USB connections are the most common used to connect various devices today; Cell phones, tablets, keyboards, mice, thumb drives are just to name a few. Its common practice that users freely plug devices into a USB port without any consideration of the potential risks involved. Using the USB connection might be a quick, convenient way to charge your device or transport data, it is a major conduit for transferring malware onto your network and for stealing data.
Any device with storage, wireless or Bluetooth capabilities can carry an infection. The real risk isn’t necessarily the infection, but how all USB devices operate. All USB devices carry a form of software called firmware. USB manufacturers do not protect the firmware in their devices and this is a major vulnerability where attackers can exploit this by installing malware to overwrite the firmware and take control of everyday devices. And because so many different devices can plug into the same connection, one type of device can be reprogrammed and turn into a malicious device without the user even knowing.
Security threats are not only concern when it comes to USB drives. The overwhelming rise in the use of such devices has also raised the incidents regarding privacy. Given the diminutive size of the USB, they can be easily pocketed and taken anywhere. They could be used to steal massive amounts of corporate data such as valuable customer information.
How devices can turn malicious:
1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to ex-filtrate files or install malware.
2. The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
3. A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
Often times, a company’s biggest weakness might not be a malicious insider, but rather an employee who simply doesn’t understand the potential security risks of their actions. Often companies will invest time and money into firewalls to protect their network as their main defence mechanism against attackers but neglect that USB drives can be risk overlooked. All traffic that flows through such network devices can be filtered but when using a USB device directly to the endpoint can bypass all of these security mechanisms.
What you can do to protect yourself?
There are steps you can take to protect the data on your USB drive and on any computer that you might plug the drive into:
- Take advantage of security features – Use passwords and encryption on your USB drive to protect your data, and make sure that you have the information backed up in case your drive is lost.
- Keep personal and business USB drives separate – Do not use personal USB drives on company computers, and do not plug USB drives containing corporate information into your personal computer.
- Use security software and keep all software up to date – Use a firewall, anti-virus software, and anti-spyware software to make your computer is less vulnerable to attacks, and make sure to keep the virus definitions current. It’s also important to keep both the operating system and other software on your computer up to date by applying any necessary patches.
- Do not plug an unknown USB drive into your computer – If you find a USB drive, do not plug it into your computer to view the contents or to try to identify the owner. You may also want to notify someone in your IT department if the drive is found on work premises.
- Disable Autorun – The Autorun feature in Windows causes removable media such as CDs, DVDs, and USB drives to open automatically when they are inserted into a drive. By disabling Autorun, you can prevent malicious code on an infected USB drive from opening automatically.
- Develop and enforce USB drive-related policies – Make sure employees are aware of the inherent dangers associated with USB drives and what your company policy is on the proper use of them. Also consider mentioning the dangers of USB flash drives in company training. No matter how technology-savvy your employees may seem, no company is immune to human error.
Next time you pick up a USB drive, keep in mind the potential risks you could be unleashing on your network. Currently, the only way to truly prevent the potential risk is to educate yourself and fellow users about the risks and follow computing best practices. Do not insert your devices into computers (and networks) you don’t trust and don’t plug other’s devices into your computer unless you know for certain where they’ve been.