The open front door of cybersecurity today consists of the physical points of connection and entry – the USB ports that dot our computers and data networks. The amount invested in protecting them is less than a rounding error in the $170 billion that Forbes Magazine estimates will be spent this year on cybersecurity, and yet their vulnerability has been amply demonstrated by the greatest cyberattacks thus far. Let’s not forget that the Stuxnet virus – which brought down Iran’s nuclear facility in 2010 and set back its program by at least 10 years – was delivered on a USB flash drive.
Use Caution with USB Drives
More recently, CISA Cyber-Infrastructure – a department of U.S. Homeland Security – re-released this advisory on November 15: Use Caution with USB Drives. Here’s some of what they wrote:
“Attackers can use USB drives to infect other computers with malware that can detect when the USB drive is plugged into a computer. The malware then downloads malicious code onto the drive. When the USB drive is plugged into another computer, the malware infects that computer.
“Some attackers have also targeted electronic devices directly, infecting items such as electronic picture frames and USB drives during production. When users buy the infected products and plug them into their computers, malware is installed on their computers.
“Attackers may also use their USB drives to steal information directly from a computer. If an attacker can physically access a computer, he or she can download sensitive information directly onto a USB drive. Even computers that have been turned off may be vulnerable because a computer’s memory is still active for several minutes without power. If an attacker can plug a USB drive into the computer during that time, he or she can quickly reboot the system from the USB drive and copy the computer’s memory, including passwords, encryption keys, and other sensitive data, onto the drive. Victims may not even realize that their computers were attacked.”
USB Threats to Industry
Still not convinced? Then read on.
In December 2018, Tripwire.com’s article, “USB Threats to Cybersecurity of Industrial Facilities,” stated:
“With increasing pressure to limit network access to industrial control systems, industrial plant dependence upon USB removable media to transfer information, files, patches and updates has been greater than ever. At the same time, past research into USB threats has shown that portable USB drives are one of the top threat vectors impacting industrial control systems.
“USB represents an even greater threat than spreading malware: a USB device can be used to attack systems directly, using the USB interface as a powerful attack vector. Ever since the Stuxnet attack used a USB flash drive to obliterate any semblance of an air gap in an Iranian nuclear facility, the industry has been well aware of the vulnerability that USB devices can introduce to their operations.”
Our failure to protect ports with a USB locking device is like locking every window and installing every known electronic home security device, but leaving the front door not only unlocked, but also wide open. Without effective USB port security, every USB port in your data network or information system is an open invitation to malware, spyware, ransomware, viruses, and all manner of disruptive events that could bring your operations to a halt and cost loads of time and money.