Portable flash drives, also known as “thumb” drives, are about as common as their physiological namesake. They are readily available, useful for a variety of tasks, and now so cheap as render them nearly disposable. Partly because of their ubiquity and seemingly innocuous profile, they make extremely effective malware vectors and continue to be the bane of information security professionals everywhere:
- As part of a security test conducted by the Department of Homeland Security, USB drives were left in the parking lots of other government agencies and private contractors. After being spotted and picked up by employees, almost two-thirds of the orphaned drives were plugged into networked computers, even though the users had no clue as to the thumb drive’s origins, and if the thumb drive had a faux government logo on them, nearly 90% were accessed via networked computers.
- A survey of 300 IT professionals conducted at the 2013 RSA Security Conference found that almost 80% of respondents have plugged in thumb drives with questionable or unknown origins, despite probably knowing full well the dangers such an action could present.
- Infamous NSA whistleblower Edward Snowden purportedly copied digital documents supporting his claims onto a thumb drive that he smuggled without much effort into and out of the National Security Agency.
What this means for you:
Because of their size and capability, thumb drives are not something that will be controlled through simple policy and half-hearted enforcement. Companies with tightly managed technology environments can enforce a ban on non-authorized USB devices through centrally controlled software policies, and some have gone so far as to glue shut open USB ports in an attempt to close this security gap. For smaller companies with less dire security requirements, this may not be a reasonable solution. Instead, you should continue to make sure that you have working anti-malware in place and set to scan any storage device inserted into your computer. On top of this, if you regularly use thumb drives to transport business data, those drives should be encrypted with a strong password to prevent security breaches due to loss or theft, and obviously, they should be backed up regularly for the same reason. And for goodness sakes, don’t pick up some random thumb drive lying on the ground and plug it into your computer. You really don’t know where that thing has been!
Image courtesy of bplanet / FreeDigitalPhotos.net