USB sticks are everywhere. They’ve been with us for a long time now. They’re portable, convenient, and have been one of the most consistent security weak points for businesses for more than a decade.
USB drives are handy rewritable memory devices that are great for transferring information between computers. They’re small enough to fit in a pocket, and cheap enough to be given away at every business exhibition and convention across the country.
As well as being great at transferring legitimate files, they’re also great at transferring malware. And because we’re so used to seeing them everywhere, we don’t really consider them to be a great risk.
But they present a number of different problems. The first is that they can be used to circumvent a company’s network security systems. In recent years, we’ve seen USB sticks containing malicious files dropped in carparks of major corporations, in the hope that a member of staff will pick one up, plug it into their system and see what’s on it. At this point, the code which runs on the USB stick creates a backdoor into the company network, and allows remote access to the criminals who left it there.
The next problem is the transfer of malware from a member of staff’s home PC to the office network. Home users may not have the tools in place to keep their own PCs secure, and it’s very easy for someone to bring in a stick containing a few useful documents, but to also unwittingly transfer malware onto the corporate system at the same time. At one point, Windows machines would automatically run a set of actions when a USB stick was inserted, allowing an attacker to get their malware to start up without any user interaction beyond plugging in the stick.
There have been cases of corporate espionage, where USB drives have been given away at trade shows, only for them to be running hidden software that would spy on the recipients, and others which transmitted purchasing habits back to marketing companies.
And the threats aren’t always intentional. Other problems arise when important company documentation is saved to the drives, but left in the clear without any form of encryption. Since the devices are so small, they’re easily lost on trains, or in taxis, and then picked up by the next customer who can now divulge corporate information to the media or even to competitors.
Another risk comes from employees leaving the company, and taking huge amounts of company data with them. While it might be difficult to do this via email due to attachment size constraints, larger and inexpensive USB sticks can hold 128Gb of data, and this could walk out of your business as the employee leaves on their last day.
So what can be done to fix the problem?
The easiest method, but one which is most likely to cause an impact in the business, is to completely block USB storage devices. This can be done using Group Policies on Windows boxes, but may also block USB backup drives (which are also a bad idea) within the business.
If you are running some outdated Windows boxes on your network then it’s also a good idea to disable the “autorun” feature on external media such as CDs as well as USB drives. This prevents some of the older malware from propagating simply by being inserted into a system.
A better solution is to look at a USB DLP system. DLP, or Data Loss Prevention, is a huge topic – all we’re going to cover here is the fact that there are systems available which allow granular control over the usage of such devices within your business. For instance, McAfee’s DLP solution allows a company to lock down USB devices with the following methods.
- If drives are a necessary part of how your business works, then their usage should be kept to a minimum, with annual reviews on who needs them to carry out their roles, removing usage wherever possible.
- Policy should clearly state how they can be used – what the acceptable use cases are, who is allowed to do it, and defined restrictions on where they can be used outside the business (if allowed outside at all). Devices should never be plugged into a system which is running outdated AV – this is often the way that malware circumvents many companies’ perimeter defences and gains a foothold on the internal network.
- Restrict all USB storage to a fixed manufacturer or set of approved vendors. This will involve the company having to scrap the old devices (carefully – ensuring that data is wiped beforehand), and replacing them with a known brand which can be identified by the DLP system. Once allowed, these devices can be used to write and read data. But another step is also needed. In order to prevent the risks associated with the loss or theft of USB sticks, encryption should be forced on all USB storage devices. This means that without the correct password, there is no way to gain access to the data held within the stick.
- DLP software can also monitor for particular types of document, quantities of files, or specifically included keywords being copied over to an external drive. It can monitor or block these actions, depending on the policy in place, and can alert those who need to know that such actions were taking place. This helps somewhat in the fight to keep company data within the business, but it does require significant time and business buy-in to be configured effectively. And don’t believe the hype of some of the DLP sellers – if someone is determined to exfiltrate data from your company, there is always a way that it can be done – no system is going to be able to guarantee prevention of such actions taking place.
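The approved-vendor rule from the list above, as an added example that is not from the original article and not how any particular DLP product implements it: this PowerShell parses Windows device instance IDs for USB mass-storage disks and flags any whose vendor string is not on an allowlist. The function name `Test-UsbStorageVendor`, the allowlist and the sample instance IDs are all constructed for illustration.

```powershell
# Added example: flag USB storage devices whose vendor is not on an approved list.
# Test-UsbStorageVendor and $ApprovedVendors are hypothetical; all sample values are constructed.

$ApprovedVendors = @('APPROVEDCO')   # constructed allowlist

function Test-UsbStorageVendor {
    param(
        [string[]]$InstanceId,
        [string[]]$Approved
    )
    foreach ($id in $InstanceId) {
        # USB disks enumerate as USBSTOR\DISK&VEN_<vendor>&PROD_<product>&REV_<rev>\<serial>
        if ($id -notmatch '^USBSTOR\\DISK&VEN_([^&\\]*)&PROD_([^&\\]*)') { continue }
        $vendor  = $Matches[1].Trim('_')   # padding spaces appear as underscores
        $product = $Matches[2].Trim('_')
        [pscustomobject]@{
            Vendor   = $vendor
            Product  = $product
            Approved = ($Approved -contains $vendor)   # case-insensitive comparison
            Instance = $id
        }
    }
}

# Constructed sample instance IDs so the example runs with no device attached.
$sample = @(
    'USBSTOR\DISK&VEN_APPROVEDCO&PROD_SECURE_DRIVE&REV_1.00\0123456789ABCDEF&0',
    'USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\FEDCBA9876543210&0',
    'SCSI\DISK&VEN_NVME&PROD_EXAMPLE_SSD\5&1A2B3C4D&0&000000'   # internal disk, ignored
)
Test-UsbStorageVendor -InstanceId $sample -Approved $ApprovedVendors | Format-Table -AutoSize

# On a live Windows host, feed in the attached disks instead:
# Test-UsbStorageVendor -InstanceId (Get-PnpDevice -PresentOnly -Class DiskDrive).InstanceId -Approved $ApprovedVendors
```

The vendor string is reported by the device itself, so this works as an inventory and review check rather than as an enforcement control on its own.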
It’s likely that the threat will only be mitigated by a combination of strong policy as well as technical controls. There is no magic bullet that can completely remove the risk if USB drives are allowed in any way. Investment upfront, of time as well as the usage of a robust DLP system, will help your business sit in a much stronger position with regard to this risk. Please get in touch with us if you would like to be helped through the process.