Why USB Policy Matters
Honeywell released a report finding that over 40% of USB portable storage devices contain at least one risky file and that over 25% of those threats could lead to operational issues. In 2018, IBM’s chief information security officer, Shamla Naidoo, released a statement focused on digital hygiene and IBM’s steps towards banning portable storage devices, including USBs. The French National Assembly has likewise worked to raise cybersecurity awareness, with a similar aim to ban USB sticks during its meetings. With companies, and even countries, working to ban the use of USBs, it can be difficult for enterprises to know what decision they should make when it comes to USB policy. One way or another, enterprises need to address the issue and strictly enforce their USB policies to avoid catastrophic breaches. Recent security breaches and mishaps with USBs should serve as a warning to enterprises still using them freely and without restrictions.
In recent years, the way the US government handles sensitive documents has come under scrutiny. This enhanced scrutiny comes, in part, from the actions of Edward Snowden, a contract systems administrator for the NSA. Using simple USBs, Snowden was able to copy sensitive information about a government surveillance program called PRISM and leak it to the media. Snowden’s case serves as a lesson for companies around the world. Without proper endpoint security, any company or organization could have sensitive data lifted with something as simple as a USB.
Last year, Yujing Zhang was arrested and charged with trespassing after attempting to enter President Trump’s Mar-a-Lago resort. Zhang was reportedly carrying several electronic devices, including USB drives that contained malware that would begin working immediately after connection. After further investigation, law enforcement discovered nine other USB drives in Zhang’s hotel room. If Zhang, or anyone else, had been able to connect the USB drives to the resort’s systems, hackers would have had access to a plethora of sensitive information and could have gained access to devices connected to the network. Although a seemingly harmless device, a USB can cripple networks and provide access to highly classified data. Even if Zhang had been able to successfully place the USBs, a comprehensive endpoint security and malware prevention solution would have stopped the malware from spreading.
Stuxnet is a powerful computer worm that was built to infect PCs and specifically target centrifuges used to create the enriched uranium that powers nuclear reactors and weapons. When Stuxnet infiltrates a network, it checks whether a computer is connected to a specific type of programmable logic controller (PLC) manufactured by Siemens. The worm then changes the PLC’s programming to cause the centrifuges to work for too long and spin too quickly, which damages and destroys the equipment. Even while the attack is underway, the PLCs report that the centrifuges are operating as expected.
The Stuxnet malware was created by American and Israeli agencies to spy on and infect targeted systems using USBs. The malware, however, has been found on other IoT devices and has advanced in an aggressive and sophisticated manner. Fortunately, Stuxnet does not cause major damage to the outside computers it infects, but it often goes undetected because those computers did not have endpoint security or malware prevention measures in place.
Each of the aforementioned internationally reported cases was caused by USBs, which are seemingly simple devices. In each case, if the impacted organizations had had proper endpoint security, malware prevention, security awareness and cybersecurity education practices in place, the threats would have been of little concern.
It’s a common misconception that the only threats to an enterprise’s security come from external actors. Whether intentional or not, 47% of organizational data breaches are the result of internal human error, such as a misplaced device or document. Moreover, some employees present an even larger risk than others. According to recent reports, younger employees are more likely to bypass security protocols that are viewed as an impediment to their productivity. When it comes to onboarding new employees, young or old, enterprises must have proper security awareness and anti-phishing training, in addition to a strong privileged access management solution, to guard against the different types of human error that could create security vulnerabilities.
Although email phishing has taken many forms throughout the years, the most common type of email scam is also the oldest. Since 2003, black-hat hackers have created domain names and web pages that look virtually identical to actual websites and have linked these copycat sites to vulnerable users via emails. It is increasingly difficult to tell the difference between a real web page and a fake one, especially for companies without sophisticated anti-phishing tools. For all companies, it's important to have the best anti-phishing solutions in place to ensure all data is protected and downtime is avoided.