Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

How USB Sticks Cause Data Breach, Malware Woes

Half of businesses have lost sensitive or confidential information due to USB memory sticks, with many incidents involving those infected with malware.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB flash memory sticks. While such losses can obviously occur when the devices get lost or stolen, 55% of those incidents are likely related to malware-infected devices that introduced malicious code onto corporate networks.

Those findings come from a new survey of 743 IT and information security professionals, conducted by Ponemon Institute in July, and sponsored by flash memory manufacturer Kingston Digital.

Seemingly mindful of the information security and intellectual property risks, not all organizations permit the use of USB drives. Indeed, 36% of the survey respondents--who include employees at government agencies--said their approach to USB drives was "total lockdown through the use of a software solution to block the usage of USB ports."

But for most organizations, the study found, the use of USB drives is widespread. In addition, about half of surveyed organizations have policies that detail how employees can use USB drives to store sensitive or confidential information. But only half of those organizations actually enforce the policies. Meanwhile, only 21% of organizations with USB device security policies on the books use data loss prevention tools, and only 13% use network analysis technology to spot inappropriate use of USB drives.

On a related note, according to the study, 75% of respondents said they wouldn't pay a premium to ensure that USB drives are safe and secure. Unsurprisingly, 74% said they didn't use data loss prevention software to detect when confidential or sensitive information was being copied to the devices, or to monitor USB drives for viruses or malware. Nearly as many also don't have policies governing how USB drives are used, and don't see protecting information on USB drives as a top priority.

As with any storage device, data loss via USB thumb drives isn't new, and many survey respondents suspect that such losses often don't get reported. So far this year, according to the Identity Theft Resource Center, only five USB-related breaches have come to light, one of which included the theft of an unencrypted USB drive from the Family Planning Council in Philadelphia, which contained 70,000 records, in late 2010.

USB drives that are used as an attack mechanism also aren't new. Indeed, some experts have surmised, based on the pattern by which Stuxnet spread, that it initially infected only a handful of computers--and likely via a USB thumb drive.

Part of the difficulty in securing USB drives, perhaps, is that they're so common as to be unremarkable. In one test conducted earlier this year, for example, Department of Homeland Security staff scattered USB keys, some with the department's logo, around government and private contractor parking lots. Of the people who picked them up, according to Bloomberg, 60% later plugged the devices into their computer, although 90% of people who'd picked up a USB key with an official DHS logo plugged them in.

The study was cited as a failure of people to properly assess the threat posed by USB drives of unknown origin. But Bruce Schneier, chief security technology officer of BT, said the real issue involves operating systems. "The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good," he said in a blog post. "The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer."

When might operating systems catch up? Sixty percent of organizations, according to the Ponemon survey, take a hands-off approach to USB drives because they don't want to hamper workers' productivity. Accordingly, any approach to encrypting such devices arguably needs to be seamless.

Already, removable storage devices can be encrypted in Windows 7, using BitLocker, on a per-device basis. In addition, commercial and open source software add-ons will automatically encrypt removable devices.

Meanwhile, the latest version of Apple's operation system, OS X 10.7, aka Lion, includes a feature called FileVault2, which will fully encrypt--using XTS-AES 128 encryption--not just hard drives, but also USB storage devices. There's no default option, however, for requiring a drive to be encrypted. As with Windows 7 BitLocker, each external storage device must be encrypted on a per-item basis, using Apple's Disk Utility software. When so formatted, the drive requires a password when it's first connected to a Mac, or disconnected and reconnected, or else it can't be accessed.

In other words, the latest versions of Windows and Mac OS X enable users to encrypt their USB drives. But until they view USB drive encryption as a priority, will they encrypt, and should they have to bother?

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
allencently
50%
50%
allencently,
User Rank: Apprentice
4/7/2014 | 11:27:22 PM
usb security
USB security is professional data security software that allows you to protect your portable storage devices from accessed by unauthorized users including malware.
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
CVE-2021-34067
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
CVE-2021-34068
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.