Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

How USB Sticks Cause Data Breach, Malware Woes

Half of businesses have lost sensitive or confidential information due to USB memory sticks, with many incidents involving those infected with malware.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB flash memory sticks. While such losses can obviously occur when the devices get lost or stolen, 55% of those incidents are likely related to malware-infected devices that introduced malicious code onto corporate networks.

Those findings come from a new survey of 743 IT and information security professionals, conducted by Ponemon Institute in July, and sponsored by flash memory manufacturer Kingston Digital.

Seemingly mindful of the information security and intellectual property risks, not all organizations permit the use of USB drives. Indeed, 36% of the survey respondents--who include employees at government agencies--said their approach to USB drives was "total lockdown through the use of a software solution to block the usage of USB ports."

But for most organizations, the study found, the use of USB drives is widespread. In addition, about half of surveyed organizations have policies that detail how employees can use USB drives to store sensitive or confidential information. But only half of those organizations actually enforce the policies. Meanwhile, only 21% of organizations with USB device security policies on the books use data loss prevention tools, and only 13% use network analysis technology to spot inappropriate use of USB drives.

On a related note, according to the study, 75% of respondents said they wouldn't pay a premium to ensure that USB drives are safe and secure. Unsurprisingly, 74% said they didn't use data loss prevention software to detect when confidential or sensitive information was being copied to the devices, or to monitor USB drives for viruses or malware. Nearly as many also don't have policies governing how USB drives are used, and don't see protecting information on USB drives as a top priority.

As with any storage device, data loss via USB thumb drives isn't new, and many survey respondents suspect that such losses often don't get reported. So far this year, according to the Identity Theft Resource Center, only five USB-related breaches have come to light, one of which included the theft of an unencrypted USB drive from the Family Planning Council in Philadelphia, which contained 70,000 records, in late 2010.

USB drives that are used as an attack mechanism also aren't new. Indeed, some experts have surmised, based on the pattern by which Stuxnet spread, that it initially infected only a handful of computers--and likely via a USB thumb drive.

Part of the difficulty in securing USB drives, perhaps, is that they're so common as to be unremarkable. In one test conducted earlier this year, for example, Department of Homeland Security staff scattered USB keys, some with the department's logo, around government and private contractor parking lots. Of the people who picked them up, according to Bloomberg, 60% later plugged the devices into their computer, although 90% of people who'd picked up a USB key with an official DHS logo plugged them in.

The study was cited as a failure of people to properly assess the threat posed by USB drives of unknown origin. But Bruce Schneier, chief security technology officer of BT, said the real issue involves operating systems. "The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good," he said in a blog post. "The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer."

When might operating systems catch up? Sixty percent of organizations, according to the Ponemon survey, take a hands-off approach to USB drives because they don't want to hamper workers' productivity. Accordingly, any approach to encrypting such devices arguably needs to be seamless.

Already, removable storage devices can be encrypted in Windows 7, using BitLocker, on a per-device basis. In addition, commercial and open source software add-ons will automatically encrypt removable devices.

Meanwhile, the latest version of Apple's operation system, OS X 10.7, aka Lion, includes a feature called FileVault2, which will fully encrypt--using XTS-AES 128 encryption--not just hard drives, but also USB storage devices. There's no default option, however, for requiring a drive to be encrypted. As with Windows 7 BitLocker, each external storage device must be encrypted on a per-item basis, using Apple's Disk Utility software. When so formatted, the drive requires a password when it's first connected to a Mac, or disconnected and reconnected, or else it can't be accessed.

In other words, the latest versions of Windows and Mac OS X enable users to encrypt their USB drives. But until they view USB drive encryption as a priority, will they encrypt, and should they have to bother?

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
allencently
50%
50%
allencently,
User Rank: Apprentice
4/7/2014 | 11:27:22 PM
usb security
USB security is professional data security software that allows you to protect your portable storage devices from accessed by unauthorized users including malware.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.