Risk
8/8/2011
04:05 PM
Connect Directly
RSS
E-Mail
50%
50%

How USB Sticks Cause Data Breach, Malware Woes

Half of businesses have lost sensitive or confidential information due to USB memory sticks, with many incidents involving those infected with malware.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB flash memory sticks. While such losses can obviously occur when the devices get lost or stolen, 55% of those incidents are likely related to malware-infected devices that introduced malicious code onto corporate networks.

Those findings come from a new survey of 743 IT and information security professionals, conducted by Ponemon Institute in July, and sponsored by flash memory manufacturer Kingston Digital.

Seemingly mindful of the information security and intellectual property risks, not all organizations permit the use of USB drives. Indeed, 36% of the survey respondents--who include employees at government agencies--said their approach to USB drives was "total lockdown through the use of a software solution to block the usage of USB ports."

But for most organizations, the study found, the use of USB drives is widespread. In addition, about half of surveyed organizations have policies that detail how employees can use USB drives to store sensitive or confidential information. But only half of those organizations actually enforce the policies. Meanwhile, only 21% of organizations with USB device security policies on the books use data loss prevention tools, and only 13% use network analysis technology to spot inappropriate use of USB drives.

On a related note, according to the study, 75% of respondents said they wouldn't pay a premium to ensure that USB drives are safe and secure. Unsurprisingly, 74% said they didn't use data loss prevention software to detect when confidential or sensitive information was being copied to the devices, or to monitor USB drives for viruses or malware. Nearly as many also don't have policies governing how USB drives are used, and don't see protecting information on USB drives as a top priority.

As with any storage device, data loss via USB thumb drives isn't new, and many survey respondents suspect that such losses often don't get reported. So far this year, according to the Identity Theft Resource Center, only five USB-related breaches have come to light, one of which included the theft of an unencrypted USB drive from the Family Planning Council in Philadelphia, which contained 70,000 records, in late 2010.

USB drives that are used as an attack mechanism also aren't new. Indeed, some experts have surmised, based on the pattern by which Stuxnet spread, that it initially infected only a handful of computers--and likely via a USB thumb drive.

Part of the difficulty in securing USB drives, perhaps, is that they're so common as to be unremarkable. In one test conducted earlier this year, for example, Department of Homeland Security staff scattered USB keys, some with the department's logo, around government and private contractor parking lots. Of the people who picked them up, according to Bloomberg, 60% later plugged the devices into their computer, although 90% of people who'd picked up a USB key with an official DHS logo plugged them in.

The study was cited as a failure of people to properly assess the threat posed by USB drives of unknown origin. But Bruce Schneier, chief security technology officer of BT, said the real issue involves operating systems. "The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good," he said in a blog post. "The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer."

When might operating systems catch up? Sixty percent of organizations, according to the Ponemon survey, take a hands-off approach to USB drives because they don't want to hamper workers' productivity. Accordingly, any approach to encrypting such devices arguably needs to be seamless.

Already, removable storage devices can be encrypted in Windows 7, using BitLocker, on a per-device basis. In addition, commercial and open source software add-ons will automatically encrypt removable devices.

Meanwhile, the latest version of Apple's operation system, OS X 10.7, aka Lion, includes a feature called FileVault2, which will fully encrypt--using XTS-AES 128 encryption--not just hard drives, but also USB storage devices. There's no default option, however, for requiring a drive to be encrypted. As with Windows 7 BitLocker, each external storage device must be encrypted on a per-item basis, using Apple's Disk Utility software. When so formatted, the drive requires a password when it's first connected to a Mac, or disconnected and reconnected, or else it can't be accessed.

In other words, the latest versions of Windows and Mac OS X enable users to encrypt their USB drives. But until they view USB drive encryption as a priority, will they encrypt, and should they have to bother?

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
allencently
50%
50%
allencently,
User Rank: Apprentice
4/7/2014 | 11:27:22 PM
usb security
USB security is professional data security software that allows you to protect your portable storage devices from accessed by unauthorized users including malware.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.