If you found a random USB device, what would you do with it? Would you be curious and plug it into your computer to find what juicy secrets it holds? Or would you leave it where you found it? Most often, unsuspecting, ill-informed users take the risk of using USB devices they find, despite the known and significant risks. As of 2016, the real risks of using an unknown USB device are nothing new and have been understood for many years. In the face of this risky reality, people in 2016 are still making the wrong choice.
A recent study by Elie Bursztein of Google’s anti-fraud and abuse team confirmed people's willingness to take foolhardy risks with unknown and potentially malicious USB devices. The study involved leaving 300 infected USB drives around the University of Illinois campus. The software on these drives allowed the study’s creators to gauge how the drives were used when found and to gain insight into how the unsuspecting users interacted with them. Alarmingly, 45% of the USB thumb drives were used by those who found them. This 45% phoned home to a central server, which gave rich data on these unwitting participants.
Had these USB drives come from a truly malicious source such as a cybercriminal or a foreign nation state, they could have caused serious damage to an organization. This simple USB hack could put you in the news as the next huge data breach, intellectual property theft, or data exfiltration. Thankfully, there are some steps you and your company can take to address the malicious USB threat.
Security Awareness Training
The human element is most often the biggest risk to organizations. In the case of malicious USB drives and other media, end-user security awareness and training are paramount. At a bare minimum, organizations should be conducting annual security awareness training. The so-called “human firewall” is a big part of keeping your information secure.
Many other methods exist for limiting and blocking this type of threat, such as blocking the ports completely or epoxying or gluing them. In a Microsoft Windows network you can use tools such as Windows AD policy. Additionally, most modern anti-malware products offer the ability to control or block USB access. It’s important to note that anti-malware isn’t a cure-all and won't magically make the problem go away. Real defense in depth is the only way to address this and any other information security issue.
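One way to check whether a Windows host actually enforces a block on USB storage, as an added example that is not part of the original article. It reads two standard Windows settings, the Group Policy value Deny_All for removable storage and the start type of the USBSTOR driver; the function names are hypothetical.

```powershell
# Added example: read-only audit of two Windows removable-storage controls.
# Function names are hypothetical; the registry locations are standard Windows ones.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-UsbStorageControlStatus {
    # Group Policy "All Removable Storage classes: Deny all access" sets Deny_All = 1.
    $denyAll = Get-RegistryDword `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
        -Name 'Deny_All'

    # USB mass-storage driver start type: 3 = load on demand, 4 = disabled.
    $usbStor = Get-RegistryDword `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name 'Start'

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PolicyDenyAll      = ($denyAll -eq 1)
        UsbStorDriverStart = $usbStor
        UsbStorDriverOff   = ($usbStor -eq 4)
        RemovableBlocked   = ($denyAll -eq 1) -or ($usbStor -eq 4)
    }
}

$status = Get-UsbStorageControlStatus
$status | Format-List

if (-not $status.RemovableBlocked) {
    Write-Warning 'Removable storage is not blocked by policy or driver setting on this host.'
}
```

Both settings cover USB mass storage only; a device that presents itself as a keyboard or network adapter is not affected by them, which is one reason the article's point about defense in depth still applies.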
Don’t Use What You Don’t Trust
Never use USB drives or other forms of storage from unknown sources. If you find a USB drive at work, throw it away. If you get a “free” USB drive in the mail or at a conference, do the same. The same goes for any media, CD/DVD or otherwise. Remember to trust less and be more cautious so you and your organization don’t become an easy target.