Do USB memory sticks pose enterprise threats?
Do USB memory sticks pose new dangers for enterprises? Some reports claim that new drives can be used to automatically run malware. Is this true? And if so, what can information security pros do to prevent it?
Yes, USB memory sticks (sometimes called "thumb drives") are a major security issue for several reasons. First, they offer employees an easy way to steal all kinds of sensitive information. They can walk out of an organization with a small, easily concealed device. Second, innocent employees can bring in thumb drives that contain a virus or worm
and inadvertently infect an organization. And, third, a machine can run code from a USB drive simply by plugging it in; attackers can and have released software that can make a thumb drive auto-execute when inserted into a Windows computer. These programs trick Windows into believing that the USB drive is really a CD, which is then auto-run. We've been able to get these tools to work in our labs, so they are indeed a real threat. There are commercial products that do this as well, like SanDisk's U3 Cruzer drive. Thus, just plugging in a thumb drive can get you infected with a bot.
A few months back, an information security consulting firm employed this technique using a clever social engineering twist while performing a penetration test. The team scattered about 20 thumb drives around the penetration test customer's parking lot. Then, the team asked the employees of said company to find these USB tokens and plug them into corporate computers to see what was on them. Once inserted, the software on the drives automatically executed, allowing the penetration testers to bypass the firewall and control these computers.
So, how can information security pros deal with this new threat? You could disable USB tokens entirely from your environment, either by disabling the drivers on individual machines, or doing so on an enterprise-wide level, using Group Policy deployed with Active Directory. You can also use Group Policy to disable CD auto-run, as described here.
Some organizations have even taken the more draconian step of putting glue into all of their computer systems' USB slots to prevent them from being used. Of course, such a solution isn't ideal for all of us.
Visit our resource center for the latest news, tips and expert advice on how to create an effective device security policy.
Enforce a "no USB devices" policy by monitoring a laptop user's offline activities.
This was first published in December 2006