
Perimeter

8/31/2010
05:40 PM

Could USB Flash Drives Be Your Enterprise's Weakest Link?

The Pentagon last week conceded that a USB flash drive carried an attack program inside a classified U.S. military network. Could your company be next?

On any particular day, a horde of devices with flash memory are carried behind corporate firewalls and connected to business networks. It's a threat that many companies are not equipped to handle.

Last week, the U.S. military highlighted this fact when it confirmed that an attack on its systems in 2008 originated with a flash drive plugged into a military computer located in the Middle East. The infection "spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," U.S. Deputy Secretary of Defense William J. Lynn III wrote in an Aug. 25 essay.

The attack became a wakeup call for the Pentagon, which responded by banning USB flash drives for more than a year. The ban finally ended earlier this year.

While many companies worry about the software-based security vulnerabilities present in their networks and systems, far fewer have locked down their systems against devices that can be used to steal data or infect the network from behind the perimeter. Earlier this year, for example, a variant of an attack program known as Stuxnet used USB -- and other methods -- to spread among power companies, stealing information on the configuration of their sensitive operational networks.

"The USB spreading mechanisms are definitely increasing across the landscape," says Sean-Paul Correll, a threat researcher at antivirus firm Panda Security. "We are seeing it in almost every advanced program that we are analyzing in the lab right now."

About a quarter of all malicious programs have functionality that allows them to spread via USB flash drives, according to Panda.

As part of its reintroduction of USB flash drives, the U.S. military has improved its antivirus and malware capabilities, required that flash drives be authorized to connect to a computer, and tightened the security of authorized flash drives. The Department of Defense is also reducing its reliance on flash drives, opting for collaborative workspaces and other data-sharing portals.
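The authorization requirement described above, allowing only issued drives to connect, is in practice a device-control allowlist keyed on what the drive reports about itself. The following is an added example, not code from the article or from any of the organizations it mentions: it parses constructed Linux kernel (dmesg-style) USB enumeration lines, correlates each device's descriptor lines by port, and decides per device whether it is on a constructed allowlist of vendor ID, product ID and serial number. A drive that reports no serial number is denied, because it cannot be matched to an issued device.

```python
"""Allowlist check for removable USB devices seen in Linux kernel logs.

Added example, not from the article. The log lines and the allowlist
below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed dmesg-style excerpt: one issued drive, one unknown drive,
# and one device that reports no serial string (SerialNumber=0).
SAMPLE_LOG = """\
[  123.456789] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  123.600000] usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  123.600100] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  123.600200] usb 1-1: Product: DataTraveler 3.0
[  123.600300] usb 1-1: Manufacturer: Kingston
[  123.600400] usb 1-1: SerialNumber: 0123456789AB
[  200.000000] usb 2-3: new high-speed USB device number 5 using xhci_hcd
[  200.100000] usb 2-3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  200.100100] usb 2-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  200.100200] usb 2-3: SerialNumber: 4C530001234567890123
[  300.000000] usb 1-4: new full-speed USB device number 6 using xhci_hcd
[  300.100000] usb 1-4: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[  300.100100] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
"""

# Constructed allowlist of (idVendor, idProduct, serial) for drives the
# organization has issued.
ALLOWLIST = {("0951", "1666", "0123456789AB")}

FOUND_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
SERIAL_RE = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    serial: Optional[str] = None  # None when the device reports no serial string


def parse_usb_events(log_text: str) -> List[UsbDevice]:
    """Create one UsbDevice per 'New USB device found' line and attach the
    'SerialNumber:' line that later appears on the same port."""
    devices: List[UsbDevice] = []
    current: Dict[str, UsbDevice] = {}  # port -> most recent device on that port
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            dev = UsbDevice(m["port"], m["vid"].lower(), m["pid"].lower())
            devices.append(dev)
            current[m["port"]] = dev
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in current:
            current[m["port"]].serial = m["serial"]
    return devices


def evaluate(dev: UsbDevice, allowlist=ALLOWLIST):
    """Return ('allow' | 'deny', reason). A device without a serial number
    fails closed: it cannot be tied to an issued drive."""
    if dev.serial is None:
        return "deny", "no serial number reported; device identity unverifiable"
    if (dev.vid, dev.pid, dev.serial) in allowlist:
        return "allow", "vendor/product/serial matches an issued drive"
    return "deny", "vendor/product/serial not on allowlist"


def audit(log_text: str, allowlist=ALLOWLIST) -> List[dict]:
    """Run the policy over a log excerpt and return one record per device."""
    report = []
    for dev in parse_usb_events(log_text):
        decision, reason = evaluate(dev, allowlist)
        report.append({"port": dev.port, "vid": dev.vid, "pid": dev.pid,
                       "serial": dev.serial, "decision": decision, "reason": reason})
    return report


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        print(f"{rec['port']:6} {rec['vid']}:{rec['pid']} serial={rec['serial']} "
              f"-> {rec['decision']} ({rec['reason']})")
```

The descriptors this check relies on are reported by the device itself, so an allowlist of this kind is a control against unmanaged drives being used by mistake, not a guarantee of device identity; that is the gap the article's mention of "tightened the security of authorized flash drives" points at, where the drive itself has to prove it is the issued one. In a deployment the same decision would be enforced at mount time (for example by a udev rule or an endpoint agent) rather than read back from the log afterwards.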

Businesses have yet to lock down their own employees' use of flash drives. In its recent report, Barometer of Security in SMBs, Panda found that 32 percent of small and medium businesses cited USB flash drives and other external memory devices as the vector for viruses that infected the victims. In the U.S., almost half of all companies were infected by a virus via a USB flash drive.

"We use devices every day," Correll says. "We have iPhones and Android devices and iPads and all kinds of things, and more and more, we are taking them to work."

A Zen-like question arises for companies when deciding what type of strategy to pursue to protect against the threat of devices: Is the threat posed by the device -- or the data on the device?

An employee who takes work home by loading it onto a USB flash drive, for example, may lose the drive in a bar or on the train. In 2006, U.K. intelligence agency MI6 had to scrub an anti-drug operation when an agent left a USB flash drive on a bus, according to a report.

"Was it the data that was the problem or was it the USB [stick] that was the problem?" asks Chris Merritt, director of solution marketing for security firm Lumension. "The device is the vector, but the data is what people are after, or the data is a malicious payload."

In a recent Ponemon Institute study funded by Lumension, IT security and operations managers gave both device control and data-loss prevention technologies similar rankings of importance. Nearly 60 percent of companies rated technology to control USB and other devices as important or very important, while only 3 percent fewer similarly rated data-loss prevention technologies.

However, antivirus and anti-malware technologies, whole-disk encryption, application controls, patch management and IT asset management were all rated as more essential.

A large part of the fight to keep organizations secure against such mobile devices is the education of employees. Because USB flash drives can aid productivity, getting employees to abandon them is difficult, as the Pentagon discovered. Instead, using technologies such as encryption, role-based authentication and data-leakage protection can help reduce the threat posed by flash drives.

"You can balance those security needs with the productivity by having policies in place, such as requiring encryption," Merritt says. "By having a system in place that enforces that policy, you can be far more secure."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
