Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/31/2010
05:40 PM
50%
50%

Could USB Flash Drives Be Your Enterprise's Weakest Link?

The Pentagon last week conceded that a USB flash drive carried an attack program inside a classified U.S. military network. Could your company be next?

On any particular day, a horde of devices with flash memory are carried behind corporate firewalls and connected to business networks. It's a threat that many companies are not equipped to handle.

Last week, the U.S. military highlighted this fact when it confirmed that an attack on its systems in 2008 originated with a flash drive plugged into a military computer located in the Middle East. The infection "spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," U.S. Deputy Secretary of Defense William J. Lynn III wrote in an Aug. 25 essay.

The attack became a wakeup call for the Pentagon, which responded by banning USB flash drives for more than a year. The ban finally ended earlier this year.

While many companies worry about the software-based security vulnerabilities present in their networks and systems, far fewer have locked down their systems against devices that can be used to steal data or infect the network from behind the perimeter. Earlier this year, for example, a variant of an attack program known as Stuxnet used USB -- and other methods -- to spread among power companies, stealing information on the configuration of their sensitive operational networks.

"The USB spreading mechanisms are definitely increasing across in the landscape," says Sean-Paul Correll, a threat researcher at antivirus firm Panda Security. "We are seeing it in almost every advance program that we are analyzing in the lab right now."

About a quarter of all malicious programs have functionality that allows it to spread via USB flash drives, according to Panda.

As part of its reintroduction of USB flash drives, the U.S. military has improved its antivirus and malware capabilities, required that flash drives be authorized to connect to a computer, and tightened the security of authorized flash drives. The Department of Defense is also reducing its reliance on flash drives, opting for collaborative workspaces and other data-sharing portals.

Businesses have yet to lock down their own employees' use of flash drives. In its recent report, Barometer of Security in SMBs, Panda found that 32 percent of small and medium businesses cited USB flash drives and other external memory devices as the vector for viruses that infected the victims. In the U.S., almost half of all companies were infected by a virus via a USB flash drive.

"We uses devices every day," Correll says. "We have iPhones and Android device and iPads and all kinds of things, and more and more, we are taking them to work."

A Zen-like question arises for companies when deciding what type of strategy to pursue to protect against the threat of devices: Is the threat posed by the device -- or the data on the device?

An employee who takes work home by loading it onto a USB flash drive, for example, may lose the drive in a bar or on the train. In 2006, U.K. intelligence agency MI6 had to scrub an anti-drug operation when an agent left a USB flash drive on a bus, according to a report.

"Was it the data that was the problem or was it the USB [stick)] that was the problem?" asks Chris Merritt, director of solution marketing for security firm Lumension. "The device is the vector, but the data is what people are after, or the data is a malicious payload."

In a recent Ponemon Institute study funded by Lumension, IT security and operations managers gave both device control and data-loss prevention technologies similar rankings of importance. Nearly 60 percent of companies rated technology to control USB and other devices as important or very important, while only 3 percent fewer similarly rated data-loss prevention technologies.

However, antivirus and anti-malware technologies, whole-disk encryption, application controls, patch management and IT asset management were all rated as more essential.

A large part of the fight to keep organizations secure against such mobile devices is the education of employees. Because USB flash drives can aid productivity, getting employees to abandon them is difficult, as the Pentagon discovered. Instead, using technologies such as encryption, role-based authentication and data-leakage protection can help reduce the threat posed by flash drives.

"You can balance that security needs with the productivity by having policies in place, such as requiring encryption," Merritt says. "By having a system in place that enforce that policy, you can be far more secure."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
WannaCry Has IoT in Its Crosshairs
Ed Koehler, Distinguished Principal Security Engineer, Office of CTO, at Extreme Network,  9/25/2020
Safeguarding Schools Against RDP-Based Ransomware
James Lui, Ericom Group CTO, Americas,  9/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26120
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
CVE-2020-26121
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
CVE-2020-25812
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
CVE-2020-25813
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
CVE-2020-25814
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...