It sounds like the title of a wonderfully bad sci-fi B-movie, but it’s actually happened: the International Space Station is infected with a computer virus. Not only is it infected, it’s infected with a famous virus, Stuxnet, which was used to cripple (allegedly) Iran’s nuclear weapons program. Originally designed specifically for infecting Iranian nuclear power plant systems, Stuxnet has since “gone rogue” and is now doing its dirty work around the globe. The virus was designed to be spread not only via network connections, but through flash drives and disk drives as well, primarily because many nuclear power plant control systems are too old to be connected to the internet, which is a scary thought on its own. In the case of the ISS, Stuxnet stowed away on a USB thumb drive brought on board by an astronaut.
What this means for you:
As the story above illustrates, humans continue to be the weakest link in the chain of security. You can spend tons of money on securing your technology, but it can all be blown away by a $10 thumb drive and 30 seconds of careless behavior. A big part of security is training your people not only on what NOT to do, but also on how to be vigilant and careful. As a society, we are starting to understand just how pervasive malware has become, but there are still a surprising number of people who continue to be caught off guard and impacted negatively. Given that this paradoxical and very human behavior isn’t limited to technology risks (think about drugs, alcohol, tobacco, base jumping, junk food, etc.), it’s no wonder malware has continued to thrive despite its destructive nature.
Portable flash drives, also known as “thumb” drives, are about as common as their physiological namesake. They are readily available, useful for a variety of tasks, and now so cheap as to render them nearly disposable. Partly because of their ubiquity and seemingly innocuous profile, they make extremely effective malware vectors and continue to be the bane of information security professionals everywhere:
- As part of a security test conducted by the Department of Homeland Security, USB drives were left in the parking lots of other government agencies and private contractors. After being spotted and picked up by employees, almost two-thirds of the orphaned drives were plugged into networked computers, even though the users had no clue as to the drives’ origins. When the drives had a faux government logo on them, nearly 90% were accessed via networked computers.
- A survey of 300 IT professionals conducted at the 2013 RSA Security Conference found that almost 80% of respondents have plugged in thumb drives with questionable or unknown origins, despite probably knowing full well the dangers such an action could present.
- Infamous NSA whistleblower Edward Snowden purportedly copied digital documents supporting his claims onto a thumb drive that he smuggled without much effort into and out of the National Security Agency.
What this means for you:
Because of their size and capability, thumb drives are not something that will be controlled through simple policy and half-hearted enforcement. Companies with tightly managed technology environments can enforce a ban on non-authorized USB devices through centrally controlled software policies, and some have gone so far as to glue shut open USB ports in an attempt to close this security gap. For smaller companies with less dire security requirements, this may not be a reasonable solution. Instead, you should continue to make sure that you have working anti-malware in place and set to scan any storage device inserted into your computer. On top of this, if you regularly use thumb drives to transport business data, those drives should be encrypted with a strong password to prevent security breaches due to loss or theft, and obviously, they should be backed up regularly for the same reason. And for goodness’ sake, don’t pick up some random thumb drive lying on the ground and plug it into your computer. You really don’t know where that thing has been!