Perimeter
8/31/2010
05:40 PM
Connect Directly
RSS
E-Mail
50%
50%

Could USB Flash Drives Be Your Enterprise's Weakest Link?

The Pentagon last week conceded that a USB flash drive carried an attack program inside a classified U.S. military network. Could your company be next?

On any particular day, a horde of devices with flash memory are carried behind corporate firewalls and connected to business networks. It's a threat that many companies are not equipped to handle.

Last week, the U.S. military highlighted this fact when it confirmed that an attack on its systems in 2008 originated with a flash drive plugged into a military computer located in the Middle East. The infection "spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," U.S. Deputy Secretary of Defense William J. Lynn III wrote in an Aug. 25 essay.

The attack became a wakeup call for the Pentagon, which responded by banning USB flash drives for more than a year. The ban finally ended earlier this year.

While many companies worry about the software-based security vulnerabilities present in their networks and systems, far fewer have locked down their systems against devices that can be used to steal data or infect the network from behind the perimeter. Earlier this year, for example, a variant of an attack program known as Stuxnet used USB -- and other methods -- to spread among power companies, stealing information on the configuration of their sensitive operational networks.

"The USB spreading mechanisms are definitely increasing across in the landscape," says Sean-Paul Correll, a threat researcher at antivirus firm Panda Security. "We are seeing it in almost every advance program that we are analyzing in the lab right now."

About a quarter of all malicious programs have functionality that allows it to spread via USB flash drives, according to Panda.

As part of its reintroduction of USB flash drives, the U.S. military has improved its antivirus and malware capabilities, required that flash drives be authorized to connect to a computer, and tightened the security of authorized flash drives. The Department of Defense is also reducing its reliance on flash drives, opting for collaborative workspaces and other data-sharing portals.

Businesses have yet to lock down their own employees' use of flash drives. In its recent report, Barometer of Security in SMBs, Panda found that 32 percent of small and medium businesses cited USB flash drives and other external memory devices as the vector for viruses that infected the victims. In the U.S., almost half of all companies were infected by a virus via a USB flash drive.

"We uses devices every day," Correll says. "We have iPhones and Android device and iPads and all kinds of things, and more and more, we are taking them to work."

A Zen-like question arises for companies when deciding what type of strategy to pursue to protect against the threat of devices: Is the threat posed by the device -- or the data on the device?

An employee who takes work home by loading it onto a USB flash drive, for example, may lose the drive in a bar or on the train. In 2006, U.K. intelligence agency MI6 had to scrub an anti-drug operation when an agent left a USB flash drive on a bus, according to a report.

"Was it the data that was the problem or was it the USB [stick)] that was the problem?" asks Chris Merritt, director of solution marketing for security firm Lumension. "The device is the vector, but the data is what people are after, or the data is a malicious payload."

In a recent Ponemon Institute study funded by Lumension, IT security and operations managers gave both device control and data-loss prevention technologies similar rankings of importance. Nearly 60 percent of companies rated technology to control USB and other devices as important or very important, while only 3 percent fewer similarly rated data-loss prevention technologies.

However, antivirus and anti-malware technologies, whole-disk encryption, application controls, patch management and IT asset management were all rated as more essential.

A large part of the fight to keep organizations secure against such mobile devices is the education of employees. Because USB flash drives can aid productivity, getting employees to abandon them is difficult, as the Pentagon discovered. Instead, using technologies such as encryption, role-based authentication and data-leakage protection can help reduce the threat posed by flash drives.

"You can balance that security needs with the productivity by having policies in place, such as requiring encryption," Merritt says. "By having a system in place that enforce that policy, you can be far more secure."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.