To say there has been a bit of news coverage about cybersecurity of late is like saying water is a requirement for life – it is both obvious and an understatement. From our recent presidential election to the seemingly daily corporate hacking incident to ongoing Facebook infiltrations, the question of computers and security is, perhaps, the biggest story of our age, and almost certainly the issue with the widest footprint.
British Airways, Reddit, Ticketmaster, Yahoo!, Equifax, Target, Marriott, and others have found themselves under the white-hot media spotlight because of data breaches. While the focus of these news events is the mysterious, remote, and invisible threat of hackers unknown, the Achilles’ heel, the unnoticed vulnerability in this whole picture, is the one element that’s visible and tangible – the USB data ports and unlocked cable connections that are hiding in plain sight. There are literally more ports and connections in the world than there are computers, and all but a precious few are unguarded.
A Case in Point
If you doubt that the ubiquitous USB port is a cybersecurity threat, then consider that the Iran nuclear program was derailed several years ago because its computers were not protected with simple USB port locks that cost less than $2 each.
According to U.S. intelligence sources, an Iranian double agent working for Israel used a standard thumb drive to infect Iran’s Natanz nuclear facility with the highly destructive Stuxnet computer worm.
All it took for the virus to be triggered was a user clicking on the Windows icon. Once that happened, Stuxnet quickly propagated throughout Natanz – knocking that facility offline and at least temporarily crippling Iran’s nuclear program – all because Natanz didn’t foresee the need for USB port blockers.
If you are reading this thinking that the likelihood of your company being the target of cyber-espionage is extremely small, then look around your facility to see how many of your employees have third-party devices plugged into USB ports. While your employees are not double agents and their intentions may not be malicious, the resulting impact of plugging any unauthorized device into a network USB port could devastate your computer network security. For instance, a smartphone that was synced to a home computer brings that computer’s viruses and malware to work just as thoroughly, and if an employee plugs in at work to charge, then the viruses and malware find a new home at the office.
A Lesson from Homeland Security
In 2011, the U.S. Department of Homeland Security – in a controlled experiment – randomly dropped USB and optical drives in government and private contractor parking lots. More than half of those who picked one up readily plugged it into their work computer. Bloomberg News reported that 60% of those workers and contractors who picked up the drives plugged them into office computers. The report also said that 90% of found drives stamped with official government logos were plugged in.
The lesson here is that intentional attacks are far from the only way that sinister viruses and malware come into data ports. In fact, intentional attacks are most likely the minority.
The broader threat is unintentional. A thumb drive that gets used at home and then at work brings with it anything the home computer might have picked up along the way in the form of bugs and bleeps from the vast Petri dish of the Internet. All the more reason to secure your USB ports with network port locks.
It’s also the easiest way to remove the Achilles’ heel of cybersecurity.