In 2006, a security firm was hired to assess the security infrastructure of a credit union. They scattered 20 USB thumb drives in the parking lot of the bank for employees to find. When they plugged in the USB drive, malware was installed on the employees’ computers and the hacker was into the bank’s network! The same thing happened to the Department of Defense in 2008, but this time, it was not just a security test. Transferring malware by running an infected thumb drive is just one of the ways USB devices can be used to spread viruses and other malicious software.
An infected computer can spread a virus to a clean USB thumb drive that is inserted. If an infected USB drive is inserted into a machine with AutoRun enabled, then that virus can be transferred to the new machine. The AutoRun function in Windows launches installers and other programs automatically when a thumb drive is inserted.
A virus also can be embedded in what looks like a normal file on a USB device, so that even if AutoRun is disabled, the computer will become infected when the file is opened. In addition to disabling AutoRun, employees should use an antivirus tool to scan their USB devices before opening any files from them and be cautious with files on devices even if they come from trusted sources. Thumb drives are not the only culprits; any device that plugs into a USB port, including iPods and other mp3 players can be used to spread malware.
These are just a few of the data security risks associated with USB devices. To ensure you are protecting your data from the risks associated with USB thumb drives, you may want to implement the following procedures into your daily operations and policies:
*If you find a USB device in the wild, don’t plug it into your USB port
*Disable autorun and autoplay on Windows machines
*Run antivirus software on USB devices
*Encrypt contents and use a complex password to protect your data
*Routinely delete contents then run a secure delete utility on USB drive
*Educate employees on use of USB devices.
Educating employees on these policies is crucial. Most employees aren’t doing anything intentionally malicious. They may be opening the USB drive to help find its owner, may just be curious about the device’s content, or think they just scored a free USB device and tried unsuccessfully to reformat it. Whatever the intent, ignorance of these risks could result in a crippling compromise to your business.
Tags: data security, Payment Card Industry Data Security Standard, PCI, PCI Compliance, PCI Security Standards
This is a good article and I completely agree about educating employees. That is, I believe, the most important aspect. However, I would like to mention a couple of additional points for your readers. (To provide full disclosure, I am an employee of Kanguru Solutions.)
1.) If you use flash drives, you should work with hardware encrypted flash drives with 100% encryption. These drives generally cannot automatically do an auto-run, plus have the added benefit of securing your data.
2.) Some flash drives like Kanguru’s Defender Elite now come with on-board anti-virus to protect them (and the host computer) from malware and viruses. The on-board anti-virus will scan the drive and, if necessary, any computer you plug the drive into. (Think of it as portable anti-virus.)
Using a combination of 100% encryption and the built-in anti-virus is a great way to prevent some of the issues outlined in this story.