USB Security: The Often Overlooked Security Hole
You’ve likely got a USB security problem that you don’t even know about.
An often-overlooked component of any secure network infrastructure is USB security. While most businesses maintain at least some basic digital security infrastructure ranging from basic virus detection software to inward and outward facing firewalls (if your business does not have a security plan in place, stop right here and call HumanIT or your current IT provider), many don’t know that they should be taking a few additional steps to protect their data and network. USB security guidelines in particular do not exist at the vast majority of businesses. You probably didn’t even know you needed one: no one sees the problem until after the virus strikes.
Consider the way most users (i.e. people who do not work in IT) go about practicing security: they have a tendency to view network security through the lens of the internet. “Don’t click that ad on that sketchy website,” “make sure to screen out suspicious emails,” and “don’t download that screensaver of Santa Claus bowling in his underwear” are all fantastic tips for internet safety because any number of viruses, Trojans, and malware could be lurking underneath your mouse pointer. People are well trained to take precautions when we do not know if a link is safe to click. Now it is time to apply the same mindset to USB security. Sticking any old USB drive into your computer is a bad idea. Unfortunately, if you haven’t experienced the problem, you do not know to avoid it.
It’s important to understand that there is little difference between downloading a file and plugging a USB into a computer. Except that plugging in an infected drive can be prove to be far more dangerous. With the AutoPlay feature enabled on most machines, malicious programs on USB drives will happily activate themselves, when downloading an infected file you usually have to click on it before anything seriously bad can happen. And while all but a few virus-laden files are safe to download, and only a handful of USB drives are designed to be harmful just as you need to watch for one, you need to protect yourself from the other. The consequences can and will be equally devastating. Flash drives are one of the most popular vehicles for hackers and cyber criminals to gain access to a computer, and those tiny, convenient devices can spread malware and other viruses.
So what can you do?
From a personal-use standpoint, the solution is simple: never ever plug a flash drive into your computer unless you know both where it came from and where it has been. Businesses, however, should institute policies to ensure that the networks and computers remain safe under any circumstances. That includes protecting themselves from uninformed employees, disgruntled staff, as well as malicious outsiders.
Many types of internal policies for USB security can provide near-foolproof protection while resulting in only minor inconveniences. For example, disabling the USB ports on all of your devices can prevent 99% of potential USB security concerns. But your company can also achieve a similar level of security by preventing any unknown devices from accessing company’s computers. You can establish a whitelist of known USB devices that prevents access to all but certain pre-approved devices. An easy means of accomplishing this task would be to provide all employees with encrypted company flash drives.
It is also important to educate your employees on the dangers of using unknown USB drives. And any devices found lying around should also be reported to IT personnel immediately. Treat them as you would an abandoned bag at the airport. And it’s not just USB drives that can be infected, any USB device you find is liable to be dangerous. That includes the extra cable to charge your phone with that you found lying in the parking lot. Don’t let your guard down, this is one of the most pervasive social engineering attacks out there.
Don’t let it happen to you.
Of course, HumanIT will be happy to help develop and implement these and other important IT security policies for your company, provide security training for employees, and also work with your business on compliance and data retention issues. You would never leave the back door to your home or office unlocked; don’t provide an easy-access back door (or slot) for viruses and malware to enter your systems?