Beware the USB
Malware or a virus can be loaded onto a flash drive, which can then automatically infect a machine when the user inserts the stick into it. Back in 2014 some security researchers showed how easy this was, and things haven’t changed much. Researchers have shown how malware from a USB stick can take control of a computer, upload files, track browser history, infect software and even provide a hacker remote keyboard control. In many cases the problems can’t be patched, infected files can’t be cleaned, and the infection is almost impossible to detect.
Shared Data, Lost Data
Flash drives are convenient, but their size also makes them USB security risks. Recently, IBM banned workers from using them for work, along with any removable memory device. As reported by the BBC, IBM cited the possibility of “financial and reputational” damage if staff lost or misused the devices.
IBM is being cautious, and for good reason. A few months ago, the University of Toledo made news when a faculty member lost a flash drive filled with social security numbers (as reported by the Toledo Blade). In 2017, an insurance underwriter paid a $2.2 million HIPAA breach settlement after a USB drive containing sensitive health information of more than 2,200 people was stolen from its IT department.
Even deleting the information from a USB drive isn’t always effective for USB security, as the devices can leave traces of files behind, or even full copies, which an expert hacker can recover.
Charging Malware
Using a flash drive isn’t the only USB security risk. Many modern laptops can now be charged through the USB port, a tremendous convenience but one that can leave a machine open for attack. Much like thumb drives, these small USB chargers are borrowed and shared, and lost and replaced. Like thumb drives, they can also be booby-trapped to inject malware, rootkits and other malicious infections into a computer, allowing the hacker access to files and data.
Getting the Drop on USB Security
Not every trick is high tech, as shown in this simple ploy: a hacker drops an infected USB drive on the ground, which is then picked up and used, infecting a computer. According to an article by digital news company Mic, researchers dropped a few hundred USB devices around the University of Illinois, even going as far as attaching keys or a return mailing address to some of them. Incredibly, 48% of the 300 devices they dropped were picked up and plugged into a computer.
Laptop Leaving
USB devices aren’t the only portable devices that can put you at risk. Have you ever left a laptop on the table at a coffee shop while you stood in line, or ran to the restroom? Even if your laptop is where you left it when you return, that doesn’t mean it hasn’t been compromised.
A test of Google’s Chrome browser showed how easy and fast it is to steal passwords from an unguarded screen. One reporter for the Guardian says he tried exactly that, and stole 52 passwords in 57 seconds. If your computer doesn’t have a master password, it’s a simple procedure to access every web password you have.
USB Security and the GDPR
Recently, the GDPR (General Data Protection Regulation) was implemented for Europe, with a whole new set of rules regarding privacy protection and sharing of information. We reported on this in great detail in an earlier blog post. One interesting aspect of the GDPR concerns USB drive compliance. Keeping customer information safe and secure, with only limited employee access to this data, is at the heart of the GDPR. The failure to use an encrypted USB stick to transport data can be considered a breach of protocols and result in hefty fines.
Security Protocols
Instead of relying on antiquated USB devices to share files, most companies should switch to cloud computing, which allows for safe storage and accessibility of files across a secured network. We wrote a blog post recently in which we listed a number of practices small-to-medium-sized businesses should implement immediately, including amping up their cyber security, going to the cloud, and finding the right tech partner to assist them in setting it all up.
As security experts, DYOPATH is that “right partner” for many organizations. We know a thing or two about USB security, and even more about network security and data security. We help our clients implement proactive infrastructure patch management, provide a security risk assessment and much more. We also offer a full slate of managed cloud services, giving you access to the best cloud technologies without high initial costs or ongoing investments in upgrades.