious, the Ponemon Institute reported that two out of three insider threat incidents are caused by employee and contractor negligence. In other words, when an employee or contractor plugs what appears to be a harmless USB flash drive or other peripheral device into an open port, it can be the triggering event for an insider threat incident.
While insider negligence is certainly cause for concern, it was the ease with which a malicious attacker could penetrate the Department of Energy that concerned the OIG, which stated that a malicious user could, without much difficulty, make unauthorized changes to information technology peripheral devices and disclose sensitive information.
“The confidentiality, integrity, and availability of systems and data could be directly impacted by the vulnerabilities discovered by our test work,” the DOE inspector general said in a July 6 memo.
Flash Drives Long the Weapon of Choice
The vulnerability associated with open computer ports and USB flash drives is nothing new. In fact, the USB flash drive has long been the vehicle of choice for smuggling malware into facilities. Consider the infamous Stuxnet virus, which destroyed numerous centrifuges in Iran’s Natanz uranium enrichment facility in 2010 – setting back the country’s nuclear program by a decade or more. How was the virus smuggled into this highly secure facility? Through a USB flash drive, of course.
One would think that 10 years after Stuxnet, business and industry would universally be safeguarding their computers and networks by locking unused ports and appropriately securing ports that are connected to peripheral devices. According to a recent Honeywell study, though, that doesn’t seem to be the case. “Whether you call them USBs, flash drives, or pen drives,” says Honeywell, “it’s almost certain your teams are carrying these devices around – and that’s putting your industrial organization at risk.”
The Honeywell study, titled the USB Threat Report, was conducted at 50 industrial sites on four continents and led Honeywell to call USB flash drives a “security threat in disguise” and “malice in a pocket.” Why such grave descriptions? Because 44% of the industrial sites included in the study detected and blocked at least one malicious file that rode in on the back of a USB flash drive.
If that alone doesn’t sound your alarm, then consider this additional tidbit: 15% of those blocked threats were infamous malware packages, including Stuxnet, Trisis, Mirai, and WannaCry. Another 25% of the threats blocked would have caused “a major disruption to an industrial control environment,” according to the report.
Waiting for Disaster to Strike
So, why wait for disaster to strike? USB port locks, network module locks, LAN cable locks, and secure USB hubs for your attached USB devices are inexpensive devices that effectively thwart both malicious and negligent insiders. Sure, they’re not foolproof, but they are enough of a deterrent that the malicious attacker will move on to an easier target. It’s like the car thief who has to choose between two Lincoln Navigators, one of which is unlocked with the windows rolled down and the other of which is locked up tight with the little red security light flashing on and off. The thief will steal the first vehicle and bypass the second.
With port locks costing as little as $4 each – and the average cost of an insider incident, according to the Ponemon report, now at $11.45 million – it just doesn’t make good business or financial sense to allow your computer and network ports to be accessible to anyone with a thumb drive.
It’s your call. Keep the doors unlocked and the windows wide open or secure your cybersecurity perimeter. Which is it going to be?