Dark Reading is part of the Informa Tech Division of Informa PLC



8/31/2010
05:40 PM

Could USB Flash Drives Be Your Enterprise's Weakest Link?

The Pentagon last week conceded that a USB flash drive carried an attack program inside a classified U.S. military network. Could your company be next?

On any particular day, a horde of devices with flash memory are carried behind corporate firewalls and connected to business networks. It's a threat that many companies are not equipped to handle.

Last week, the U.S. military highlighted this fact when it confirmed that an attack on its systems in 2008 originated with a flash drive plugged into a military computer located in the Middle East. The infection "spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," U.S. Deputy Secretary of Defense William J. Lynn III wrote in an Aug. 25 essay.

The attack became a wakeup call for the Pentagon, which responded by banning USB flash drives for more than a year. The ban finally ended earlier this year.

While many companies worry about the software-based security vulnerabilities present in their networks and systems, far fewer have locked down their systems against devices that can be used to steal data or infect the network from behind the perimeter. Earlier this year, for example, a variant of an attack program known as Stuxnet used USB -- and other methods -- to spread among power companies, stealing information on the configuration of their sensitive operational networks.

"The USB spreading mechanisms are definitely increasing across the landscape," says Sean-Paul Correll, a threat researcher at antivirus firm Panda Security. "We are seeing it in almost every advanced program that we are analyzing in the lab right now."

About a quarter of all malicious programs have functionality that allows them to spread via USB flash drives, according to Panda.

As part of its reintroduction of USB flash drives, the U.S. military has improved its antivirus and malware capabilities, required that flash drives be authorized to connect to a computer, and tightened the security of authorized flash drives. The Department of Defense is also reducing its reliance on flash drives, opting for collaborative workspaces and other data-sharing portals.

Businesses have yet to lock down their own employees' use of flash drives. In its recent report, Barometer of Security in SMBs, Panda found that 32 percent of small and medium businesses cited USB flash drives and other external memory devices as the vector for viruses that infected them. In the U.S., almost half of all companies were infected by a virus via a USB flash drive.

"We use devices every day," Correll says. "We have iPhones and Android devices and iPads and all kinds of things, and more and more, we are taking them to work."

A Zen-like question arises for companies when deciding what type of strategy to pursue to protect against the threat of devices: Is the threat posed by the device -- or the data on the device?

An employee who takes work home by loading it onto a USB flash drive, for example, may lose the drive in a bar or on the train. In 2006, U.K. intelligence agency MI6 had to scrub an anti-drug operation when an agent left a USB flash drive on a bus, according to a report.

"Was it the data that was the problem or was it the USB [stick] that was the problem?" asks Chris Merritt, director of solution marketing for security firm Lumension. "The device is the vector, but the data is what people are after, or the data is a malicious payload."

In a recent Ponemon Institute study funded by Lumension, IT security and operations managers gave both device control and data-loss prevention technologies similar rankings of importance. Nearly 60 percent of companies rated technology to control USB and other devices as important or very important, while only 3 percent fewer similarly rated data-loss prevention technologies.

However, antivirus and anti-malware technologies, whole-disk encryption, application controls, patch management and IT asset management were all rated as more essential.

A large part of the fight to keep organizations secure against such mobile devices is the education of employees. Because USB flash drives can aid productivity, getting employees to abandon them is difficult, as the Pentagon discovered. Instead, using technologies such as encryption, role-based authentication and data-leakage protection can help reduce the threat posed by flash drives.

"You can balance those security needs with the productivity by having policies in place, such as requiring encryption," Merritt says. "By having a system in place that enforces that policy, you can be far more secure."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
