An increasingly mobile workforce has focused attention on the need to provide solutions that are both flexible and secure, enabling the user to store their data safely irrespective of location.
It’s one of the reasons why portable storage devices such as hard drives and USB sticks continue to be so popular. Unlike cloud storage services such as Google Drive or Dropbox there’s no need for a continuous internet connection and the technology now boasts multi-terabyte storage, making it more versatile than ever.
USB sticks continue to be widely used with a third of the workforce using them on a daily basis and that same number on a weekly basis. The problem is that despite their popularity the technology continues to pose a major threat to corporate security.
Plugging them into the corporate network can unleash a host of malicious software. This might be in the form of firmware which is preloaded onto the device or ransomware which then launches an attack that spreads throughout the network and seeks to escalate privileges to locate sensitive data. Spyware is another type of malware which seeks to covertly capture information from user devices, and keylogging software can record keystrokes to capture credentials which can be used to carry out a future attack.
Real world examples
There are multiple examples of USB stick attacks, the most notable of which is BadUSB. This sees the device pretend to be a keyboard and then initiate a series of keystrokes to the host computer to download the malware and make contact with the attacker’s command and control (C&C) servers. It’s proven to be a favoured technique for Advanced Persistent Threat (APT) groups such as FIN7 which then use USB drop attacks to target their ransomware victims. FIN7 sent out USB sticks purporting to be from Amazon and the US Department of Health and Human Services in 2022 to deliver REvil and BlackMatter ransomware.
More recently, the GoldenJackal ransomware group used malware on USB sticks to target air-gapped computers. The device copied data from the segregated machine which was then transferred to the attacker’s C&C servers when plugged back into an endpoint connected to the internet. The attack, discovered by ESET, was found to have been initiated against an EU government department and prior to that an embassy in Belarus.
Yet even if the USB isn’t infected, risk to data is also elevated because these devices can so easily be lost or stolen. If they are not encrypted, the data they house can then easily be accessed and used to carry out extortion, identity theft or to attack the network. One in four USBs have no encryption, according to reports, meaning that anyone can access that data should it fall into the wrong hands.
Are users becoming more cavalier?
These threats are not new. Security awareness training has been banging the drum about USB stick mismanagement for decades. The problem is that we as users continue to engage in risky behaviour because we expect security measures to be in place that often aren’t there.
For instance, a fifth of those questioned in a recent industry survey believed it was acceptable to plug in a USB stick they had found or been sent in the post believing that the anti-virus on their PC would be sufficient to protect them from malware. Only 34% said they would take the storage device to their IT team first, which is the correct course of action as it allows the device to be tested in a sandbox environment.
We’ve also become more relaxed about how we use these devices as boundaries have blurred between our home and work lives. Almost half of users said they would allow a USB containing work documents to be used by a child to do their homework, potentially putting that data at risk of compromise when it is plugged into the child’s computer and also the school network.
There’s clearly a widening gap between accepted best practice and data handling in real life and it’s this that is to blame for the continued problem of data loss via USB. Security awareness training does of course have a part to play but it needs to reflect real working practices rather than hypothetical scenarios to be relevant to the user. Such training should also seek to create an open and blame-free company culture to encourage the reporting of any lost or stolen USB sticks.
Should the USB be a user problem?
But it’s also becoming increasingly clear that businesses need to step up their game, ensure their acceptable use policies are clearer on what is and isn’t permitted, and to take some responsibility.
One of the best ways organisations can control the situation is to ensure that staff use only USB sticks that have been sourced and supplied by the company. Today, only half of USBs are provided by the business and just a quarter actually stipulate a supplier. Using sanctioned devices mitigates the risk of malicious software being preinstalled. It also means network ports can be locked to prevent any non-approved devices from logging on by default.
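The restriction to company-issued sticks described above, combined with the keyboard emulation that characterises BadUSB, can be expressed as a device admission check. The Python below is an added example, not part of the original article or of any vendor's product; the vendor/product IDs, serial numbers and the APPROVED table are constructed placeholders, while the interface class codes (0x03 HID, 0x08 mass storage) are the standard USB values.

```python
from dataclasses import dataclass

USB_CLASS_HID = 0x03           # Human Interface Device
USB_CLASS_MASS_STORAGE = 0x08  # Mass storage
HID_PROTOCOL_KEYBOARD = 0x01   # bInterfaceProtocol value for a keyboard

# Hypothetical allowlist of company-issued sticks:
# (vendor ID, product ID) -> serial numbers handed out by IT.
APPROVED = {(0x1234, 0xABCD): {"CORP-0001", "CORP-0002"}}

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interfaces: tuple  # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)

def evaluate(dev):
    """Return (decision, reasons); decision is 'allow' or 'block'."""
    reasons = []
    serials = APPROVED.get((dev.vendor_id, dev.product_id))
    if serials is None:
        reasons.append("vendor/product not on the approved list")
    elif dev.serial not in serials:
        reasons.append("serial not issued by the company")
    # An issued storage stick should expose mass-storage interfaces only.
    for cls, _sub, proto in dev.interfaces:
        if cls == USB_CLASS_HID and proto == HID_PROTOCOL_KEYBOARD:
            reasons.append("enumerates a keyboard interface")
        elif cls != USB_CLASS_MASS_STORAGE:
            reasons.append(f"unexpected interface class 0x{cls:02x}")
    return ("block" if reasons else "allow"), reasons

# Constructed sample devices (not real hardware identifiers).
SAMPLES = {
    "issued": UsbDevice(0x1234, 0xABCD, "CORP-0001", ((0x08, 0x06, 0x50),)),
    "found": UsbDevice(0x5678, 0x0001, "X1", ((0x08, 0x06, 0x50),)),
    "copied_ids": UsbDevice(0x1234, 0xABCD, "CORP-0001",
                            ((0x08, 0x06, 0x50), (0x03, 0x01, 0x01))),
}

if __name__ == "__main__":
    for name, dev in SAMPLES.items():
        decision, reasons = evaluate(dev)
        print(f"{name}: {decision} {reasons}")
```

Identifiers reported by a device can be copied, which is why the interface check runs even when the identity matches the approved list.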
Another key advantage of preselecting equipment is that the business can ensure that these devices have high level hardware-based encryption as standard. AES 256-bit encryption and FIPS 140-2 cryptography ensure that data held on the device cannot be accessed and remains protected even if the device becomes lost. In contrast, most privately owned devices feature no encryption at all. Security can further be strengthened through the use of a password policy that compels the use of strong passwords.
USB sticks will always be a highly convenient and flexible means of storing and transferring data. But as with any form of IT, they should be governed and controls applied to mitigate the risk of these devices being lost or stolen or becoming vessels for malicious software. Relying purely on the user to carry out this due diligence is unrealistic, so organisations should provide enterprise grade devices with robust encryption and security to prevent these issues without impinging on the ability of their staff to carry out everyday tasks.

Jon Fielding is the Managing Director of Apricorn in EMEA and has extensive experience in growing companies in the EMEA market. Jon is responsible for the sales & operations strategy, driving revenue growth and establishing the channel network in the region.
Jon is CISSP certified and has been focused on Information Security for the past 18 years, working with a variety of organisations from IBM to security start-ups such as Valicert and Tumbleweed.
Jon joined Apricorn from IronKey where he worked exclusively in the secure USB market having established the IronKey office in EMEA 8 years ago as the first in the region. During his tenure, IronKey was acquired by Imation and then by Kingston.