It’s pretty easy for organizations to get so wrapped up about what goes out on USB drives that they forget to protect against what comes in their environments via USB. And with attacks inflicting increasingly greater damage following uncontrolled connection, it’s time that organizations got serious about this threat.
The news today is chock full of stories about sensitive information being carried out the institutional perimeter on ‘simple’ USB devices. These powerful portable drives rightfully worry IT as a means for devastating data loss at the hands of malicious insiders. But it’s
pretty easy for organizations to get so wrapped up about what goes out on USB drives that they forget to protect against what comes in their environments via USB. And with attacks inflicting increasingly greater damage following uncontrolled connection, it’s time
that organizations got serious about this threat.
After all, according to researchers, as many as one in four malware attacks1 is carried out through a USB device. In the past year, we’ve seen Stuxnet raise its ugly head and Conficker continue to circulate through the USB vector. And yet the proliferation of USB devices only continues to skyrocket by billions each year.
In order to keep organizations secure from threats, IT departments must bring greater scrutiny and control over how the network is exposed to potentially infected portable payloads. But let’s get real: they can’t do so by gluing USB ports shut. Portable devices as these are business tools that are here to stay. IT leaders who refuse to recognize that fact will be seen throughout their organizations as inhibitors to success. The key to USB security is balancing productivity with protection.
Early on, USB malware was exploratory and experimental. Most of all it was just, well, random. Hackers would find ways to get malware files onto drives–either online or even manually–and cross their fingers in hope that the intended victim clicked the files to initiate infection.
But as USB platforms evolved, so did the attack methods. Functionality enhancements opened up new possibilities for hackers. For example, Windows Autorun made it simpler for users to gain immediate access to the contents of their drives but also enabled hackers to write code that could initiate without user intervention. And now, new attack platforms such as the U3 smartdrive platform made it possible to run applications directly from the drive, giving hackers another potentially untraceable attack vehicle.
This manipulation of Autorun is a common theme with many malware variants that plague IT environments today. Any USB device connected to an infected machine would become infected and then would infect any other machine to which it was connected;
then that machine would begin infecting other USB devices plugged into it. This is how the malware is able to move from machine to machine via USB devices and this “worm like” malware propagation method copies itself to all available drives, shares, removable media and peer-to-peer software application file folders.
This can greatly increase the exposure surface of an organization that may otherwise have its network security bases covered. In fact, Microsoft recently announced its findings that Windows XP users were 10 times more likely to get infected when faced with such an attack. In addition to propagating malware, USB drives have also proven to be exceptional hacking platforms for those attackers with physical access to corporate machines. One of the many legitimate useful features of USB drives is their ability to act as a “PC on a stick” through the use of certain platform and virtualization utilities. But again, this legitimate use can also be used for dark purposes. It also makes it possible for malicious users to replicate their entire Windows hacking lab with a USB device and run it on virtually any PC
with an available USB port. When the malicious user is done, she simply removes the USB device and leaves without a trace.
Balancing USB Usefulness with Protection
It is now difficult to return to the days of yore when IT administrators would simply glue USB ports shut and call their endpoints secure. USB devices are an everyday necessity whether you’re running a mom-and-pop business, a corporate office or a government department.
The truth is that portable devices have done great things for the business world, which leverages these devices for incredible productivity gains. A late 2010 survey found that all of nearly 230 workers surveyed own at least one USB flash drive and more than half own three to six of these devices.
Today’s workers can now use ultra-portable flash drives to easily transfer large amounts of data between locations. They can use these same devices to store important presentation information while on the road at conferences and sales meetings. And large organizations can quickly disseminate information to a large number of customers or employees by uploading data to USB devices and distributing
them to the right people.
USB Security Best Practices
So what exactly does it take to change our trust models? It starts with smart policy development. Some key policies that organizations should consider to reduce their risks right off the bat include:
- Ensuring common PC and laptop configurations have AutoRun features disabled, limiting the efficacy of USB malware that depends on this feature to run and to propagate.
- Requiring timely installation of security updates in order to minimize the risk of USB-borne malware taking advantage of unpatched endpoint vulnerabilities.
- Limiting access of USB and portable devices to registered devices only, enabling better control over who, when and how devices are being utilized.
- Preventing the initiation of some or all executables from portable devices, blocking malware from running in the first place.
- Requiring strong passwords (and not allowing the use of default passwords) throughout your infrastructure to prevent worms such as Stuxnet from working their way further into systems.
- Requiring proper, up-to-date AV and firewall usage to prevent malware from gaining a foothold within the endpoint and spreading to other systems in the network.
While the first battle in the war against mobile malware starts with the development of clear, in-depth policies regarding the use of removable devices and media, the ultimate fight still remains. None of those policies amount to much without solid enforcement. Unfortunately, most organizations havenot yet gotten that message.
Putting Teeth In Policies
By enforcing usage policies for removable devices such as USB flash drives and other removable media such as CDs / DVDs, you can control the flow of inbound and outbound data from your endpoints.
Devices that are not authorized should simply not be allowed to execute. Ideally, organizations should look for tools and develop processes that enable them to quickly establish and enforce device control policies as simply and as methodically as possible. The idea
is to enable users to continue to use approved devices without resorting to an outright blanket ban.
Policies should be manageable by user or user group as well as by computer, and organizations should look for capabilities that enable user groups to be immediately associated with devices “on-the-fly.” The goal is to dramatically simplify the management of endpoint
device resources through improved tracking of who, when and how devices are being used. By validating removable devices as they are used within the enterprise, you can prevent malware from being introduced into the network. This includes assigning permissions
for authorized removable devices and media to individual users or user groups and controlling the uploading of unknown or unwanted files from removable devices.
Organizations should also widen the lens a bit and think about more than just simple device control. Defense-in-depth should play a role in risk mitigation. For example, intelligent whitelisting technology can help prevent the initiation of risky applications running on the endpoints by controlling the trust factors that enable execution, such as code source, who authorized the application, whether it is running on other stable systems within the network and from where the application originated. And the use of encryption
to augment defenses could make network assets less attractive to potential attackers.
Finally, organizations should consider revisiting end user training to ensure they’re covering the risks posed by USB devices. That one-time discussion on the first day at work has likely been long forgotten by most employees and is undoubtedly obsolete anyway.
After all, these workers really are your first, last and best defense against USB attacks. That’s why IT professionals need to remember that in order to win over the hearts and minds of these line-of-business users, they’ll need to institute policies and practices that don’t
adversely affect these workers’ daily productivity. This means taking control of USB device usage without stooping to wholesale purchases of superglue.
By developing policies and implementing solutions that enable a more flexible but easily trackable environment, IT departments become partners in security and business success rather than technology mall cops to be disregarded at all costs. Enterprises with
such forward-looking technology decision-makers will gain a decisive productivity advantage while protecting their organizational endpoints.
While we’ve focused much of our attention on the ubiquitous USB flash drive, organizations need to think about threats that extend from all forms of removable media in use today. These include: CD drives, DVD drives, Blu-ray drives, FireWire, External hard disks, eSATA connected devices and Consumer products such as picture frames, MP3 players, digital cameras, etc.