In today’s digital age, data is everything. Currency, photographs, videos, personal information, Facebook. You name it – it’s data.
Data is big business. We buy it, we sell it, we share it – we even fight for it. And second only to the importance of data itself is how we share and move it. From Bluetooth to Airdrop, WhatsApp to Dropbox, transferring data has never been easier. But as vast and varied as the list of options available to us is, no other method is as simple, “universal” and dangerous as the USB (universal serial bus) device, or thumb drive.
Invented to replace the various connectors at the back of PCs and to keep more of us connected across our many different machines and digital devices, the USB drive fast became the data transfer vehicle of choice because it is small, readily available, inexpensive, and extremely portable. From the first USB released in 1994, to USB 3.1 released in 2013, this technology has grown in performance and storage – you can now fit a sizeable library of music and movies on a device no bigger than your thumb! However, the same characteristics that made it universally top of its class for simplicity and ease of use also made it the universal first choice for attackers and cyber criminals of every kind. Just look at some of the most spectacular computer attacks in the last few years, and you’ll usually find a USB drive at the heart of it all.
There are numerous ways for attackers to use USB drives to infect computers. One method is to install malicious code, or malware, on the device that can detect when it is plugged into a computer. When the USB drive is plugged into a computer, the malware infects that computer. Another method is to download sensitive information directly onto a USB drive. The only thing needed to accomplish this is physical access to a computer on the network. Even computers that have been turned off may be vulnerable, because a computer’s memory is still active for several minutes without power. If an attacker can plug a USB drive into the computer during that time, he or she can quickly reboot the system from the USB drive and copy the computer’s memory, including passwords, encryption keys, and other sensitive data, onto the drive.
Oftentimes, a company’s biggest weakness might not be a malicious insider, but rather an employee who simply doesn’t understand the potential security risks of their actions. Even the Department of Homeland Security (http://gcn.com/articles/2011/06/30/dhs-test-found-thumb-drives-disks-network.aspx) discovered in 2011 that 60% of USB drives (deliberately planted in places like federal agency parking lots) were inserted into company computers after they were picked up by unsuspecting workers. This number rose to 90% when the USB drives had the Department of Homeland Security logo.
There are steps you can take to protect the data on your USB drive and on any computer that you might plug the drive into:
Take advantage of security features – Use passwords and encryption on your USB drive to protect your data, and make sure that you have the information backed up in case your drive is lost.
Keep personal and business USB drives separate – Do not use personal USB drives on company computers, and do not plug USB drives containing corporate information into your personal computer.
Use security software and keep all software up to date – Use a firewall, anti-virus software, and anti-spyware software to make your computer less vulnerable to attacks, and make sure to keep the virus definitions current. It’s also important to keep both the operating system and other software on your computer up to date by applying any necessary patches.
Do not plug an unknown USB drive into your computer – If you find a USB drive, do not plug it into your computer to view the contents or to try to identify the owner. You may also want to notify someone in your IT department if the drive is found on work premises. Booby-trapped USB drives can destroy your network. Did you know hackers can control your keyboard without your knowledge? There are USB drives, nicknamed booby-trapped USBs, that are capable of controlling users’ computers without permission. In 2015, hackers developed a USB pen drive that can deliver a 220-volt charge to a computer, destroying it instantly. Just a few years earlier, in 2010, the infamous Stuxnet worm infected Iranian nuclear facilities, decreasing efficiency by 30 percent. Named the most sophisticated computer virus ever created, the Stuxnet worm is believed to have originated from a worker’s USB drive. Once this worm infects a USB drive, it attacks that drive first, then quickly moves toward other computing systems. Booby-trapped USBs are dangerous because users are unaware of the damage being inflicted.
Disable Autorun – The Autorun feature in Windows causes removable media such as CDs, DVDs, and USB drives to open automatically when they are inserted into a drive. By disabling Autorun, you can prevent malicious code on an infected USB drive from opening automatically.
Develop and enforce USB drive-related policies – Make sure employees are aware of the inherent dangers associated with USB drives and what your company policy is on the proper use of them. Also consider mentioning the dangers of USB flash drives in company training. No matter how technology-savvy your employees may seem, no company is immune to human error. Next time you pick up a USB drive, keep in mind the potential risks.
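For the “Disable Autorun” step above, this added example (not part of the original article) audits the Windows NoDriveTypeAutoRun policy value in both registry hives, decodes which drive types it covers, and can set it to 0xFF to cover all of them. The function names are hypothetical; the registry path, value name and bit values are the documented Windows ones.

```powershell
# Added example: audit and optionally enforce the Autorun policy value.
$PolicySubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Bits of NoDriveTypeAutoRun: a set bit turns Autorun off for that drive type.
$DriveTypeBits = [ordered]@{
    'Removable (USB)' = 0x04
    'Fixed'           = 0x08
    'Network'         = 0x10
    'CD/DVD'          = 0x20
    'RAM disk'        = 0x40
}

function Get-AutorunPolicy {
    # When the value exists under HKLM, Windows ignores the HKCU copy.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$PolicySubKey"
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        # List every drive type whose bit is missing from the mask.
        $uncovered = foreach ($type in $DriveTypeBits.Keys) {
            if ($null -eq $value -or -not ($value -band $DriveTypeBits[$type])) { $type }
        }
        [pscustomobject]@{
            Hive               = $hive
            Value              = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
            NotBlockedByPolicy = $uncovered -join ', '
        }
    }
}

function Set-AutorunDisabled {
    # Needs an elevated session: writes the machine-wide policy value.
    $path = "HKLM:\$PolicySubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # 0xFF sets every bit, turning Autorun off for all drive types.
    Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

Get-AutorunPolicy | Format-Table -AutoSize
# Set-AutorunDisabled   # uncomment to enforce, then run the audit again
```

On domain-joined machines, apply the setting through Group Policy rather than per host, since a local registry write can be overwritten at the next policy refresh.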
CybACADEMY courses powered by GoldPhish® educate employees on cyber risk and help build a more secure organisation with awareness training.
Our current FREE100 Campaign is aimed at helping smaller businesses get one step ahead of the cyber criminals with free awareness training.