Network security practitioners are well aware of the challenges posed by removable data storage devices, including thumb drives. The blessings of their small size, low cost and ease of portability also are their curse, since they are more difficult for companies to track. In addition to the risk of loss, removable media – like other peripheral devices – often are a conduit for transferring malware onto networks and for stealing data.
Researchers recently demonstrated that the firmware of the controller chip inside a USB device can be reprogrammed so that the device presents itself to the computer as a different type of USB device altogether. For example, a thumb drive can enumerate as a keyboard, and the computer will accept the keystrokes it sends, including typed commands, because operating systems trust keyboards by design. Because the malicious code lives in the controller firmware rather than in the drive’s storage area, reformatting the drive does not remove it, and controls that only restrict mass-storage devices do not stop it.
In one case in the past year, a healthcare provider notified nearly 50,000 patients of a missing USB flash drive believed to contain patient names, dates of birth and prescribed medications. Companies can better prepare for these types of losses by establishing and enforcing a removable media policy that defines when USB storage devices may and may not be used, taking into account data sensitivity, network criticality and the standard use cases the business actually has. Encryption should be required whenever sensitive data is stored on an external device, using full-volume encryption or a drive with hardware-enforced authentication, so that a lost drive is a lost piece of hardware rather than a data breach. Employees should be required to report any lost, stolen or misplaced removable media immediately, and should know how to dispose of drives that are no longer needed so that the data on them cannot be recovered.
Jumping the Air Gap
Of course, not all data loss involving thumb drives is unintentional. In 2008, a foreign intelligence agency gained access to SIPRNet, a U.S. military network used for sharing information at the Secret level, by first deploying malware to infect vulnerable unclassified computers connected to the Internet. Once executed, the malware searched for thumb drives. When it found one, it copied itself onto the removable media and waited for an unwitting user to carry the drive to its next destination, where it gathered information about that machine, bundled it up and transmitted it back home. When the malware landed on an air-gapped system with no Internet connection, as was the case with SIPRNet, it staged its escape the same way it arrived: it wrote the collected data to the next thumb drive inserted, in the expectation that the drive would eventually be plugged into an Internet-connected computer. Since the malware got onto the closed network by riding on a thumb drive, the odds were high that it could leave the same way, this time carrying stolen property. Just as thumb drives can infect computers, computers can infect thumb drives.
Another problem is that the very nature of removable media makes it a malicious insider’s best friend. As Edward Snowden demonstrated, thumb drives that are banned as a matter of policy may still be used to devastating effect if sufficient technical controls aren’t in place. To protect your business, systems administrators should consider deploying products, configurations and sufficient personnel resources to block USB connections by device class (allowing keyboards and mice, for example, while denying mass storage, or permitting only company-issued drives by serial number), to monitor USB connections as they happen, to audit what data is transferred to removable media, and to disable autorun and autoplay so that simply inserting a drive cannot execute code. Preventing unauthorized use is always preferable but, when that isn’t possible, companies should also deploy endpoint monitoring that quickly detects, contains and mitigates rogue activity.
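The controls just listed, and the firmware-reprogrammed "keyboard" described earlier, in working form for a Windows endpoint. This is an added example for this column, not code from the columnist, Security Magazine or CrowdStrike. It assumes an elevated PowerShell session on Windows 10/11 or Server 2016 or later; the function names are the example's own, and the registry values are the ones the named Group Policy settings write (verify them against your GPO editor before relying on them). Note that denying removable-disk access does nothing against a device that enumerates as a keyboard, which is why the script also inventories the USB keyboards currently attached.

```powershell
# Added example (not from the column): harden a Windows host against removable
# media and audit what it has seen. Assumes an elevated session; the registry
# values below are what the corresponding Group Policy settings write, and in
# production they should be set through GPO so hosts cannot drift.
#Requires -RunAsAdministrator

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Disable-AutorunAndAutoplay {
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    # GPO "Turn off Autoplay" for all drives: 0xFF masks every drive type.
    Set-PolicyDword -Path $explorer -Name 'NoDriveTypeAutoRun' -Value 0xFF
    # GPO "Set the default behavior for AutoRun": ignore autorun.inf entirely.
    Set-PolicyDword -Path $explorer -Name 'NoAutorun' -Value 1
    # GPO "Disallow Autoplay for non-volume devices" (phones, cameras, MTP).
    Set-PolicyDword -Path $explorer -Name 'NoAutoplayfornonVolume' -Value 1
}

function Block-RemovableDisks {
    param([switch]$ReadOnly)
    # GPO "Removable Disks: Deny ... access". The GUID is the removable-disk
    # storage class those policies are keyed on.
    $rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    if ($ReadOnly) {
        # Middle ground: staff can read issued media but cannot copy data out
        # or launch executables from it.
        Set-PolicyDword -Path $rsd -Name 'Deny_Write'   -Value 1
        Set-PolicyDword -Path $rsd -Name 'Deny_Execute' -Value 1
    } else {
        Set-PolicyDword -Path $rsd -Name 'Deny_All' -Value 1
    }
}

function Get-UsbStorageHistory {
    # Every USB mass-storage device Windows has ever enumerated leaves a key
    # here even after removal: vendor/product/revision, then serial number.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return }
    foreach ($product in Get-ChildItem -Path $root) {
        foreach ($instance in Get-ChildItem -Path $product.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Product      = $product.PSChildName
                Serial       = $instance.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Enable-UsbDriverEventLog {
    # This log records user-mode driver loads (event 2003) for newly arrived
    # devices, but it is disabled by default; turn it on before you need it.
    wevtutil.exe set-log 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' /enabled:true
}

function Get-RecentUsbArrivals {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
        Id        = 2003
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-PresentUsbKeyboards {
    # A "thumb drive" whose firmware has been reprogrammed to act as a keyboard
    # shows up here as an extra HID keyboard. Compare the VID/PID list with the
    # keyboards you actually issue; a keyboard that arrives at the same moment
    # as a storage device is the pattern to alert on.
    Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'HID\VID_*' } |
        Select-Object FriendlyName, InstanceId, Status
}

# Apply the controls, then show what this host has seen.
Disable-AutorunAndAutoplay
Block-RemovableDisks -ReadOnly      # drop -ReadOnly to deny all access
Enable-UsbDriverEventLog
Get-UsbStorageHistory   | Format-Table -AutoSize
Get-RecentUsbArrivals   | Format-Table -AutoSize -Wrap
Get-PresentUsbKeyboards | Format-Table -AutoSize
```

Run it once with `-ReadOnly` to see the middle-ground configuration the column describes (company media readable, nothing written back out), and schedule the three `Get-` functions to feed your endpoint monitoring: the USBSTOR history tells you which drives a host has ever mounted, the driver-framework log tells you when, and the keyboard inventory is the cheap check for a device that is not what it claims to be.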
Stop. Don’t Think. Connect. Infect.
InfoSec training should include specific cautions regarding the use and disposal of thumb drives. Employees should know what to do if they find a flash drive on the street. Without proper training, the odds are high that an employee will insert a found flash drive into your corporate network, either to find the rightful owner or out of curiosity. When the Department of Homeland Security purposefully dropped data disks and USB flash drives in the parking lots of federal agencies and government contractors, 60 percent of the found objects were inserted into an agency or contractor network. The number rose to a staggering 90 percent when the thumb drive sported a DHS logo. In an unrelated study, even IT professionals admitted to plugging in found thumb drives – more than 75 percent, in fact.
Thumbs Up or Thumbs Down?
Whether the convenience of thumb drives outweighs the risk is a fact-specific business question. One potential middle ground is to permit only company-issued thumb drives, to allow them to pass only between company-owned computers, and always to require encryption, with those rules enforced by endpoint controls rather than by policy alone. If you have additional advice or lessons learned about removable media, please post your comments to SecurityMagazine.com.
About the Columnist: Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, network security penetration testing, assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. He can be reached at firstname.lastname@example.org. You can follow him on Twitter @StevenChabinsky.