What’s more convenient for moving and accessing business and personal data than portable media?
How great is the risk of allowing portable media into your organization?
Portable media devices such as USB flash drives, smartphones, music players, SD cards, and external hard drives are ubiquitous. It is likely that you own at least two of these devices – and probably more. While all portable media have inherent dangers, USB flash drives and external hard drives pose the greatest threats, as they allow employees to copy and transfer data, take that data off site, and conduct business outside the secure perimeters of the office.
In this new work-from-home era created by a global pandemic, the cybersecurity dangers are growing exponentially, as the very properties that make these devices portable and enable them to connect to various networks also make them vulnerable to network security breaches.
USB Devices are a Leading Source of Malware
According to a 2012 report from the United States Computer Emergency Readiness Team, 25% of malware is spread through USB devices. While this report is nearly a decade old, we doubt much has changed since then; indeed, we suspect that the situation has only gotten worse.
The report states that these devices “may contain malware that you copy unknowingly or that gets launched automatically by the Autorun or Autoplay feature of your PC. And attacks are growing even more sophisticated and hard to detect as attackers use small circuit boards inserted in keyboards and mouse devices to launch malicious code when a certain key is pressed or condition is met. Once malware infects your PC to steal or corrupt your data, it might spread to other PCs on your home or organizational network. And these devices are an easy way for attackers to quickly propagate malware by passing it across all PCs that the device connects to. Because these storage devices can install malware inside of any firewalls set up on your PC or network, you might not detect the malware until major damage has been done. Storage devices can also give malicious insiders the opportunity to steal data easily and inconspicuously because the devices are easy to hide and their use is hard to track.”
It Only Gets Worse
To add insult to injury, in 2016, the FBI issued a warning about keystroke loggers disguised as USB device chargers. According to the FBI, “if placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information. Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.”
The 21st Century Version of USB Risk
So, you might be thinking that you are protected from malware infections because your PC scans for viruses every time you plug them in, or you occasionally reformat the devices to wipe them clean, or you know about these keystroke loggers and your chargers are authentic. Think again. According to security researchers Karsten Nohl and Jakob Lell, the risk associated with portable media isn’t just in what they carry. The 21st century risk is now built into the core of how portable media work.
At the 2014 Black Hat Security Conference, Nohl and Lell demonstrated a collection of proof-of-concept malicious software that exploits USB devices. The malware they created, called BadUSB, can be installed into the firmware of a USB device – rather than in the memory storage. This malware can completely take over a PC, invisibly alter files installed from the portable media, and even redirect the user’s Internet traffic. Because BadUSB resides in the firmware, the attack code can remain hidden even after the device has been wiped clean.
Can it get any worse? Sort of, if you consider that it is nearly impossible to know if the firmware of your portable media has been tampered with.
How to Minimize Your Risk
To ensure that your organization isn’t brought down by a cyber attack whose origin is a portable media device, you must make the ports on your computers inaccessible. USB port locks, network module locks, LAN cable locks, and secure USB hubs for your attached USB devices are inexpensive devices that effectively thwart both malicious and negligent insiders.
With port locks costing as little as $4 each – and the average cost of an insider incident, according to the Ponemon Institute’s Cost of a Data Breach Study, now at $11.45 million – it just doesn’t make good business or financial sense to allow your computer and network ports to be accessible to anyone with a portable media device.