USB drives, also known as thumb drives, have become a popular form for storing and transporting files from one computer to another. Their appeal lies in the fact that they are small, readily available, inexpensive, and extremely portable. However, these same characteristics make them attractive to attackers. Just look at some of the most spectacular computer attacks in the last few years, and you’ll usually find a USB drive at the heart of it all. And it’s not just thumb drives that are the culprits, any device that plugs into a USB port including electronic picture frames, iPods, and cameras can be used to spread malware. These devices can even be infected during the production or supply chain process if quality control measures are not up to par. When users buy the infected products and plug them into their computers, malware is installed on their computers.
There are numerous ways for attackers to use USB drives to infect computers. One method is to install malicious code, or malware, on the device that can detect when it is plugged into a computer. When the USB drive is plugged into a computer, the malware infects that computer. Another method is to download sensitive information directly onto a USB drive. The only thing needed to accomplish this is physical access to a computer on the network. Even computers that have been turned off may be vulnerable, because a computer’s memory is still active for several minutes without power. If an attacker can plug a USB drive into the computer during that time, he or she can quickly reboot the system from the USB drive and copy the computer’s memory, including passwords, encryption keys, and other sensitive data, onto the drive.
Often times, a company’s biggest weakness might not be a malicious insider, but rather an employee who simply doesn’t understand the potential security risks of their actions. Even the Department of Homeland Security (http://gcn.com/articles/2011/06/30/dhs-test-found-thumb-drives-disks-network.aspx) discovered in 2011 that 60% of USB drives (deliberately planted in places like federal agency parking lots) were inserted into company computers after they were picked up by unsuspecting workers. This number rose to 90% when the USB drives had the Department of Homeland Security logo.
There are steps you can take to protect the data on your USB drive and on any computer that you might plug the drive into:
- Take advantage of security features – Use passwords and encryption on your USB drive to protect your data, and make sure that you have the information backed up in case your drive is lost.
- Keep personal and business USB drives separate – Do not use personal USB drives on company computers, and do not plug USB drives containing corporate information into your personal computer.
- Use security software and keep all software up to date – Use a firewall, anti-virus software, and anti-spyware software to make your computer is less vulnerable to attacks, and make sure to keep the virus definitions current. It’s also important to keep both the operating system and other software on your computer up to date by applying any necessary patches.
- Do not plug an unknown USB drive into your computer – If you find a USB drive, do not plug it into your computer to view the contents or to try to identify the owner. You may also want to notify someone in your IT department if the drive is found on work premises.
- Disable Autorun – The Autorun feature in Windows causes removable media such as CDs, DVDs, and USB drives to open automatically when they are inserted into a drive. By disabling Autorun, you can prevent malicious code on an infected USB drive from opening automatically.
- Develop and enforce USB drive-related policies – Make sure employees are aware of the inherent dangers associated with USB drives and what your company policy is on the proper use of them. Also consider mentioning the dangers of USB flash drives in company training. No matter how technology-savvy your employees may seem, no company is immune to human error.
Next time you pick up a USB drive, keep in mind the potential risks you could be unleashing on your network. Following these simple suggestions, can go a long way in helping to increase your data’s security.
Jessica Katz is a Security Analyst with M.A. Polce Consulting, Inc. For questions or comments, please contact her at firstname.lastname@example.org.