We’ve all used pocket-sized USB drives to store and transfer data. We’ve also lost them countless times. USB sticks are a necessary convenience accompanied by complex and varied risks. Besides the loss of the actual “pendrives,” as they’re also known, organizations fall prey to targeted USB attacks, which are quite common. Threats designed for USB exploits have risen from 37% to 52%, according to Honeywell’s Industrial Cybersecurity USB Threat Report 2022. Even now, in the era of the cloud, USB attacks are executed, like some of the recent occurrences mentioned below.
Recent USB incidents
Those sleek-looking drives have led to massive exposure and data breaches. The Stuxnet attack (2010) and the USB drop attack on the Pentagon (2008) are some of the biggest data security incidents to date. Some recent attacks involving USBs include:
1. Malicious USBs mailed via US postal services, January 2022
Malicious USBs were mailed to professionals across the defense, insurance, and transportation sectors. Some of the mail was sent impersonating the US Department of Health, supposedly containing authorized coronavirus guidelines. Some others impersonated brands like Amazon, offering free gift vouchers. The USBs contained ransomware that helped hackers gain entry into the organizations’ networks.
2. Raspberry Robin malware detected in Windows machines, May 2022
The malware Raspberry Robin was found in Windows devices across various sectors. Raspberry Robin is a Windows worm that can drop malware into Windows devices. The worm installs and executes malware in devices, which can then be used to escalate privileges.
3. Bug in USB software allowed hackers to add fake devices, June 2020
USB for Remote Desktop is software that allows users to access a locally plugged-in USB device in remote desktop sessions. Now patched, this vulnerability could have allowed hackers to create fake devices. Hypothetically, fake Ethernet network cards added this way could have led to network infiltration.
How do USB security risks affect an organization?
Data breach: A data breach occurs when organizational data is exposed to external entities, like when the personal data of stakeholders is published on the dark web. The consequences often strike a blow too big. Remember Equifax?
Security infiltration: A security breach occurs when organizational networks and devices are left exposed to external entities. It is similar to the fake devices added by hackers in the USB incident mentioned previously. Note that a security breach need not imply a data breach.
Compliance implications: Regulatory standards like the GDPR recommend data encryption to prevent stolen data from being accessed. Fail to comply, and you’ll be handed hefty fines. On top of this, you’ll end up spending even more on legal counsel and restoring data security controls.
Business operations interruption: When USBs are misappropriated by hackers, lots of business hours are spent identifying exposed data. USB drives can also be used to deliver malware to endpoints. If endpoints are infected, you can’t get them up and running quickly. Incident response and remediation take higher priority, leading to downtime in business operations.
Types of USB threats
USB attacks can be caused by both internal and external entities. In most attacks, hackers trick employees or other stakeholders into plugging harmful USBs into organizational devices. However, insiders with financial motives can also launch attacks. Security researchers in Israel have identified up to 29 different USB attacks.
Based on the threat actor, USB attacks can be broadly classified as:
- USB attacks perpetrated by hackers and insiders: These attacks aim to expose organizational data or tamper with business operations. Cybercriminals can also collude with insiders using monetary deals to launch a malware infection in a network.
  Examples: BadUSB attacks and rubber ducky attacks.
- USB incidents brought about by unsuspecting employees: Negligent employees who do not follow security protocols often have their drives stolen or lose them outside the organization.
  Examples: The Stuxnet attack (2010) and the Pentagon attack (2008) were brought about by employees who inadvertently plugged in unknown drives.
At least half of USB-based security incidents can be prevented by promoting user awareness and enhancing security controls on USB access. Instead of completely eradicating USB usage, organizations must implement better controls for the secure use of removable storage devices.
How to prevent USB-based attacks
A surefire method of preventing USB attacks is to completely ban portable devices. However, this is not practical because insiders looking to exploit loopholes will find other ways. Besides, inconvenienced employees may not adhere to security protocols for want of easier data transfers.
An increasing number of tools are being developed to help enforce strict controls on portable flash drives. You can even track files copied to USB drives with endpoint monitoring tools.
We will delve deeper into protection against USB threats in part two of this blog.
The right tool to help you track risky USB actions
ManageEngine DataSecurity Plus is a unified data security and visibility platform to develop sound data protection controls. You can identify who accessed a file during non-business hours or spot questionable user actions on removable media devices. You can also:
- Discover sensitive data in your file servers and SQL servers to help secure them sufficiently.
- Identify risky file accesses, including file modifications and file copy activity.
- Track where users have pasted files, including in-USB actions.
- Allow only authorized flash drives using a trusted devices list.
- Restrict users to only reading files on USB media drives.
- Block network or local file copy actions by users.
Block specific USBs, allow only read access to users, prevent file copy actions, and try all our features in a free, 30-day trial.