Perimeter
8/31/2010
05:40 PM

Could USB Flash Drives Be Your Enterprise's Weakest Link?

The Pentagon last week conceded that a USB flash drive carried an attack program inside a classified U.S. military network. Could your company be next?

On any particular day, a horde of devices with flash memory are carried behind corporate firewalls and connected to business networks. It's a threat that many companies are not equipped to handle.

Last week, the U.S. military highlighted this fact when it confirmed that an attack on its systems in 2008 originated with a flash drive plugged into a military computer located in the Middle East. The infection "spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," U.S. Deputy Secretary of Defense William J. Lynn III wrote in an Aug. 25 essay.

The attack became a wakeup call for the Pentagon, which responded by banning USB flash drives for more than a year. The ban finally ended earlier this year.

While many companies worry about the software-based security vulnerabilities present in their networks and systems, far fewer have locked down their systems against devices that can be used to steal data or infect the network from behind the perimeter. Earlier this year, for example, a variant of an attack program known as Stuxnet used USB -- and other methods -- to spread among power companies, stealing information on the configuration of their sensitive operational networks.

"The USB spreading mechanisms are definitely increasing across the landscape," says Sean-Paul Correll, a threat researcher at antivirus firm Panda Security. "We are seeing it in almost every advanced program that we are analyzing in the lab right now."

About a quarter of all malicious programs have functionality that allows them to spread via USB flash drives, according to Panda.

As part of its reintroduction of USB flash drives, the U.S. military has improved its antivirus and malware capabilities, required that flash drives be authorized to connect to a computer, and tightened the security of authorized flash drives. The Department of Defense is also reducing its reliance on flash drives, opting for collaborative workspaces and other data-sharing portals.

Businesses have yet to lock down their own employees' use of flash drives. In its recent report, Barometer of Security in SMBs, Panda found that 32 percent of small and medium businesses cited USB flash drives and other external memory devices as the vector for the virus infections they suffered. In the U.S., almost half of all companies had been infected by a virus via a USB flash drive.

"We use devices every day," Correll says. "We have iPhones and Android devices and iPads and all kinds of things, and more and more, we are taking them to work."

A Zen-like question arises for companies when deciding what type of strategy to pursue to protect against the threat of devices: Is the threat posed by the device -- or the data on the device?

An employee who takes work home by loading it onto a USB flash drive, for example, may lose the drive in a bar or on the train. In 2006, U.K. intelligence agency MI6 had to scrub an anti-drug operation when an agent left a USB flash drive on a bus, according to a report.

"Was it the data that was the problem or was it the USB [stick] that was the problem?" asks Chris Merritt, director of solution marketing for security firm Lumension. "The device is the vector, but the data is what people are after, or the data is a malicious payload."

In a recent Ponemon Institute study funded by Lumension, IT security and operations managers gave both device control and data-loss prevention technologies similar rankings of importance. Nearly 60 percent of companies rated technology to control USB and other devices as important or very important, while only 3 percent fewer similarly rated data-loss prevention technologies.

However, antivirus and anti-malware technologies, whole-disk encryption, application controls, patch management and IT asset management were all rated as more essential.

A large part of the fight to keep organizations secure against such mobile devices is the education of employees. Because USB flash drives can aid productivity, getting employees to abandon them is difficult, as the Pentagon discovered. Instead, using technologies such as encryption, role-based authentication and data-leakage protection can help reduce the threat posed by flash drives.

"You can balance the security needs with the productivity by having policies in place, such as requiring encryption," Merritt says. "By having a system in place that enforces that policy, you can be far more secure."


Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...
