True Story

To most people, a USB drive probably seems pretty harmless, right? Believe it or not, they are actually a threat to the confidentiality, integrity, and availability of an organization’s data. One may initially conjure up images of devious employees taking confidential information right out the door on a USB drive. That is certainly a risk, but what about all the nasty stuff that can be introduced to an organization through a simple USB drive? I was recently out of town for some training, and while I was there, I was reminded of the threat of the USB drive and the importance of everyone in an organization being security conscious.

A Little Background…

While I was at this particular training session, I was chatting with one of the other people attending this training, and this story was relayed to me. This particular individual needed to print something and had saved the file that needed to be printed to a USB drive. This person walked right up to the concierge desk of the hotel where we were staying and asked the person working there if they would be so kind as to print the file. The USB drive was then handed to the hotel employee, and with no questions asked, the employee inserted the USB drive into one of the hotel computers and printed the file. While this act was seemingly innocent enough, what if the conference attendee had placed malware on that USB drive - malware which, when the USB drive was inserted, would automatically run and infect the PC and potentially the entire network of the hotel? *

Lessons Learned…

One of the first (and easiest) methods for an organization to prevent a scenario where a USB device is used to introduce malware into an organization is to provide (and require) security training for all employees. With the appropriate training, most employees will be aware of the dangers of an unknown USB drive, and with proper training, the situation described above could have been avoided.

However, security training alone is not enough. What about an employee who is up to no good (or just plain dumb) who purposely (or inadvertently) pops in a USB drive that contains malware? To prevent this, there are many controls that can be utilized, which include, but are not limited to, the following. For Windows PCs, the “Auto Run” feature should be disabled. Microsoft has fixed this problem in XP and Vista, and as such, up-to-date patches are a requirement. (It goes without saying anyway that all operating systems and applications must be kept up to date with the latest security patches.) In addition to that, the machine should have an active antivirus solution that is up to date on all virus definitions. This also applies to Macs and Linux boxes. Although Mac malware is less common, it is still a possibility, especially with regard to Trojan horses. ** An additional precaution (which also applies to all PCs, not just Windows machines) is to ensure that all “regular” users (i.e., users in a role where they do not require admin access to their machines) do not have administrative privileges on the local machine.

Last but certainly not least, how does an organization prevent an employee who is up to no good from copying confidential customer information to a USB drive? In some circumstances, USB ports can simply be disabled. I have heard of extreme cases where USB ports were actually filled with epoxy. However, sometimes, disabling USB ports is not an option, especially with the proliferation of devices such as mice and keyboards that require a USB port. As such, software solutions, such as McAfee DLP, can also be utilized. DLP prevents data from being written to USB drives and other forms of removable storage.
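
To make the Windows controls above checkable, here is an added example (not part of the original post) that audits a local machine for three of them: AutoRun disabled, USB mass storage disabled, and who holds local admin rights. The registry paths and values are standard Windows settings rather than anything named in the post, and the script assumes Windows PowerShell 5.1 or later for `Get-LocalGroupMember`.

```powershell
# Added example (not from the original post): audit the local Windows machine for
# the controls described above. Registry paths are standard Windows settings.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-UsbHardening {
    # AutoRun: NoDriveTypeAutoRun = 0xFF (255) turns AutoRun off for every drive type.
    $autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    [pscustomobject]@{
        Control = 'AutoRun disabled on all drive types'
        Found   = $autorun
        Pass    = ($autorun -eq 255)
    }

    # USB storage: Start = 4 disables only the mass storage driver (USBSTOR),
    # so USB keyboards and mice keep working.
    $usbstor = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    [pscustomobject]@{
        Control = 'USB mass storage driver disabled'
        Found   = $usbstor
        Pass    = ($usbstor -eq 4)
    }

    # Least privilege: list who is in the built-in Administrators group
    # (well-known SID S-1-5-32-544). Needs human review, so Pass is left empty.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Control = 'Local Administrators membership (review manually)'
        Found   = ($admins.Name -join '; ')
        Pass    = $null
    }
}

Test-UsbHardening | Format-Table -AutoSize -Wrap
```

A missing registry value shows up as an empty `Found` column with `Pass` set to False, which means the setting has not been configured on that machine.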

In Conclusion…

These are just some ways by which to keep your organization safe from this type of threat. There are many things that I did not cover for the purpose of brevity. For example, I did not delve into physical security or auditing and logging, both of which are also important from a defense in depth perspective.

* As a note, my fellow conference attendee did not have any malware planted on the USB drive.

** A Trojan horse is a program that a user thinks he/she is installing for one purpose but actually contains malware that is used for various nefarious purposes. An example of a situation where a user may encounter a Trojan horse is when he/she thinks he/she is installing a legitimate video codec when in actuality the “codec” contains malware.