Risk
8/8/2011
04:05 PM
50%
50%

How USB Sticks Cause Data Breach, Malware Woes

Half of businesses have lost sensitive or confidential information due to USB memory sticks, with many incidents involving those infected with malware.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB flash memory sticks. While such losses can obviously occur when the devices get lost or stolen, 55% of those incidents are likely related to malware-infected devices that introduced malicious code onto corporate networks.

Those findings come from a new survey of 743 IT and information security professionals, conducted by Ponemon Institute in July, and sponsored by flash memory manufacturer Kingston Digital.

Seemingly mindful of the information security and intellectual property risks, not all organizations permit the use of USB drives. Indeed, 36% of the survey respondents--who include employees at government agencies--said their approach to USB drives was "total lockdown through the use of a software solution to block the usage of USB ports."

But for most organizations, the study found, the use of USB drives is widespread. In addition, about half of surveyed organizations have policies that detail how employees can use USB drives to store sensitive or confidential information. But only half of those organizations actually enforce the policies. Meanwhile, only 21% of organizations with USB device security policies on the books use data loss prevention tools, and only 13% use network analysis technology to spot inappropriate use of USB drives.

On a related note, according to the study, 75% of respondents said they wouldn't pay a premium to ensure that USB drives are safe and secure. Unsurprisingly, 74% said they didn't use data loss prevention software to detect when confidential or sensitive information was being copied to the devices, or to monitor USB drives for viruses or malware. Nearly as many also don't have policies governing how USB drives are used, and don't see protecting information on USB drives as a top priority.

As with any storage device, data loss via USB thumb drives isn't new, and many survey respondents suspect that such losses often don't get reported. So far this year, according to the Identity Theft Resource Center, only five USB-related breaches have come to light, one of which included the theft of an unencrypted USB drive from the Family Planning Council in Philadelphia, which contained 70,000 records, in late 2010.

USB drives that are used as an attack mechanism also aren't new. Indeed, some experts have surmised, based on the pattern by which Stuxnet spread, that it initially infected only a handful of computers--and likely via a USB thumb drive.

Part of the difficulty in securing USB drives, perhaps, is that they're so common as to be unremarkable. In one test conducted earlier this year, for example, Department of Homeland Security staff scattered USB keys, some with the department's logo, around government and private contractor parking lots. Of the people who picked them up, according to Bloomberg, 60% later plugged the devices into their computer, although 90% of people who'd picked up a USB key with an official DHS logo plugged them in.

The study was cited as a failure of people to properly assess the threat posed by USB drives of unknown origin. But Bruce Schneier, chief security technology officer of BT, said the real issue involves operating systems. "The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good," he said in a blog post. "The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer."

When might operating systems catch up? Sixty percent of organizations, according to the Ponemon survey, take a hands-off approach to USB drives because they don't want to hamper workers' productivity. Accordingly, any approach to encrypting such devices arguably needs to be seamless.

Already, removable storage devices can be encrypted in Windows 7, using BitLocker, on a per-device basis. In addition, commercial and open source software add-ons will automatically encrypt removable devices.

Meanwhile, the latest version of Apple's operation system, OS X 10.7, aka Lion, includes a feature called FileVault2, which will fully encrypt--using XTS-AES 128 encryption--not just hard drives, but also USB storage devices. There's no default option, however, for requiring a drive to be encrypted. As with Windows 7 BitLocker, each external storage device must be encrypted on a per-item basis, using Apple's Disk Utility software. When so formatted, the drive requires a password when it's first connected to a Mac, or disconnected and reconnected, or else it can't be accessed.

In other words, the latest versions of Windows and Mac OS X enable users to encrypt their USB drives. But until they view USB drive encryption as a priority, will they encrypt, and should they have to bother?

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
allencently
50%
50%
allencently,
User Rank: Apprentice
4/7/2014 | 11:27:22 PM
usb security
USB security is professional data security software that allows you to protect your portable storage devices from accessed by unauthorized users including malware.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.